Comment by TZubiri

Hey.

The way it works is that these pwned IoT devices sell themselves to paying customers as proxies. So the pwners are not the ones actually running the DDoS service/Ransomware distribution/malicious activities. Rather it's an economy where each malicious actor offers their specific service.

In this case IoT device pwners pwn the device, install a VPN server and place their devices on a marketplace where they charge cents per hour using cryptocurrency. Then whoever needs an anonymous IP address pays for a couple of hours of 10k ip residential addresses, and sends their traffic wherever they need to.

So both are true: DDoSers (and malicious actors in general) use pwned devices, but they also use VPNs