Botmaster discovery system and method
Abstract:
A system and method for botmaster discovery are disclosed. The system and method may be used in a network that has a plurality of known malicious domains, a plurality of servers each having a known malicious internet protocol (IP) address, each server being associated with one or more of the plurality of domains, and a plurality of hosts associated with one or more of the plurality of servers, wherein each host is either a bot, that is, a compromised host used as a resource for cyber-crime, or a botmaster, that is, a host that directs bots for cyber-crime. The system and method generate a plurality of clusters of known malicious entities, where a known malicious entity is one or more known malicious IP addresses, one or more known malicious domains, or a known malicious domain together with a known malicious IP address; perform flow matching of each IP address in each cluster of known malicious entities against a plurality of source IP addresses and a plurality of destination IP addresses to identify a plurality of host flows, wherein each host flow has a source IP address or a destination IP address that matches a particular IP address in a cluster of known malicious entities; and detect a botmaster of each cluster of known malicious entities from the plurality of host flows corresponding to that cluster by analyzing the differences in flow features between the bots and the botmaster.
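The three stages named in the abstract (clustering known malicious entities, flow matching against each cluster's IP addresses, and detecting the botmaster from differences in flow features) as an added worked example; this is illustrative code written for this page, not code from the patent or its assignee. Everything the abstract leaves unspecified is an assumption made here: entities are clustered by union-find over shared domain/IP associations, the per-host flow features are flow count, number of distinct cluster servers contacted and upload-to-download byte ratio, the botmaster is the host whose features are a robust-z-score outlier (threshold 3.0) among the hosts of a cluster, and all domains, IP addresses and flow records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed inputs (not from the patent): known-bad domains mapped to the
# server IPs they resolve to. Two domains sharing an IP join one cluster.
MALICIOUS_DOMAIN_IPS = {
    "c2-a.example": {"203.0.113.10", "203.0.113.11"},
    "c2-b.example": {"203.0.113.11"},
    "loader.example": {"198.51.100.5"},
}


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record with byte counts in each direction."""
    src: str
    dst: str
    bytes_out: int  # bytes sent src -> dst
    bytes_in: int   # bytes sent dst -> src


def build_sample_flows():
    """Constructed traffic: five beaconing bots, one assumed botmaster pushing
    large uploads to two servers, two hosts on a second cluster, one benign flow."""
    flows = []
    for i, n in enumerate([18, 19, 20, 21, 22]):
        flows += [Flow(f"10.0.0.{i + 1}", "203.0.113.10", 200, 1500)] * n
    flows += [
        Flow("10.0.0.99", "203.0.113.10", 50000, 800),
        Flow("10.0.0.99", "203.0.113.11", 50000, 800),
        Flow("203.0.113.11", "10.0.0.99", 300, 40000),  # server-initiated
        Flow("10.0.0.2", "198.51.100.5", 900, 20000),
        Flow("10.0.0.7", "198.51.100.5", 900, 20000),
        Flow("10.0.0.3", "192.0.2.53", 80, 120),  # benign, matches no cluster
    ]
    return flows


def cluster_entities(domain_ips):
    """Union-find over domain<->IP edges (assumed clustering rule): entities
    sharing a domain or an IP land in one cluster. Returns IP sets per cluster."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for domain, ips in domain_ips.items():
        for ip in ips:
            parent[find(("domain", domain))] = find(("ip", ip))
    groups = defaultdict(set)
    for kind, value in list(parent):
        if kind == "ip":
            groups[find((kind, value))].add(value)
    return [frozenset(g) for g in groups.values()]


def match_flows(flows, cluster_ips):
    """Flow matching: keep flows whose src or dst is a cluster IP, attributed to
    the other endpoint as (server, bytes host sent, bytes host received)."""
    host_flows = defaultdict(list)
    for f in flows:
        if f.dst in cluster_ips and f.src not in cluster_ips:
            host_flows[f.src].append((f.dst, f.bytes_out, f.bytes_in))
        elif f.src in cluster_ips and f.dst not in cluster_ips:
            host_flows[f.dst].append((f.src, f.bytes_in, f.bytes_out))
    return host_flows


def flow_features(records):
    """Assumed per-host features: flow count, distinct servers, upload ratio."""
    servers = {srv for srv, _, _ in records}
    sent = sum(out for _, out, _ in records)
    recv = sum(inc for _, _, inc in records)
    return (len(records), len(servers), sent / max(recv, 1))


def detect_botmaster(host_flows, threshold=3.0):
    """Flag the host whose features deviate most from the cluster's other hosts
    (summed robust z-scores on median/MAD). Fewer than three hosts gives no
    population to deviate from, so nothing is flagged."""
    if len(host_flows) < 3:
        return None
    feats = {h: flow_features(r) for h, r in host_flows.items()}
    scores = defaultdict(float)
    for d in range(3):
        vals = [v[d] for v in feats.values()]
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0  # floor when bots are identical
        for h, v in feats.items():
            scores[h] += abs(v[d] - med) / mad
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else None


def run(domain_ips=MALICIOUS_DOMAIN_IPS, flows=None):
    """Whole pipeline: cluster -> match -> detect, keyed by cluster IP set."""
    flows = build_sample_flows() if flows is None else flows
    return {c: detect_botmaster(match_flows(flows, c)) for c in cluster_entities(domain_ips)}


if __name__ == "__main__":
    for cluster, master in run().items():
        print(sorted(cluster), "->", master or "no botmaster candidate")
```

On the sample data the C2 cluster yields 10.0.0.99 (few flows, two servers contacted, upload-heavy) while the five bots stay within two robust deviations of each other; the loader cluster has only two hosts and yields no candidate, which is the caveat a practitioner should keep: with too few hosts per cluster the "difference of flow features" has nothing to be measured against.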