This and taking control of botnet control panels are the most common methods.
Something that also often happens is that your home connection has been used in some sort of attack or your IP is found in some other logs and your ISP gets contacted, often even automatically. I had a compromised device on my network once and my ISP kept calling me to fix it. I’m sure if it was router malware some ISPs might use their CWMP or SNMP access to clear it.
This and taking control of botnet control panels are the most common methods.
Something that also often happens is that your home connection has been used in some sort of attack or your IP is found in some other logs and your ISP gets contacted, often even automatically. I had a compromised device on my network once and my ISP kept calling me to fix it. I’m sure if it was router malware some ISPs might use their CWMP or SNMP access to clear it.