Somewhere around 10% of all machines connected to the Internet are thought to be infected with malicious software. This has allowed the emergence of so-called ‘botnets’ – networks of sometimes millions of infected machines that are remotely controlled by malicious actors. Botnets are mostly used for criminal purposes, but they also enable large-scale failures that might even reach disastrous proportions. We explain the rise of botnets as the outcome of the incentive structures of market players and present new empirical evidence on these incentives. The resulting externalities require some form of voluntary or government-led collective action. Our findings have implications for the controversial debate on the appropriate policy measures, where two perspectives on cybersecurity fight for dominance: national security and law enforcement.