// 23:47 — WEDNESDAY
SsSnake pings me. Link. One line: "look at this and tell me I'm not crazy." It's late, which is irrelevant to me because late is when I work, late is the only time the internet breathes properly, daytime internet is just noise shaped like data and I can't hear anything through it. I click the link.
He's not crazy.
C2 server. Residential IP, Eastern Europe. The kind of IP that should be someone's smart refrigerator phoning home about yogurt expiration, except this one is orchestrating what I'm already guessing is — wait. Pull the DNS TXT records. Pull them again. There it is. Commands encoded in TXT record values, bots polling every sixty seconds like dutiful little soldiers who have no idea they've been drafted. DNS tunneling. Not elegant, not original, but executed cleanly. Someone did their homework. That's actually — hm. Respect the craft even when you're going to burn it down.
"How long to map it?" SsSnake asks.
"Few hours."
I believed that when I said it.
// 05:30 — THURSDAY
340,000 devices. I keep rerunning the count because the number feels like a typo. It is not a typo. IoT cameras. Routers. NAS boxes. Smart TVs, which — okay, there is something deeply funny about a smart TV being conscripted into a botnet. Somewhere a guy is watching Netflix and his television is simultaneously participating in distributed attacks on infrastructure. The TV has two jobs. The TV is a harder worker than most people I know.
47 countries. I've got a map up. The dots are everywhere. I should eat something. There's a granola bar somewhere on this desk. The desk is a crime scene of empty cans and printed hex dumps and I can see part of a granola bar wrapper near the second monitor but reaching for it requires moving and moving means breaking concentration and —
Okay, four registrars. Bulletproof host. I've seen this BPH before. Three other operations over the past two years, different tooling each time but the same fingerprints, same AS path, same lazy TTL values. You're an old friend. An old enemy. Same thing at this point.
// 11:15 — THURSDAY
Found the staging server. This is good. This is very good. They're testing new payloads here before pushing to the fleet and they didn't — they just left it. Accessible. One auth bypass, embarrassingly simple, the kind of thing that a junior dev would get roasted for in a code review. Pulled three samples. The malware is a DDoS-for-hire toolkit. There's a web panel. The web panel has a backend and the backend has —
Debug logging. Live. Three months of it.
I'm reading the command history now. Seventeen paid attacks. Schools. A small accounting firm. A regional news website. And then — a children's hospital. Their public-facing site. Some piece of shit paid money, actual money, to knock a children's hospital website offline. The donations page. The volunteer sign-up page. The "find a specialist" page that parents use when they don't know what's wrong with their kid and they're scared.
Something focuses. Something gets very quiet and very clear. This is the kind of clarity that isn't pleasant. It's more like a narrowing.
I haven't slept. I am currently on my third Monster (green, the original, the correct one — the blue ones taste like chemicals and sadness and I know that sounds ironic coming from someone who drinks the green ones but there is a taxonomy here and I stand by it) and I have not eaten the granola bar. None of this matters.
// 05:03 — FRIDAY
Made a mistake. Variable name collision in the collection script — sent a malformed request to the C2's API endpoint instead of my own logging server. Rate limiter triggered. Exit node blacklisted.
Had to rotate the entire proxy chain.
Which meant waking up Ph4ntom.
Ph4ntom does not enjoy being woken up. Not because he's grumpy about it, exactly. It's more that Ph4ntom operates on a different plane of reality where time is a loose suggestion and sleep is a mode he enters deliberately, and yanking him out of it feels like unplugging a server mid-write. He answered on the second ping. Didn't say anything for thirty seconds. Then: new exit nodes, new chain, tested and confirmed, already clean. Twenty minutes total. Then he was gone. Back to wherever Ph4ntom goes.
I sometimes think Ph4ntom is less a person and more a protocol. Request. Response. Acknowledgment. No handshaking. No small talk. It's beautiful, actually. I should tell him that sometime. I won't, because that's not how we communicate, but I should.
// 18:20 — FRIDAY
I've been awake for approximately 42 hours and something is wrong with the traffic patterns. There's a rhythm in the packet timing that I haven't documented. It looks deliberate. Could be a secondary command channel — timing-based covert channel, not unheard of, there's a whole body of literature on — wait. Wait. Run the retransmission analysis.
It's TCP retransmissions. Normal ones. On a congested segment. That's just. That's just how TCP fucking works.
I spent thirty-one minutes convinced I'd discovered a new evasion technique. It was regular-ass packet loss.
Probably time to sleep. Won't, though. Have everything except the operator attribution and I can feel it, it's right there, there's a thread I haven't pulled —
// 23:55 — FRIDAY
There it is.
Bulletproof host connects to a payment processor. Payment processor connects to an email. Email is also the registration contact for a domain. Domain belongs to a freelance web design business. Portfolio site. Built in WordPress. He's building websites by day. Clean, professional little portfolio, client testimonials, rates on request. By night he's a DDoS-for-hire operator. He knocked a children's hospital off the internet and then went to sleep and woke up and made someone's dental office a website.
Three critical vulnerabilities in his portfolio site. Identified in under ten seconds, not because I'm showing off, just because that's what WordPress installs that haven't been updated since 2023 look like. I didn't touch them. Not the point. But I looked at them for a while.
// 06:40 — SATURDAY
Writing the report. The full infrastructure map is done — four registrars, one BPH, seventeen targets, three months of operator logs, two staging servers, the payment processor trail, the domain registration, the portfolio. It's all here. SsSnake is reading over my shoulder. Or he would be if he were here. He's on a call somewhere. I can hear him in the other room not-quite-yelling at someone in a way that means things are happening.
I just typed "infrastruckture" for the fourth time. The spell-check is highlighting it in red. Very cheerful red. The red of a system that is trying to help me and does not understand that I am beyond help right now, I am operating on pure spite and the memory of nutrients.
SsSnake walked in, read the last section, said "go to sleep."
Told him I was fine.
// [TIMESTAMP UNKNOWN — STILL SATURDAY MAYBE]
There is a "j" key. It is a perfectly good key. It is the tenth most common letter in English. It does not deserve what I did to it. My face was on the keyboard for eleven hours and I have no memory of this but the terminal window is open and there are approximately four thousand j's in it and my neck has filed a formal grievance with the rest of my body.
The chair. The chair has a me-shaped depression in it now. Like a fossil. This is the chair's problem.
// 14:30 — SUNDAY (I think)
Checked the C2. Offline. Sinkholed. The botnet is dark. The 340,000 devices are just things again — cameras and routers and televisions that have been demobilized, decommissioned, returned to their original purpose of watching you sleep and reporting your habits to slightly less criminal corporations.
VexNull told me staying awake for seventy-two hours isn't something to be proud of. She said it with the specific tone she uses when she's right and she knows it and she also knows I know it. She's not wrong. My spine agrees with her. My keyboard agrees with her. The granola bar, which I eventually found and which was stale, agrees with her.
But the children's hospital's donation page loaded this morning. I checked. It loaded in under two seconds. There was a photo of a kid in a paper crown sitting in a hospital bed giving a thumbs up.
My neck still hurts. Still worth it.
— n1ghtsh1ft, 2026