On January 14th, 2026, something strange happened on the internet. Telnet traffic—the ancient, insecure protocol that hasn't been recommended for anything in decades—dropped by 65% in a single hour.
This wasn't a gradual decline. It was a cliff. And nobody has publicly explained why.
What GreyNoise Observed
GreyNoise, a company that monitors internet-wide scanning and attack traffic, tracks telnet connections across the global internet. For months, they observed a baseline of approximately 914,000 non-spoofable telnet sessions per day—about 51 million sessions total between December 1, 2025 and January 14, 2026.
Then, in a single hour, that traffic collapsed. The scanners went quiet. The botnets stopped calling. Telnet—after decades of being the internet's persistent background noise—fell silent.
As of GreyNoise's reporting, no law enforcement agency or security firm had publicly claimed credit for a takedown operation that could explain it.
Why Anyone Still Uses Telnet
To understand why this matters, you need to understand what telnet is and why it still exists.
Telnet is a protocol from 1969. It lets you remotely access another computer's command line—transmitting everything, including your password, in plain text that anyone on the network can read. SSH replaced it for legitimate purposes decades ago.
But telnet never died. It persisted in places where security wasn't a priority or updates weren't possible:
Legacy industrial systems. Factory equipment, SCADA systems, and embedded devices installed before security was a concern often only speak telnet. Replacing them costs money and causes downtime.
IoT devices. Cheap cameras, routers, and smart devices are often built with minimal firmware that includes telnet for debugging. Manufacturers don't always remove it before shipping.
Old infrastructure. Network equipment, mainframes, and systems from organizations that don't prioritize updates sometimes still accept telnet connections.
For attackers, telnet is a gift. Default credentials are well-documented. The protocol has no encryption to bypass. A single scan can find thousands of vulnerable devices in hours.
The Botnet Connection
Most telnet traffic isn't legitimate remote administration. It's botnets scanning for vulnerable devices to recruit.
The Mirai botnet and its descendants built empires by scanning the internet for devices accepting telnet connections, trying default passwords, and installing malware on anything that worked. These compromised devices then join the botnet, scanning for more victims and participating in attacks.
When GreyNoise sees 914,000 telnet sessions daily, they're mostly seeing this: an endless cycle of compromised devices searching for more devices to compromise.
So when that traffic drops 65% in an hour, one of two things happened: Either something huge got taken down, or something huge got turned off.
The Mystery
This is where the story gets interesting. Significant botnet takedowns are usually announced. Law enforcement agencies hold press conferences. Security firms publish detailed reports. The organizations involved want credit for the disruption.
But as of the last reports, nobody has claimed this one.
Several possibilities exist:
A quiet takedown. Sometimes law enforcement coordinates globally and keeps it quiet for operational reasons—maybe they're still rolling up related infrastructure or pursuing arrests. The announcement comes later.
Infrastructure failure. A major botnet could have experienced its own technical failure. Command and control servers crash. Hosting gets pulled. Things break. This would be temporary, but the timing would have to be spectacular.
Operator decision. A botnet operator could have decided to go quiet voluntarily—perhaps because they detected surveillance, or because they're pivoting to something else, or for reasons we'll never know.
Something we don't understand yet. The internet is vast and weird. Events that look significant sometimes have mundane explanations, and events that look mundane sometimes mask significant changes.
What This Means for Founders
You probably don't have telnet enabled on anything. But the story has lessons beyond the specific protocol:
Legacy protocols are a liability. Telnet exists in 2026 because of technical debt—systems that were never updated, devices that were installed and forgotten, infrastructure where "working" was good enough. Every organization has equivalents. Protocols that shouldn't be exposed. Services that shouldn't be running. Attack surface that exists because nobody got around to cleaning it up.
Visibility matters. GreyNoise can tell this story because they instrument the internet and track what they see. Most organizations have no equivalent visibility into what's happening on their own networks. If 65% of your suspicious traffic disappeared tomorrow, would you notice?
The internet's background radiation is hostile. Those 914,000 daily telnet sessions aren't targeting anyone specifically. They're scanning everything, all the time, looking for whatever they can find. Your infrastructure exists in this environment whether you think about it or not.
Mysterious events happen. We may never know exactly what caused the telnet cliff. The internet is too large and too distributed for complete visibility. Understanding your own infrastructure is hard enough; understanding the internet as a whole is impossible.
Practical Implications
If you're running a startup, some practical takeaways:
Audit your external attack surface. Tools exist to scan your own infrastructure the way attackers do. Run them. See what's exposed that shouldn't be. Fix it before someone else finds it.
Disable legacy protocols. If something on your network speaks telnet, FTP, or other unencrypted protocols, ask why. The answer is rarely good enough to justify the risk.
Monitor unusual activity—including unusual inactivity. Security monitoring usually looks for spikes: more traffic, more failed logins, more alerts. But sudden drops can be equally significant. They might mean a botnet moved on, or they might mean something changed on your network in ways you should understand.
Assume the baseline is hostile. The internet isn't a neutral environment. It's an actively hostile space where automated systems probe every exposed surface constantly. Design your infrastructure accordingly.
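The "unusual inactivity" check described above, as an added example rather than code from the original article or from GreyNoise: it flags hours whose session count falls or rises sharply against a trailing median. The function names, thresholds and hourly counts are assumptions constructed for illustration, with the sample sized to match the roughly 914,000 sessions per day mentioned earlier.

```python
from statistics import median


def detect_shifts(counts, window=24, drop=0.5, spike=2.0):
    """Flag hours whose count falls or rises sharply against a trailing median.

    counts: hourly session counts, oldest first.
    Returns a list of (hour_index, kind, count, baseline) tuples.
    """
    alerts = []
    for i in range(window, len(counts)):
        # Median, not mean: a few collapsed hours do not drag the
        # baseline down, so a sustained drop keeps alerting.
        baseline = median(counts[i - window:i])
        if baseline <= 0:
            continue  # no meaningful baseline (sensor offline or new)
        ratio = counts[i] / baseline
        if ratio <= 1 - drop:
            alerts.append((i, "drop", counts[i], baseline))
        elif ratio >= spike:
            alerts.append((i, "spike", counts[i], baseline))
    return alerts


def sample_counts():
    """Constructed data: 48 hours near 38,000 sessions/hour
    (about 914,000/day), then 6 hours at roughly 35% of that."""
    normal = [38000 + ((h * 37) % 11 - 5) * 300 for h in range(48)]
    quiet = [13300 + ((h * 37) % 11 - 5) * 100 for h in range(48, 54)]
    return normal + quiet


if __name__ == "__main__":
    for hour, kind, count, baseline in detect_shifts(sample_counts()):
        change = (count / baseline - 1) * 100
        print(f"hour {hour}: {kind} {count} vs baseline {baseline:.0f} ({change:+.0f}%)")
```

With fewer than `window` hours of history the function returns nothing, so a new sensor stays silent until it has a baseline to compare against.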
The Bigger Picture
The telnet traffic drop is a reminder that the internet has layers we don't usually see. Below the websites and APIs and applications, there's a substrate of scanning, probing, and automated attack traffic that flows constantly.
Sometimes that substrate shifts dramatically, and we don't know why. A major botnet dies. A new one emerges. Law enforcement executes an operation. An attacker changes tactics.
Most of us experience the internet through browsers and apps. But under the surface, a different internet exists—older, stranger, and more dangerous. Telnet is a protocol from before the web existed, and it's still out there, still being exploited, still part of the constant background hum of internet hostility.
Until January 14th, when something changed, and the hum got quieter. At least for now.
The Bottom Line
A 65% drop in global telnet traffic is significant enough to notice and mysterious enough that it has not yet been explained. Whether it was a successful takedown, a technical failure, or something else entirely, it illustrates something important: The internet is not just the products we build on it. It's an ecosystem, and that ecosystem has dynamics we don't control and often don't understand.
For founders, the lesson isn't about telnet specifically. It's about operating in an environment where strange things happen at scale, hostile actors are always present, and the infrastructure we depend on has layers we never see until something goes wrong—or, in this case, mysteriously goes right.