FBI Dismantles Chinese-Linked Botnet of 260,000 IoT Devices

The FBI, in collaboration with U.S. government agencies, dismantled a Chinese state-backed botnet known as Flax Typhoon, comprising 260,000 compromised IoT devices. This operation neutralized a major cyber threat to U.S. infrastructure.

In a major blow to state-sponsored cyber malicious activity, the FBI, in cooperation with other U.S. government agencies, has successfully dismantled a massive botnet linked to Chinese government-backed hackers.

Known as Flax Typhoon or Raptor Train, the botnet comprised around 260,000 compromised Internet of Things (IoT) devices globally. The network was reportedly designed to steal sensitive information and disrupt critical services in the U.S. and other nations.

The compromised devices included a widespread network of IoT hardware such as cameras, routers, storage units, and video recorders. According to the joint advisory issued by the Federal Bureau of Investigation (FBI), Cyber National Mission Force (CNMF), and National Security Agency (NSA), the operation not only removed malware from these devices but also severed their links to the larger botnet, making the network powerless.

The takedown came just seven months after, in February 2024, the agency dismantled the KV Botnet, which was used by Volt Typhoon, another Chinese state-sponsored threat actor group.

Scope of the Botnet

The FBI operation reveals the global reach of the botnet. The United States accounted for nearly half of the compromised devices, reflecting the strategic focus on U.S. infrastructure. Other nations, including Vietnam, Germany, and Canada, also faced significant exposure, showing the worldwide threat posed by the botnet.

Country

Node Count

Percentage

United States

126,000

47.9%

Vietnam

21,100

8.0%

Germany

18,900

7.2%

Romania

9,600

3.7%

Hong Kong

9,400

3.6%

Canada

9,200

3.5%

South Africa

9,000

3.4%

United Kingdom

8,500

3.2%

India

5,800

2.2%

France

5,600

2.1%

Bangladesh

4,100

1.6%

Italy

4,000

1.5%

Lithuania

3,300

1.3%

Albania

2,800

1.1%

Netherlands

2,700

1.0%

China

2,600

1.0%

Australia

2,400

0.9%

Poland

2,100

0.8%

Spain

2,000

0.8%

The table shows Botnet Devices per Country

Global Reach and Architecture

The botnet’s impact extended across multiple continents, with North America being the most affected region. Europe and Asia also experienced significant infection rates, while Africa and Oceania had smaller shares. This geographical spread shows the global vulnerability of IoT devices and the strategic use of botnets in cyber warfare.

Continent

Node Count

Percentage

North America

135,300

51.3%

Europe

65,600

24.9%

Asia

50,400

19.1%

Africa

9,200

3.5%

Oceania

2,400

0.9%

South America

800

0.3%

The table shows Botnet Devices per Continent

The operation also exposed the types of processors used by the infected devices. The majority were based on the x86 architecture, followed by MIPS and ARM systems, highlighting how a wide array of devices, often lacking sufficient security protocols, can be easily hijacked and integrated into malicious networks.

The full list of vulnerabilities exploited by the botnet, Indicators of Compromise (IoC), and compromised vendors is available here (PDF).

Implications for Global Cybersecurity

The successful dismantling of the botnet not only neutralizes a major threat to U.S. infrastructure but also sends a strong message to other nation-state actors. Additionally, as IoT devices become an integral part of our daily lives, they will increasingly become lucrative targets for cybercriminals. To protect your IoT devices, follow these simple yet vital guidelines:

• Change Default Passwords: Always update default usernames and passwords on IoT devices to strong, unique credentials.
• Regularly Update Firmware: Ensure your IoT devices are running the latest firmware to patch any security vulnerabilities.
• Disable Unnecessary Features: Turn off features or services you don’t need, such as remote access, to reduce potential entry points for attackers.
• Use a Separate Network: Set up a dedicated network for IoT devices to isolate them from more sensitive devices like computers and smartphones.
• Enable Encryption: If available, activate encryption settings to protect data transmitted by your IoT devices from being intercepted.

1. Mozi Botnet Takedown: Who Killed the IoT Zombie Botnet?
2. Qakbot Botnet Disrupted, Infected 700,000 Computers Globally
3. 4 Arrested as Operation Endgame Disrupts Ransomware Botnets
4. Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US
5. Google Removes Swing VPN Android App Exposed as DDoS Botnet