GenAI being used to industrialize cybercrime

Rather than deploying standalone malware, threat actors are operating with the precision of a logistics firm to industrialize cybercrime, according to a new report from Lumen. They use generative AI to rotate IP addresses and domain names faster than manual defenders can track, and they use ‘rentable identities’ obtained through compromised home routers to blend into everyday residential traffic.

This highly professionalized ‘heist crew’ model allows attackers to remain invisible in the ‘staging grounds’ of the network, ensuring that by the time they interact with a target, the path of least resistance has already been cleared.

The research, by Lumen’s threat research and operations arm Black Lotus Labs, finds that as endpoint detection and response (EDR) has matured, attackers have pivoted to internet-exposed edge devices — routers, VPN gateways and firewalls. These assets offer privileged access, limited forensic capabilities, and typically operate outside traditional endpoint security visibility.

Criminal and nation-state crews are also industrializing proxy networks using compromised small office/home office (SOHO) devices. By hijacking these ‘rentable identities,’ attackers can blend into legitimate residential traffic to bypass Zero Trust and geolocation controls. Elite espionage campaigns are increasingly built on ‘stolen staging,’ where nation-state actors hijack criminal infrastructure to hide their fingerprints behind noisy, common criminal activity.

“As attackers shift toward internet‑exposed edge infrastructure, defenders are losing visibility at a critical stage of an attack,” says Nat Habtesion, SVP and chief security officer at Lumen. “By seeing attacker infrastructure as it forms at the network layer, Lumen and our Black Lotus Labs team can identify threat actors’ activities early, disrupt campaigns in motion, and reduce the operational burden on security teams before damage is done.”

The report also looks at some high-profile examples of the new era. These include Kimwolf, a massive DDoS botnet that scaled to hundreds of thousands of bots in weeks by exploiting residential proxy ecosystems. Lumen observed Kimwolf triple its bot count in just one week and launch attacks reaching 30 terabits per second (Tbps).

There’s Raptor Train too, a nation-state botnet that utilized an enterprise-grade control center to manage over 200,000 compromised Internet of Things (IoT) devices.

“Threat intelligence is needed to find the adversary as early as possible and as close to the point of origination as possible,” says Chris Kissel, IDC vice-president, security and trust. “Lumen’s massive infrastructure and the quality of Black Lotus Labs provide optimal visibility of the IP backbone, greatly reducing the odds of successful cyber-attack campaigns.”

The full 2026 Lumen Defender Threatscape Report is available for download now.

Image credit: Jakub Jirsak/Dreamstime.com