Aisuru Botnet Shifts from DDoS Attacks to Residential Proxies | Cybersecurity & AI Scraping

Nov 7, 2025 - 16:20
Nov 19, 2025 - 04:59

The cybercrime landscape is constantly evolving, with threat actors adapting their tactics to maximize profit and evade detection. One of the most striking examples of this shift is the Aisuru botnet, which first gained notoriety in 2024 for launching record-breaking distributed denial-of-service (DDoS) attacks. Today, Aisuru has pivoted from brute-force disruption to stealthy monetization, transforming compromised Internet of Things (IoT) devices into residential proxies. This evolution not only underscores the adaptability of modern botnets but also highlights the growing role of proxy networks in cybercrime, ad fraud, and large-scale AI data scraping.

The Rise of Aisuru  

  • Discovered in August 2024, Aisuru infected more than 700,000 IoT devices, including routers and security cameras.  
  • It quickly became infamous for DDoS attacks peaking at 30 Tbps, overwhelming ISPs and even challenging Google’s defenses.  
  • These attacks demonstrated the destructive potential of IoT-based botnets, which exploit weak security in everyday devices.  

From DDoS to Residential Proxies

  • Instead of continuing with high-profile DDoS campaigns, Aisuru’s operators repurposed their botnet into a residential proxy network.  
  • Residential proxies disguise malicious traffic as if it originates from ordinary home users, making detection far more difficult.  
  • Such proxies are widely abused for:  
      - Ad fraud (inflating clicks and impressions)  
      - Credential stuffing (testing stolen passwords)  
      - Content scraping (harvesting restricted or login-protected data)  

Proxy Market Explosion  

  • Proxy tracking firm Spur.us reported 250 million unique residential proxy IPs in just 90 days, signaling unprecedented growth. 
  • Major players include Bright Data (formerly Luminati), Oxylabs, and IPidea, the latter operating under the HK Network umbrella with multiple proxy brands.  
  • These providers aggressively resell bandwidth, often without transparent user consent, fueling a shadow economy of proxy services.  

AI Data Scraping Connection  

  • Residential proxies are increasingly exploited to feed large language models (LLMs) by scraping restricted content at scale.  
  • Some open-source projects have reported that 97% of their traffic comes from AI bots, overwhelming infrastructure and destabilizing services.  
  • Companies like Cloudflare are experimenting with “pay-per-crawl” models to monetize AI scraping, while Reddit has sued Oxylabs for enabling mass data harvesting.  

Other Botnets in the Ecosystem  

  • Aisuru is not alone. Badbox 2.0 compromised over 10 million uncertified Android devices, using them for ad fraud and proxy services.  
  • Many proxy networks rely on SDKs bundled into mobile apps, silently turning user devices into proxy nodes without informed consent.  

Key Takeaways 

  • Botnets are evolving: Aisuru’s shift from destructive DDoS attacks to stealthy residential proxy monetization reflects a broader trend in cybercrime.  
  • Residential proxies are central: They now underpin ad fraud, credential stuffing, and AI-driven scraping operations.  
  • Legal and regulatory pressure is mounting: Lawsuits, sanctions, and ISP crackdowns are targeting proxy providers and botnet operators.  

Conclusion  

The Aisuru botnet’s transformation from a DDoS powerhouse into a residential proxy network illustrates the adaptability of cybercriminal infrastructure. As AI-driven data scraping and proxy abuse expand, organizations must strengthen defenses against stealthy traffic patterns, while regulators confront opaque proxy practices. The fight against botnets is no longer just about stopping attacks—it’s about dismantling the hidden economies that sustain them.

Brian Krebs worked as a reporter for The Washington Post from 1995 to 2009, authoring more than 1,300 blog posts for the Security Fix blog, as well as hundreds of stories for washingtonpost.com and The Washington Post newspaper, including eight front-page stories in the dead-tree edition and a Post Magazine cover piece on botnet operators. In 2014, he was profiled in The New York Times, Business Week, NPR’s Terry Gross, and by Poynter.org. More recently, he was invited to an “Ask Me Anything” discussion on Reddit about investigative reporting.