Zombie Networks

What Is a Zombie Network?

A zombie network is a collection of devices, connected through the internet, that a cybercriminal has compromised. The criminal can then control the computers, using them for all manner of nefarious purposes. The owners and users of the zombie computers are usually unaware that anything is amiss. This means that your business or your home computer could inadvertently be aiding cybercriminals in their activity.

What Are Zombie Networks Used for?

Cybercriminals use zombie networks for a range of purposes, none of them nice. Also known as a botnet, a zombie network gives cybercriminals a powerful foundation from which to:

  • launch distributed denial-of-service (DDoS) attacks (to overwhelm websites and services)
  • perform degradation of service attacks (to periodically slow down web services and sites)
  • spread email spam
  • “mine” cryptocurrency or otherwise commandeer your device’s processing power
  • send out spyware and adware
  • coordinate click fraud
  • undertake a range of other damaging activities

All of these can represent a risk to genuine businesses, ranging from minor irritations to zombie network attacks that can bring down entire services. This can cost the target business hugely, both in terms of dealing with the immediate impact of the attack and in an elevated customer churn rate due to the impact of it (for example, due to services being unavailable during a DDoS attack). 

In addition to targeting businesses, cybercriminals use zombie networks to commit bot attacks on government agencies and countries. According to StormWall, numerous forms of attacks increased in 2022, including a 74% uptick in DDoS attacks during the year, making it a greater priority to invest in bot mitigation software.

Want to See How SEON Can Help You?

Our fraud detection tool helps improve the customer experience, minimize the need for manual review, and boost your growth and revenue.

Ask an Expert

How Do Zombie Networks Work?

Cybercriminals control zombie networks remotely through HTTP, Internet Relay Chat (IRC), and similar standards-based networking protocols. They join computers to the network through hacking, malware, worms, viruses, and trojans.

The first action in setting up a network of zombie computers is for the cybercriminal to infect other computers using a worm or virus. Once infected, each zombie computer logs on to an IRC or web server that the cybercriminal controls.

Each zombie computer that the criminal manages to add to the network provides them with additional power. The bigger the network, the more devastating a zombie network attack has the potential to be.

The creation of networks of zombie computers such as these can be one form of fraud as a service (FaaS). The person operating the zombie network can make money by leasing their network to other cybercriminals, enabling them to undertake DDoS attacks, send out spam, and more. The network operator makes a profit out of the exchange, while the cybercriminal leasing the network can make use of its power without having to set it up and with a reduced risk of detection.

Top Five Signs Your Computer Is a Part of a Zombie Network

Most people using a compromised computer are unaware that it is part of a network of zombie devices. However, there are certain signs to watch out for, which can indicate that something is amiss. These include:

·  slower performance

·  reduced hard drive space

·  frequent crashes and/or web browser closures

·  longer shut-down and start-up processes

·  strange error messages

Another telltale sign is messages in your email outbox, or other social media outbox, that you didn’t send. This could mean someone is using your computer to send out spam.

Examples of Zombie Networks

There have been plenty of instances of zombie network attacks over the years. The examples below give a flavor of the disruption that such networks can cause.


Back in 2000, a sixteen-year-old Canadian boy known online as Mafiaboy knocked out CNN, Yahoo, Amazon, and eBay, along with other commercial sites. He used a zombie network containing millions of computers in one of the largest DDoS attacks ever staged at the time.


Over a decade after Mafiaboy wreaked havoc with his DDoS attack, another zombie network captured the headlines – a banking information theft network known as Zeus. Zeus didn’t just gather Windows machines into the fold, but also mobile devices, from which it stole online banking codes through man-in-the-middle attacks. US Marshals succeeded in partially taking apart the zombie network in 2012, five years after it first appeared, but it rose again as Gameover Zeus and as a contributor to Cryptolocker. Copycats and derivatives of the original Zeus infection remain in circulation to this day.


The Mirai malware was originally used to create a zombie network in order to attack Minecraft gaming servers so that Mirai’s creators could launch DDoS attacks that would enable them to make money from Minecraft. Since then, however, Mirai has contributed to a wide range of zombie network attacks. One of the most recent, in 2023, saw Mirai target Linux-based servers and Internet of Things devices.

Reduce Fraud Rates by 70–99%

Partner with SEON to reduce fraud rates in your business with real-time data enrichment, whitebox machine learning, and advanced APIs.

Ask an Expert

How to Protect Against a Zombie Network

If you’re seeking to protect your machine from becoming a zombie computer, start with a healthy dose of common sense. That means not clicking suspicious email or text message links and not downloading any files from suspect websites. Adopting a holistic internet safety mindset means that you probably shouldn’t connect to these websites at all.

Businesses should ensure they have robust security in place, including antivirus, antispam, anti-DDoS, and other forms of protection. Companies with bring-your-own-device policies should ensure that security covers those laptops, smartphones, tablets, and other devices as well. These policies should be complemented with a modern and regularly updated system of training and awareness of pervasive threats currently in the ecosystem.

For organizations that suspect one or more of their machines may have already been compromised, there are a couple of options. One is to use firewall software, setting it to maximum security and then monitoring network requests to try and identify any suspicious activity and applications. However, this method is time-consuming and can be unreliable, as you may end up deleting applications that are essential to the effective running of the machine.

Another approach is to undertake a complete wipe of the infected machine and restore from backup. But this is a pain for the IT team and for the user.

The best approach is to use the right tools in the first place, to ensure your business doesn’t end up inadvertently helping cybercriminals carry out attacks. Between velocity checks, device fingerprinting, digital footprinting, and more, it is possible to detect attacks and prevent them from damaging your business.

Related Terms

Related Articles

Contact Us for a Demo

Feel free to reach out to us for a demo!