Kimwolf Botnet Swamps Anonymity Network I2P

The Kimwolf IoT botnet has disrupted The Invisible Internet Project (I2P), a decentralized anonymity network, by attempting to onboard 700,000 infected devices as nodes. This mass influx caused a Sybil attack, overwhelming the network to approximately half its normal capacity and preventing legitimate users from connecting. Kimwolf, which emerged in late 2025 and has infected millions of IoT devices including routers, TV streaming boxes, and digital picture frames, attempted to use I2P as a fallback command-and-control infrastructure to evade takedown efforts. The botnet is also known for launching large-scale DDoS attacks and previously manipulated Cloudflare's DNS settings to prominence. I2P developers are rolling out stability improvements while the network remains degraded.

For the past week, the massive "Internet of Things" (IoT) botnet known as Kimwolf has been disrupting the The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet's control servers.

The Kimwolf IoT botnet has disrupted The Invisible Internet Project (I2P), a decentralized anonymity network, by attempting to onboard 700,000 infected devices as nodes. This mass influx caused a Sybil attack, overwhelming the network to approximately half its normal capacity and preventing legitimate users from connecting. Kimwolf, which emerged in late 2025 and has infected millions of IoT devices including routers, TV streaming boxes, and digital picture frames, attempted to use I2P as a fallback command-and-control infrastructure to evade takedown efforts. The botnet is also known for launching large-scale DDoS attacks and previously manipulated Cloudflare's DNS settings to prominence. I2P developers are rolling out stability improvements while the network remains degraded. For the past week, the massive "Internet of Things" (IoT) botnet known as Kimwolf has been disrupting the The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet's control servers. For the past week, the massive “Internet of Things” (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users started reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers. Kimwolf is a botnet that surfaced in late 2025 and quickly infected millions of systems, turning poorly secured IoT devices like TV streaming boxes, digital picture frames and routers into relays for malicious traffic and abnormally large distributed denial-of-service (DDoS) attacks. I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously. “It works by routing data through multiple encrypted layers across volunteer-operated nodes, hiding both the sender’s and receiver’s locations,” the I2P website explains . “The result is a secure, censorship-resistant network designed for private websites, messaging, and data sharing.” On February 3, I2P users began complaining on the organization’s GitHub page about tens of thousands of routers suddenly overwhelming the network, preventing existing users from communicating with legitimate nodes. Users reported a rapidly increasing number of new routers joining the network that were unable to transmit data, and that the mass influx of new systems had overwhelmed the network to the point where users could no longer connect. I2P users complaining about service disruptions from a rapidly increasing number of routers suddenly swamping the network. When one I2P user asked whether the network was under attack, another user replied, “Looks like it. My physical router freezes when the number of connections exceeds 60,000.” A graph shared by I2P developers showing a marked drop in successful connections on the I2P network around the time the Kimwolf botnet started trying to use the network for fallback communications. The same day that I2P users began noticing the outages, the individuals in control of Kimwolf posted to their Discord channel that they had accidentally disrupted I2P after attempting to join 700,000 Kimwolf-infected bots as nodes on the network. The Kimwolf botmaster openly discusses what they are doing with the botnet in a Discord channel with my name on it. Although Kimwolf is known as a potent weapon for launching DDoS attacks, the outages caused this week by some portion of the botnet attempting to join I2P are what’s known as a “ Sybil attack ,” a threat in peer-to-peer networks where a single entity can disrupt the system by creating, controlling, and operating a large number of fake, pseudonymous identities. Indeed, the number of Kimwolf-infected routers that tried to join I2P this past week was many times the network’s normal size. I2P’s Wikipedia page says the network consists of roughly 55,000 computers distributed throughout the world, with each participant acting as both a router (to relay traffic) and a client. However, Lance James , founder of the New York City based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity the entire I2P network now consists of between 15,000 and 20,000 devices on any given day. An I2P user posted this graph on Feb. 10, showing tens of thousands of routers — mostly from the United States — suddenly attempting to join the network. Benjamin Brundage is founder of Synthient , a startup that tracks proxy services and was the first to document Kimwolf’s unique spreading techniques . Brundage said the Kimwolf operator(s) have been trying to build a command and control network that can’t easily be taken down by...