[TZubiri]

Hey.

The way it works is that these pwned IoT devices sell themselves to paying customers as proxies. So the pwners are not the ones actually running the DDoS service/Ransomware distribution/malicious activities. Rather it's an economy where each malicious actor offers their specific service.

In this case IoT device pwners pwn the device, install a VPN server and place their devices on a marketplace where they charge cents per hour using cryptocurrency. Then whoever needs an anonymous IP address pays for a couple of hours of 10k ip residential addresses, and sends their traffic wherever they need to.

So both are true: DDoSers (and malicious actors in general) use pwned devices, but they also use VPNs