Browser as Botnet

Presented at THOTCON 0x9 (2018), May 4, 2018, 2 p.m. (25 minutes)

When surfing the web, browsers download and execute arbitrary JavaScript code they receive from the websites they visit. What if high-traffic websites served obfuscated code that secretly borrowed clock cycles from their clients' web browsers as a means of distributed computing? In this talk I will present research on the topic of using web browsers as zero-configuration, trojan-less botnets. The presentation will include a brief history of botnets, followed by an overview of techniques to build and deploy command-and-control botnet clients that run in-browser using web workers, WebTorrent, WebAssembly, and WebGL GPGPU. I will present exhaustive research that simulates the potential compute power of such a botnet using publicly available user-agent statistics and web traffic analytics from popular websites. What if Facebook or Google ran unnoticeably small "jobs" in your browser whenever you visited their websites? How much "free" compute could be leveraged from 2 billion users annually? With the rise of distributed computing, such a technique could be exploited to train or run machine learning models, mine a blockchain, or DDoS target servers. In this talk we will explore the idea that the design and function of the web browser present an inherent opportunity for exploitation. We will discuss both the ethical and nefarious uses of such browser-based botnets: how they may be used in the wild and what unique affordances such a technique presents. The preparation and original research for this talk will be extensive, as very little information on the subject currently exists. The talk will feature a live demo that includes conference attendees and will be followed by an open discussion of the applications and implications of deploying browser-based botnets.
