
Mirai Botnet: How It Hijacked IoT Devices — and How to Stop It

UPDATED JULY 2026 • BY EDGEDEFENSEAI

The Mirai botnet is the most infamous piece of IoT malware ever written. In 2016 it turned hundreds of thousands of ordinary cameras, routers, and DVRs into a weapon that took down a huge chunk of the internet. Years later, Mirai and its descendants are still active — and they still work the same way, because the underlying weakness in IoT devices never went away. Here's how Mirai works, why it mattered, and how to stop your own devices from being recruited.

What Is the Mirai Botnet?

Mirai is malware that infects Internet of Things (IoT) devices — primarily Linux-based cameras, routers, and DVRs — and enslaves them into a "botnet," a network of hijacked machines an attacker controls remotely. Once a device is infected, it quietly awaits commands and can be pointed at any target to launch a massive distributed denial-of-service (DDoS) attack. The name means "future" in Japanese, and its source code was publicly released in 2016, spawning countless copycats.

The 2016 Attacks That Broke the Internet

Mirai announced itself with a series of record-breaking attacks. It hit security journalist Brian Krebs's site with a then-unprecedented flood of traffic, struck French host OVH, and — most famously — took down DNS provider Dyn in October 2016. The Dyn attack knocked Twitter, Netflix, Reddit, GitHub, and Spotify offline across much of the US and Europe. What made it shocking wasn't sophistication; it was that the firepower came from cheap consumer gadgets nobody thought of as computers.

How Mirai Works

Mirai's method is brutally simple, which is exactly why it's so effective:

  • Scan: Infected devices constantly scan the internet for other IoT devices with open Telnet/SSH ports.
  • Brute-force: It tries a short list of ~60 default and common username/password pairs (admin/admin, root/12345, and so on).
  • Infect: When a default credential works, Mirai loads its malware onto the device and adds it to the swarm.
  • Report & wait: The device beacons to a command-and-control (C2) server and waits for orders.
  • Attack: On command, the whole botnet floods a target with traffic simultaneously.

Because it relies on unchanged default passwords, Mirai doesn't need software exploits or zero-days — the front door is simply unlocked.

Why Mirai Still Matters in 2026

Mirai never really died. Its leaked source code produced a family of variants — Okiru, Satori, Masuta, Mozi, and others — that continue to target the ever-growing pool of insecure IoT devices. With 40+ billion connected devices expected by 2030, most still shipping with weak defaults and rare updates, the attack surface Mirai feeds on is bigger than ever. If anything, the problem has scaled with the industry.

How to Protect Your Devices From Mirai

  • Change every default password — this alone defeats classic Mirai.
  • Disable Telnet and unused remote access on every device.
  • Segment IoT devices onto their own VLAN so an infection can't spread.
  • Keep firmware updated and retire devices that no longer get patches.
  • Monitor network behavior — the surest sign of infection is the traffic itself.

For the full checklist, see our guide on securing your smart home network.
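To make the "monitor network behavior" item concrete, the following added example (not code from this post or from EdgeDefenseAI) flags the scan step described under "How Mirai Works": one internal device reaching many distinct hosts on Telnet or SSH in a short time. The flow-record format (`epoch_seconds src_ip dst_ip dst_port`), the 60-second window, the threshold of 20 destinations, and all sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SCAN_PORTS = {22, 23}      # SSH and Telnet, the services the scan step looks for
WINDOW_SECONDS = 60        # assumed tuning value
MIN_DISTINCT_TARGETS = 20  # assumed tuning value

def parse_flow(line):
    """Parse 'epoch_seconds src_ip dst_ip dst_port'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def find_scanners(lines, window=WINDOW_SECONDS, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src_ip: peak count of distinct Telnet/SSH destinations in any window}."""
    flows = sorted(f for f in map(parse_flow, lines) if f and f[3] in SCAN_PORTS)
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, _port in flows:
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop flows older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= min_targets}

def sample_flows():
    """Constructed sample: a camera fanning out on port 23 and a laptop behaving normally."""
    lines = [f"{1000 + i * 0.5} 192.168.20.14 198.51.100.{i + 1} 23" for i in range(40)]
    lines += [f"{1000 + i * 30} 192.168.1.50 192.168.1.10 22" for i in range(40)]  # one SSH host
    lines += [f"{1000 + i} 192.168.1.50 203.0.113.{i + 1} 443" for i in range(40)]  # web traffic
    lines.append("garbage line that should be skipped")
    return lines

if __name__ == "__main__":
    for src, n in find_scanners(sample_flows()).items():
        print(f"{src}: {n} distinct Telnet/SSH destinations within {WINDOW_SECONDS}s")
```

The window and threshold need tuning per network, and hosts that legitimately reach many machines over SSH, such as a configuration-management server, belong on an allowlist.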

How EdgeDefenseAI Detects Botnet Activity

Even a fully patched network can host a compromised device — and the only reliable tell is behavior. A Mirai-infected device scans for other victims, beacons to a C2 server, and joins DDoS floods, all of which look nothing like its normal traffic. EdgeDefenseAI baselines each device with on-device AI and flags exactly these deviations — port scanning, C2 beaconing, and abnormal outbound floods — in real time, then lets you quarantine the device in one click. It all runs locally, with no data leaving your network. Learn more in our IoT device security guide, our IoT security solutions, or how to detect a hacked IoT device.
