[als0]

Many consumer IoT devices are just small microcontrollers that don't run Linux. Usually just a small embedded application in an RTOS, without much security at all.

For powerful application processors like your TV, smartphone, router...there's plenty of rich data to exfiltrate and resources to abuse.

For a microcontroller, you're either interested in controlling it remotely or stealing some secret from it e.g. WLAN password or a cloud access credential. Anything else is quite hard and has diminishing returns. However, in great numbers they can provide a significant DDoS capability.

[unnouinceput]

When power is paid by somebody else and you benefit the hash power, regardless of how low it is in one unit, once you have million of unit you can create your own bitcoin pool and strike gold. I bet mining is way more profitable than DDoS.

[ClumsyPilot]

"Usually just a small embedded application in an RTOS, without much security at all."

In security, that's probably a strength, not a weakness, if done right. There are less lines of code that might contain vulnerabilities. There is no random side service, JS library or OS vulnerability to attack, there might be nothing to listen for incoming connections, etc.