Preinstalled Malware on Used Devices: Second-Hand Electronics as a Hidden Botnet Resource

CyberSecureFox 🦊

Buying used laptops, smartphones, routers, or smart home gadgets increasingly comes with an unwanted extra: preinstalled malware that silently turns the device into a botnet node for DDoS attacks and other abuse. At risk are not only traditional computers and phones, but also home routers, IP cameras, Android TV boxes, and a wide range of smart home devices — from coffee machines to robot vacuum cleaners.

Second-hand electronics as infrastructure for DDoS and IoT botnets

Security vendors report a growing number of cases where new owners of second-hand devices discover unknown software that antivirus engines classify as malware. This trend reflects not only wider threat distribution, but also a gradual improvement in basic cyber hygiene: more users install security tools, keep them updated, and run regular scans.

At the same time, modern DDoS botnets are rapidly scaling. To sustain large attack campaigns, botnet operators need vast numbers of compromised endpoints. Each infected gadget brings in fractions of a cent, so the model only becomes profitable when tens or hundreds of thousands of devices are controlled. This economic reality drives criminals to seek highly scalable infection channels, including the second-hand electronics market and poorly protected IoT ecosystems.

How malware ends up on used and even brand-new devices

Bulk-purchased hardware and custom firmware with backdoors

One frequently discussed scenario involves attackers buying large batches of low-cost devices, replacing the stock firmware with a modified build that contains a backdoor, and then reselling the hardware. In these cases, the gadget connects to a command-and-control (C2) server immediately after first power-on. To the owner, everything looks normal: the device performs its advertised functions, while malicious activity runs in the background with minimal visible impact on performance.

Firmware supply chain attacks during manufacturing

An even more dangerous and scalable method is compromise of firmware in the supply chain, before devices ever reach the retailer. Manufacturers may outsource firmware development to third-party vendors, and this development stage is a natural point where attackers can embed malicious modules. As a result, some budget Android devices effectively join a botnet before the customer opens the box. Similar supply chain compromises have already been observed in traditional software and are now expanding into embedded and consumer electronics.

One illustrative case described by researchers is the discovery of a modified variant of the Triada malware preloaded into the firmware of counterfeit Android smartphones that imitate popular models. Within a short period in March 2025, more than 2,600 users in multiple countries reportedly encountered this strain, with the majority of victims located in Russia. Another example involves the Kimwolf and Aisuru botnets, detected on Android streaming boxes and media devices; by December 2025 these botnets were estimated to control more than 1.8 million infected endpoints.

Experts from major cybersecurity vendors note that large-scale schemes based on deliberately buying “clean” devices solely to reflash and resell them with malware still appear relatively rare. A more common pattern among dishonest resellers is to replace software in order to plant banking Trojans and steal credentials or funds, rather than to conscript devices into DDoS botnets.

Most vulnerable categories: routers, cameras, and smart appliances

The problem extends far beyond used PCs and smartphones. In practice, network and IoT devices are often the weakest link: consumer routers, IP cameras, media boxes, NAS storage, and smart household appliances are regularly found exposed online with default settings.

Common root causes include limited attention to security in product design, use of outdated software components, absence of regular firmware patches, hardcoded or weak default passwords, and no requirement to change credentials on first use. Historic incidents such as the Mirai botnet — which exploited default credentials on routers and cameras — demonstrated how quickly such devices can be weaponized for massive DDoS attacks.

Devices that no longer receive updates pose a particular risk. They remain connected to the internet for years with publicly known vulnerabilities and are easily harvested into botnets. In many cases, infection has little visible impact: the owner continues to use the router, camera, or robot vacuum as usual, unaware that the device is being used to attack external services.

How to secure used devices and smart home infrastructure

Cyber hygiene for second-hand laptops and smartphones

Security specialists recommend treating every second-hand device as potentially compromised. When purchasing a used laptop or desktop PC, the very first step should be a full reinstall of the operating system from official installation media, including wiping all disk partitions. For smartphones, a factory reset is the minimum; ideally, users should apply all available OS updates and install apps exclusively from official app stores.

Before connecting a used device to a home network, it should be scanned with a reputable antivirus or endpoint security solution using updated signatures. If any malware is detected, the safest course of action is to fully format storage, flash official firmware where applicable, and only then proceed with OS and application installation.
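Reinstalling from official installation media only helps if the media itself is genuine, so the download should be checked against the checksum the vendor publishes before it is written to a USB stick. The script below is an added example, not code from the article or from any vendor: it parses a `sha256sum`-style checksum list (the `<hex digest>  <filename>` format is an assumption), streams the image through SHA-256 so multi-gigabyte ISOs do not have to fit in memory, and refuses media that is absent from the list. The file names and contents in `demo()` are constructed for the demonstration.

```python
"""Verify downloaded OS installation media against a vendor-published
SHA256SUMS list before using it to reinstall a second-hand machine.

Added example (not from the article). The file names, the sample
contents and the checksum list format (`<hex>  <filename>` per line,
as written by `sha256sum`) are assumptions for this demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hex_digest}.

    Lines look like `<64 hex chars>  <filename>` (two spaces, or ` *`
    for binary mode). Comments and blank lines are ignored; a malformed
    digest is an error rather than a silent skip.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # tolerate both "  " and " *" separators
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {raw!r}")
        expected[name] = digest.lower()
    return expected


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large ISO images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_media(image_path: str, sums_text: str) -> bool:
    """Return True only if the image's digest matches the published one.

    A file missing from the list is treated as a failure: unknown media
    is untrusted. hmac.compare_digest keeps the comparison constant-time,
    a habit worth keeping even for a local check.
    """
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(image_path)
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_of_file(image_path), expected[name])


def demo() -> tuple:
    """Constructed scenario: a genuine image and a copy with one byte changed."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "installer.iso")
        bad = os.path.join(tmp, "installer-tampered.iso")
        payload = b"constructed installer image bytes\n" * 1000
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload[:-1] + b"X")  # single-byte tamper
        genuine_digest = sha256_of_file(good)
        # The "published" list carries the genuine digest; the tampered
        # file is checked against that same digest under its own name.
        sums_good = f"{genuine_digest}  installer.iso\n"
        sums_bad = f"{genuine_digest}  installer-tampered.iso\n"
        return verify_media(good, sums_good), verify_media(bad, sums_bad)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print(f"genuine image verified: {ok}; tampered image verified: {tampered_ok}")
```

Run it as `python verify_media.py`; in real use, point `verify_media` at the downloaded image and the text of the vendor's SHA256SUMS file, and fetch that checksum file over HTTPS from the vendor's own site rather than from the same mirror as the image.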

Secure configuration for routers, cameras, and smart home devices

For routers, IP cameras, and smart home appliances, several baseline measures significantly reduce risk. Users should immediately change the default username and password, disable unnecessary remote access services and UPnP, and regularly check for and install firmware updates from the vendor. Where possible, automatic update mechanisms should be enabled.

A strong additional control is network segmentation: placing IoT and guest devices into a separate Wi-Fi or VLAN segment, isolated from primary workstations and personal smartphones. This limits the blast radius if an IoT device is compromised and helps prevent lateral movement inside the home network.

Connecting ultra-cheap, unbranded devices to the internet, especially when firmware is never updated, introduces disproportionate risk. In some situations, it is more secure to block internet access for such hardware entirely or operate it within a tightly isolated network segment.
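Because an infected router, camera, or vacuum keeps working normally, the owner usually only learns of the compromise from the traffic it generates. The script below is an added example, not code from the article, covering both the "little visible impact" point made earlier and the segmentation advice above: it reads a router's connection log and flags two things, a device that opens far more outbound connections (or fans out to far more destinations) per minute than any home appliance should, and any flow from the IoT segment into the workstation segment, which a correctly isolated VLAN should never carry. The log format (`<epoch> <src_ip> <dst_ip> <dst_port> <proto>`), the subnet layout, the thresholds and the sample lines are all assumptions constructed for the demonstration; the external addresses are RFC 5737 documentation ranges.

```python
"""Flag a home IoT device that behaves like a DDoS botnet node, and flag
IoT-to-LAN traffic that a segmented home network should never carry.

Added example (not from the article). The log format
(`<epoch> <src_ip> <dst_ip> <dst_port> <proto>`, one flow per line),
the subnet layout, the thresholds and the sample log are assumptions
constructed for this demonstration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")    # assumed workstation/phone segment
IOT = ip_network("192.168.20.0/24")   # assumed isolated IoT VLAN
HOME_NETS = (LAN, IOT)
WINDOW_SECONDS = 60
MAX_FLOWS_PER_WINDOW = 100            # ordinary IoT chatter is far below this
MAX_DISTINCT_DESTINATIONS = 50        # scan/reflection-style fan-out


def parse_flow(line):
    """Split one log line into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(dport), proto


def is_external(addr):
    """Anything outside the two home subnets counts as the internet."""
    return not any(addr in net for net in HOME_NETS)


def analyse(lines):
    """Return one finding per (device, rule) pair, sorted for stable output."""
    per_window = defaultdict(list)  # (src, window index) -> [(dst, dport), ...]
    findings = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        # Rule 1: segmentation violation, IoT segment initiating to the LAN.
        if src in IOT and dst in LAN:
            findings.setdefault((str(src), "iot_to_lan"), {
                "device": str(src), "rule": "iot_to_lan",
                "detail": f"{src} -> {dst}:{dport}/{proto}"})
        if is_external(dst):
            per_window[(src, ts // WINDOW_SECONDS)].append((dst, dport))
    # Rule 2: outbound volume or fan-out inconsistent with a home device.
    for (src, win), flows in per_window.items():
        distinct = {d for d, _ in flows}
        if len(flows) > MAX_FLOWS_PER_WINDOW or len(distinct) > MAX_DISTINCT_DESTINATIONS:
            findings.setdefault((str(src), "outbound_flood"), {
                "device": str(src), "rule": "outbound_flood",
                "detail": f"{len(flows)} external flows to {len(distinct)} "
                          f"destination(s) in window {win}"})
    return sorted(findings.values(), key=lambda f: (f["device"], f["rule"]))


def build_sample_log():
    """Constructed router log: a healthy laptop, a flooding camera and a
    robot vacuum probing a workstation's SMB port."""
    base = 1_700_000_040  # aligned to a 60-second window boundary
    lines = [f"{base + i * 10} 192.168.1.10 203.0.113.5 443 tcp" for i in range(5)]
    lines += [f"{base + i % 60} 192.168.20.5 198.51.100.9 80 tcp" for i in range(150)]
    lines.append(f"{base + 30} 192.168.20.7 192.168.1.10 445 tcp")
    return lines


def flagged_devices(lines):
    """Convenience view: just the device addresses that tripped a rule."""
    return sorted({f["device"] for f in analyse(lines)})


if __name__ == "__main__":
    for finding in analyse(build_sample_log()):
        print(f"[{finding['rule']}] {finding['device']}: {finding['detail']}")
```

On the constructed log the laptop is silent, the camera trips `outbound_flood` with 150 flows to one host in a single minute, and the vacuum trips `iot_to_lan`. The thresholds are deliberately crude; on a real network they should be set from a baseline of each device's normal traffic, and an `iot_to_lan` hit is worth investigating even at a single flow, since the firewall between the segments should have dropped it.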

Responsible purchasing decisions, basic cyber hygiene, and careful configuration of IoT devices can dramatically reduce the chances that home electronics are conscripted into criminal infrastructure. A practical rule of thumb is simple: treat every new or used device as untrusted until it has been checked, updated, and securely configured. As this mindset becomes standard for everyday users, it will become significantly harder for attackers to assemble large-scale botnets from our household technology.
