In a startling revelation shaking the cybersecurity world, a menacing new botnet dubbed Eleven11bot has emerged, infecting over 86,000 Internet of Things (IoT) devices to orchestrate devastating Distributed Denial-of-Service (DDoS) attacks. This rapidly growing threat has set its sights on critical infrastructure across the United States, United Kingdom, Mexico, Canada, and Australia. With security cameras and network video recorders (NVRs) as its primary pawns, Eleven11bot is proving to be one of the most formidable botnets seen in recent years. Here’s everything you need to know about this escalating cyber menace.
A Global Cyber Threat Emerges
Cybersecurity researchers from the Nokia Deepfield Emergency Response Team first sounded the alarm about Eleven11bot, initially estimating its reach at over 30,000 devices. However, updated scans by the Shadowserver Foundation, reported just yesterday, reveal a staggering 86,400 compromised IoT devices as of March 4, 2025. This botnet’s explosive growth—nearly tripling in size within days—highlights its aggressive spread and the vulnerability of unsecured IoT ecosystems. The United States bears the brunt with nearly 25,000 infected devices, followed by the UK with 10,700, Mexico with 10,000, Canada with 4,000, and Australia with 3,100. These numbers underscore a widespread, coordinated assault targeting key nations.
Eleven11bot’s weapon of choice? DDoS attacks that flood networks with traffic, rendering services inaccessible. Researchers note that this botnet has already launched hundreds of attacks, some peaking at an unprecedented 6.5 terabits per second (Tbps)—a record-breaking bandwidth for non-state actor botnets. From telecom providers to gaming platforms, no sector seems immune to its disruptive power.
How Eleven11bot Infiltrates and Operates
What sets Eleven11bot apart is its cunning exploitation of IoT vulnerabilities. The botnet preys on devices like security cameras and NVRs, often secured with weak or default passwords. Using brute-force tactics, it scans for exposed SSH and Telnet ports, rapidly ensnaring unprotected hardware. Once inside, Eleven11bot deploys its malware, transforming these everyday devices into obedient bots ready to execute DDoS commands. GreyNoise researchers tracking the botnet identified over 1,000 IP addresses actively hitting their honeypots, with 61% traced to Iran—though attribution remains speculative amid geopolitical tensions following recent U.S. sanctions.
The botnet’s technical sophistication is equally alarming. It employs a multi-pronged infection strategy, leveraging hardcoded credentials in specific camera brands and conducting relentless network scans. Nokia’s Jerome Meyer emphasized its scale, calling it “one of the largest known DDoS botnet campaigns” since Russia’s invasion of Ukraine in 2022. This isn’t just a numbers game—Eleven11bot’s sustained attacks, some lasting days, have caused significant disruptions, threatening communications and online services worldwide.
Why This Matters Now
The timing of Eleven11bot’s rise isn’t coincidental. As IoT adoption surges globally, so does the attack surface for cybercriminals. Security cameras and NVRs, often overlooked in cybersecurity protocols, are low-hanging fruit for botnets like this one. The U.S. and its allies, already navigating a tense cyber landscape, now face a tangible threat to their digital infrastructure.
This botnet’s emergence also coincides with a broader wave of DDoS activity. Experts warn that unprotected IoT devices could fuel even larger attacks, potentially overwhelming unprepared organizations. With up to 150,000 devices estimated to be vulnerable, according to Nokia Deepfield, the stakes couldn’t be higher.
Protecting Against the Eleven11bot Onslaught
So, what can be done? Cybersecurity pros are sounding the alarm: organizations and individuals must act fast. Replace default passwords, apply firmware updates, and restrict remote access to IoT devices—these are non-negotiable steps to thwart Eleven11bot’s spread. On the network level, activating DDoS defenses and rate-limiting measures can mitigate the impact of these high-intensity attacks. For Security Operations Centers (SOCs), tracking live botnet activity via IP analysis is critical to preempting strikes.
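For SOC teams, the IP analysis mentioned above can start with the device's own authentication log. The following is an added example, not code from the researchers cited in this article: it flags source IPs that produce a burst of failed SSH logins and notes whether a successful login followed. The OpenSSH syslog line format, the function name `analyze`, the threshold, the time window and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar  4 10:00:01 nvr1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  4 10:00:03 nvr1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Mar  4 10:00:05 nvr1 sshd[813]: Failed password for invalid user support from 203.0.113.7 port 40114 ssh2
Mar  4 10:00:08 nvr1 sshd[814]: Failed password for root from 203.0.113.7 port 40115 ssh2
Mar  4 10:00:11 nvr1 sshd[815]: Accepted password for root from 203.0.113.7 port 40116 ssh2
Mar  4 10:05:00 nvr1 sshd[820]: Failed password for operator from 198.51.100.20 port 51000 ssh2
Mar  4 11:30:00 nvr1 sshd[830]: Failed password for operator from 198.51.100.20 port 51001 ssh2
Mar  4 11:31:00 nvr1 sshd[831]: Accepted password for operator from 198.51.100.20 port 51002 ssh2
"""

# Assumed OpenSSH syslog format: timestamp, host, sshd[pid], result, user, source IP.
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: (Failed|Accepted) password "
                  r"for (?:invalid user )?(\S+) from (\S+) port")

def analyze(log_text, year=2025, threshold=4, window=timedelta(seconds=60)):
    """Return findings for IPs whose failed logins reach `threshold` within `window`.
    Syslog timestamps omit the year, so it is passed in as a parameter."""
    fails, accepts = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, result, user, ip = m.groups()
        when = datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
        (fails if result == "Failed" else accepts)[ip].append((when, user))
    findings = {}
    for ip, events in fails.items():
        events.sort()
        start, best, best_end = 0, 0, None
        for end, (when, _) in enumerate(events):  # sliding window over failures
            while when - events[start][0] > window:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, when
        if best >= threshold:
            findings[ip] = {
                "burst": best,
                "users": sorted({u for _, u in events}),
                # A success after the burst means a guess worked: treat the device as compromised.
                "login_after_burst": any(t >= best_end for t, _ in accepts[ip]),
            }
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A slow source such as the second address in the sample, with two failures more than an hour apart, stays below the threshold and is not flagged, so the window and threshold need tuning against normal administrator behavior.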
This isn’t just a technical battle—it’s a wake-up call. The Eleven11bot botnet exposes the fragility of our connected world. As it continues to grow, the cybersecurity community must rally to decode its tactics and fortify defenses. For now, the U.S., UK, Mexico, Canada, and Australia stand on the frontline of this digital war, but the ripple effects could reach us all.