Newly Discovered Botnet "Raptor" Controls 3 Million Compromised Smart Home Devices

Researchers at Lumen's Black Lotus Labs have discovered a massive botnet called "Raptor" that has compromised approximately 3 million smart home devices including IP cameras, home routers, smart speakers, and smart TVs across 120 countries. The botnet is being used for credential stuffing, DDoS attacks, and residential proxy services.

Raptor spreads through a combination of default credential exploitation, recently disclosed vulnerabilities in consumer IoT devices, and a novel worm-like propagation mechanism that scans local networks for additional vulnerable devices once a foothold is established.

The botnet's most concerning capability is its residential proxy network, which routes malicious traffic through compromised home devices to make it appear to originate from legitimate residential IP addresses. This service is sold to other cybercriminals for $0.50 per GB of proxied traffic.

Top affected device brands include TP-Link (28% of infections), Hikvision (19%), D-Link (15%), Xiaomi (12%), and Samsung SmartThings (8%). The common thread is default or weak credentials and infrequent firmware updates.

Lumen has been working with ISPs to notify affected customers and has sinkholed several of the botnet's command-and-control domains. Users can check if their devices are compromised using a free scanning tool released by Black Lotus Labs. The incident underscores the urgent need for mandatory IoT security standards.