UPDATED JULY 2026 • BY EDGEDEFENSEAI
The Mirai botnet is the most infamous piece of IoT malware ever written. In 2016 it turned hundreds of thousands of ordinary cameras, routers, and DVRs into a weapon that took down a huge chunk of the internet. Years later, Mirai and its descendants are still active — and they still work the same way, because the underlying weakness in IoT devices never went away. Here's how Mirai works, why it mattered, and how to stop your own devices from being recruited.
Mirai is malware that infects Internet of Things (IoT) devices — primarily Linux-based cameras, routers, and DVRs — and enslaves them into a "botnet," a network of hijacked machines an attacker controls remotely. Once a device is infected, it quietly awaits commands and can be pointed at any target to launch a massive distributed denial-of-service (DDoS) attack. The name means "future" in Japanese, and its source code was publicly released in 2016, spawning countless copycats.
Mirai announced itself with a series of record-breaking attacks. It hit security journalist Brian Krebs's site with a then-unprecedented flood of traffic, struck French host OVH, and — most famously — took down DNS provider Dyn in October 2016. The Dyn attack knocked Twitter, Netflix, Reddit, GitHub, and Spotify offline across much of the US and Europe. What made it shocking wasn't sophistication; it was that the firepower came from cheap consumer gadgets nobody thought of as computers.
Mirai's method is brutally simple, which is exactly why it's so effective:
Because it relies on unchanged default passwords, Mirai doesn't need software exploits or zero-days — the front door is simply unlocked.
Mirai never really died. Its leaked source code produced a family of variants — Okiru, Satori, Masuta, Mozi, and others — that continue to target the ever-growing pool of insecure IoT devices. With 40+ billion connected devices expected by 2030, most still shipping with weak defaults and rare updates, the attack surface Mirai feeds on is bigger than ever. If anything, the problem has scaled with the industry.
For the full checklist, see our guide on securing your smart home network.
Even a fully patched network can host a compromised device — and the only reliable tell is behavior. A Mirai-infected device scans for other victims, beacons to a C2 server, and joins DDoS floods, all of which look nothing like its normal traffic. EdgeDefenseAI baselines each device with on-device AI and flags exactly these deviations — port scanning, C2 beaconing, and abnormal outbound floods — in real time, then lets you quarantine the device in one click. It all runs locally, with no data leaving your network. Learn more in our IoT device security guide, our IoT security solutions, or how to detect a hacked IoT device.
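The behavioral checks described above, as an added example that is not EdgeDefenseAI's code: a minimal Python pass over one window of flow records that flags port-scan fan-out and fixed-interval beaconing against a per-device baseline. The flow tuples, device names, addresses, ports, baseline values and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def sample_flows():
    """Constructed flow records: (epoch_seconds, device, dst_ip, dst_port)."""
    flows = [(t, "cam-1", "198.51.100.10", 443) for t in (3, 40, 95, 180, 211, 290)]
    # "dvr-2" touches 60 different hosts on one port within five minutes...
    flows += [(i * 5, "dvr-2", f"203.0.113.{i + 1}", 23) for i in range(60)]
    # ...and checks in with a single peer every 30 seconds.
    flows += [(t, "dvr-2", "192.0.2.77", 4000) for t in range(0, 300, 30)]
    return flows

def fanout(flows):
    """Count distinct destination IPs per (device, port)."""
    seen = defaultdict(set)
    for _, dev, dst, port in flows:
        seen[(dev, port)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}

def gap_cv(times):
    """Coefficient of variation of inter-arrival gaps; near 0 means clockwork."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 4 or mean(gaps) == 0:
        return None  # too few samples to call anything periodic
    return pstdev(gaps) / mean(gaps)

def detect(flows, baseline_fanout, factor=5, max_cv=0.1):
    """Return sorted (device, kind, detail) alerts for one window of flows."""
    alerts = []
    for (dev, port), n in fanout(flows).items():
        # Unknown devices get an assumed baseline of 1 peer per port.
        if n > baseline_fanout.get(dev, 1) * factor:
            alerts.append((dev, "scan", f"{n} hosts on port {port}"))
    per_peer = defaultdict(list)
    for t, dev, dst, port in flows:
        per_peer[(dev, dst, port)].append(t)
    for (dev, dst, port), times in per_peer.items():
        cv = gap_cv(sorted(times))
        if cv is not None and cv <= max_cv:
            alerts.append((dev, "beacon", f"{dst}:{port}"))
    return sorted(alerts)

if __name__ == "__main__":
    # Baseline (assumed): peers per port each device normally contacts.
    for alert in detect(sample_flows(), {"cam-1": 1, "dvr-2": 2}):
        print(alert)
```

The abnormal-outbound-flood case is the same comparison applied to bytes or packets sent per window instead of distinct peers.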