AI turns botnets into powerful tools against Cypriot firms
Artificial intelligence is rapidly transforming the global cyber threat landscape, with Cyprus now facing mounting risks from AI-powered DDoS attacks, according to cybersecurity company Qrator Labs’ latest quarterly report.
The firm’s Q3 2025 DDoS Intelligence Report revealed that AI tools have become a driving force behind the expansion of massive botnets capable of launching highly automated attacks at unprecedented scale.
Qrator Labs said it has been tracking a botnet of 5.76 million infected devices over the past six months, with most compromised systems located in Brazil, Vietnam, the United States, India, and Argentina.
The company explained that AI enables attackers to find and capture vulnerable devices far more efficiently than before, allowing them to build enormous networks of compromised machines that can be directed toward coordinated attacks on businesses, governments, and critical infrastructure.
“The sheer number of vulnerable devices is nothing new — we’ve seen this before in previous years,” said Andrey Leskin, Chief Technology Officer at Qrator Labs.
“What has changed in 2025 is that attackers can now find and capture them much faster and more efficiently, thanks to AI,” he added. “To put it in perspective, last year, the largest DDoS botnet we recorded included around 227,000 devices. As you can see, using AI tools, attackers have increased the scale by about 25 times in just one year.”
The company reported that in the third quarter, FinTech accounted for 26.1 per cent of all DDoS attacks, followed by E-commerce with 22.0 per cent, Media with 15.8 per cent, and Information and communication technology with 14.5 per cent.
The most powerful L3-L4 DDoS attack of the quarter targeted an E-commerce firm, reaching 1.15 Tbps, surpassing the 2024 peak of 1.14 Tbps. The longest bad bot attack lasted 14 hours and 33 minutes and also targeted the E-commerce sector.
Among smaller industry groups, Media, TV, radio and bloggers accounted for 14.1 per cent of all attacks, followed by Payment systems with 13.9 per cent and Food retail with 13.0 per cent.
Qrator Labs’ data further indicated that Brazil has overtaken Russia and the United States as the largest source of application-layer (L7) DDoS attacks, accounting for 19 per cent of all malicious traffic in the third quarter.
Vietnam, meanwhile, climbed from 15th to fourth place globally within a year, reflecting a broader shift toward emerging markets as major contributors to the global DDoS infrastructure.
Leskin said the expansion of DDoS activity in developing regions stems from two main factors: rapid digitalisation that increases the number of Internet-connected devices, and the widespread accessibility of AI-driven attack tools.
What is more, he warned that the implications for Cyprus are particularly serious, given the island’s growing tech ecosystem.
“Cyprus is home to a growing number of innovative technology companies,” he said. “These firms need to pay close attention to emerging cyberthreats, including AI-driven DDoS attacks.”
“Many Cypriot tech companies operate in intensely competitive markets, and some aim to disrupt them, so they must be ready for resistance from existing market players, including tactics that sometimes cross legal boundaries,” Leskin added. “These risks should be taken seriously.”
He explained that many of these companies rely heavily on AI computations internally, often through platforms such as ChatGPT or proprietary machine learning models, which creates new vulnerabilities at the application level.
“Such computations are extremely resource intensive — a single request to an AI service costs significantly more than a typical database transaction,” he said. “This creates a new attack surface at the application level. If attackers leverage large IoT botnets to send malicious AI-level requests, the target system is still forced to process them.”
Furthermore, Leskin warned that even cloud-based infrastructures can suffer financial damage during such attacks, since companies are billed for the processing of malicious traffic even if their systems remain online.
“Even if the infrastructure is deployed in the cloud with potentially limitless resources and does not go offline under load, the company will still receive a substantial resource consumption bill afterward,” he said.
“For a young technology business without strong revenue or a financial safety cushion, the consequences of such attacks can be highly damaging, potentially affecting the company’s growth, stability, and future on the market,” he added.
He also pointed to recent service disruptions in Cyprus as evidence that both public and private systems remain vulnerable.
“Cyprus has already experienced repeated service disruptions affecting government and municipal online platforms in recent years,” he said.
“This highlights that services used by citizens also require modern protection,” he continued. “One well-known example was last year’s prolonged disruption of the national online tax filing service.”
He pointed out that “the filing deadline, originally set for the end of July, had to be repeatedly postponed until late November due to months of limited availability and technical instability”.
Leskin explained that at the height of the disruption, authorities took the controversial step of blocking access to the service from abroad, which left many Cypriots living in other EU countries unable to file their tax returns.
“The situation became so severe that, in September, access to the service from abroad was completely blocked as a security measure,” he said.
“This decision was questionable, considering that many Cypriots who needed to submit declarations were outside the country — in Greece or elsewhere in the EU,” he added. “The disruption demonstrated that a significant part of the national digital infrastructure was not prepared to withstand sustained pressure.”
Leskin further stated that Cyprus must act proactively to ensure that its digital economy remains resilient in the face of fast-evolving cyber threats.
“In short, Cyprus has already faced availability issues caused by cyberattacks, including DDoS,” he said.
“These disruptions were eventually resolved in one way or another, and the affected services were restored,” he mentioned.
“However, it must be taken into account that the threat landscape continues to evolve. What was considered adequate protection two or three years ago — or even a year ago — may already be insufficient today,” Leskin explained.
“This is why both commercial organisations and public institutions in Cyprus should regularly reassess their understanding of current threats and update their defensive capabilities accordingly,” he concluded.