China’s Botnet Scandal: Your Router’s Secret Life!

The National Cyber Security Centre (NCSC) and 15 international partners issued a joint advisory. It warns that China-linked threat actors are hiding attacks behind networks of compromised everyday internet devices.

Oh, great, another day, another cyber threat. But this time, it’s not just your bank account-it’s your router, your smart fridge, your old web camera. Because apparently, China’s got a botnet so big, it’s like a digital army of forgotten devices.

Botnets Built From Compromised Home Devices

The document identifies a pattern across Volt Typhoon and Flax Typhoon operations. In each case, traffic passes through compromised small office and home office routers before reaching its target. Because nothing says “I’m a hacker” like using your neighbor’s Wi-Fi.

These covert networks help China-linked operators scan targets, deliver malware, and exfiltrate data. They also obscure the origin of each attack. Because nothing says “I’m innocent” like a trail of digital breadcrumbs.

Raptor Train, one such network, infected more than 200,000 devices worldwide in 2024, according to the NCSC. The FBI attributed its management to Integrity Technology Group, a Beijing-based cybersecurity firm. Oh, and they’re based in Beijing. Because nothing says “cybersecurity” like a company that’s actually a cyber threat.

The United Kingdom sanctioned the company in December 2025 for reckless cyber activity against its allies. Because, you know, that’s the kind of thing they do-wait, isn’t that their job?

Many of the compromised machines are end-of-life web cameras, video recorders, firewalls, and network storage devices. These no longer receive security patches from manufacturers. That leaves them easy targets for bulk exploitation. Because nothing says “I’m secure” like a 10-year-old camera that hasn’t been updated since the Bush administration.

Western Infrastructure Already Pre-Positioned

Volt Typhoon has used a separate covert network called the KV Botnet. The group established footholds on critical national infrastructure across the United States and allied countries. Because nothing says “I’m a threat” like targeting energy grids and government networks.

Department of Justice filings referenced in the advisory support this finding. Energy grids, transport systems, and government networks are named as active targets. Because, you know, who doesn’t want to play with the power grid?

Paul Chichester, NCSC Director of Operations, flagged a separate problem known as indicator of compromise extinction. Identifiers used to track attackers disappear almost as fast as researchers publish them. Because, of course, the bad guys are always one step ahead-just like your Netflix password.

The problem mirrors wider difficulties in tracking state-backed hacking campaigns across both critical infrastructure and financial sectors. Because nothing says “I’m a nightmare” like a hacker who’s always two steps ahead.

In recent years, we have seen a deliberate shift in cyber groups based in China utilising these networks to hide their malicious activity in an attempt to avoid accountability,” Paul Chichester, NCSC Director of Operations.

The advisory urges organisations to baseline normal network traffic and adopt dynamic threat feeds. It also recommends tracking China-linked covert networks as advanced persistent threats in their own right. Because, you know, nothing says “we’re prepared” like a bunch of technical jargon.

2024 recorded more than $2 billion in digital-asset losses from cyber activity. The coming months will test whether defenders can keep pace. The adversary has made attribution itself the first victim. Because, of course, the real crime is figuring out who did it.

2026-04-24 16:33

Botnets Built From Compromised Home Devices

Western Infrastructure Already Pre-Positioned

Read More