Our initial report in early 2026 exposed the emergence of Kimwolf, a pernicious botnet that had already infiltrated over two million devices, primarily by exploiting vulnerabilities in a vast array of unofficial Android TV streaming boxes. This follow-up investigation delves into the digital breadcrumbs left by the malicious actors, network operators, and service providers who have profited from Kimwolf’s widespread dissemination.

The digital forensics firm XLab, in a comprehensive report published on December 17, 2025, detailed how Kimwolf compels infected devices to participate in distributed denial-of-service (DDoS) attacks and to act as relays for abusive and malicious internet traffic, serving what are known as "residential proxy" services. These services, often surreptitiously bundled with mobile applications and games, transform a user’s device into a proxy without their explicit consent. Kimwolf specifically targeted such residential proxy software that was pre-installed on over a thousand different models of unsanctioned Android TV streaming devices. Consequently, the IP addresses associated with these compromised devices quickly began to funnel traffic linked to ad fraud, account takeover attempts, and large-scale content scraping.

XLab’s research uncovered "definitive evidence" indicating that the same cybercriminal entities and infrastructure were responsible for deploying both Kimwolf and its predecessor, the Aisuru botnet. Aisuru, an earlier iteration, also enslaved devices for participation in DDoS attacks and proxy services. XLab had harbored suspicions since October 2025 that Kimwolf and Aisuru shared common authors and operators, largely due to observed similarities in their codebases. These suspicions were solidified on December 8, 2025, when researchers observed both botnet strains being distributed from the same internet address: 93.95.112[.]59.

RESI RACK: The Infrastructure Provider

Public records reveal that the internet address range identified by XLab is assigned to Resi Rack LLC, a company based in Lehi, Utah. While Resi Rack’s website advertises itself as a "Premium Game Server Hosting Provider," its advertisements on the online money-making forum BlackHatWorld present it as a "Premium Residential Proxy Hosting and Proxy Software Solutions Company."

Cassidy Hales, a co-founder of Resi Rack, informed KrebsOnSecurity that his company received a notification on December 10, 2025, regarding Kimwolf’s utilization of their network. This notification "detailed what was being done by one of our customers leasing our servers." Hales responded via email, stating, "When we received this email we took care of this issue immediately. This is something we are very disappointed is now associated with our name and this was not the intention of our company whatsoever." The Resi Rack IP address flagged by XLab on December 8 had already come to KrebsOnSecurity’s attention over two weeks prior. Benjamin Brundage, founder of Synthient, a company specializing in tracking proxy services, shared in late October 2025 that individuals selling proxy services that benefited from the Aisuru and Kimwolf botnets were operating from a new Discord server named resi[.]to.

Upon joining the resi[.]to Discord channel as a silent observer in late October 2025, KrebsOnSecurity noted fewer than 150 members, including "Shox," the moniker used by Resi Rack’s co-founder Mr. Hales, and his business partner "Linus," who did not respond to requests for comment. Other members of the resi[.]to Discord channel frequently posted new IP addresses responsible for proxying traffic through the Kimwolf botnet. As a screenshot from resi[.]to illustrates, the Resi Rack IP address identified by XLab was actively used by Kimwolf to direct proxy traffic as early as November 24, 2025, and possibly earlier. In total, Synthient tracked at least seven static Resi Rack IP addresses linked to Kimwolf’s proxy infrastructure between October and December 2025. Neither of Resi Rack’s co-owners responded to follow-up inquiries. Both have been actively involved in selling proxy services via Discord for nearly two years. According to a review of Discord messages indexed by the cyber intelligence firm Flashpoint, Shox and Linus spent much of 2024 selling static "ISP proxies" by routing various internet address blocks from major U.S. internet service providers.

In February 2025, AT&T announced that effective July 31, 2025, it would cease originating routes for network blocks not owned and managed by AT&T. Other major ISPs have since implemented similar policies. Less than a month later, Shox and Linus informed their customers that they would soon discontinue offering static ISP proxies due to these policy changes.

DORT & SNOW: The Botnet Masters

The stated owner of the resi[.]to Discord server used the abbreviated username "D." This initial appears to be short for the hacker handle "Dort," a name frequently mentioned throughout the Discord chats. This "Dort" nickname surfaced in recent conversations KrebsOnSecurity had with "Forky," a Brazilian individual who admitted to being involved in the marketing of the Aisuru botnet at its inception in late 2024. However, Forky vehemently denied any involvement in a series of massive and record-breaking DDoS attacks in the latter half of 2025 attributed to Aisuru, claiming the botnet had been taken over by rivals by that point.

Forky asserts that Dort is a resident of Canada and is one of at least two individuals currently in control of the Aisuru/Kimwolf botnet. The other individual Forky named as an Aisuru/Kimwolf botmaster goes by the nickname "Snow." On January 2, 2026—just hours after the initial Kimwolf story was published—the historical chat records on resi[.]to were erased without warning and replaced by a profanity-laced message directed at Synthient’s founder. Minutes later, the entire server vanished. Later that same day, several of the more active members of the now-defunct resi[.]to Discord server migrated to a Telegram channel. There, they posted Brundage’s personal information and generally complained about their inability to find reliable "bulletproof" hosting for their botnet. Amusingly, a user named "Richard Remington" briefly appeared in the group’s Telegram server to post a crude "Happy New Year" sketch claiming Dort and Snow now control 3.5 million devices infected by Aisuru and/or Kimwolf. Richard Remington’s Telegram account has since been deleted, but it previously stated its owner operates a website catering to DDoS-for-hire or "stresser" services seeking to test their firepower.

BYTECONNECT, PLAINPROXIES, AND 3XK TECH: The SDK and Hosting Providers

Reports from both Synthient and XLab indicated that Kimwolf was instrumental in deploying programs that transformed infected systems into internet traffic relays for multiple residential proxy services. Among these was a component that installed a software development kit (SDK) called ByteConnect, distributed by a provider known as Plainproxies. ByteConnect claims to specialize in "monetizing apps ethically and free," while Plainproxies advertises its ability to provide content scraping companies with "unlimited" proxy pools. However, Synthient observed a massive influx of credential-stuffing attacks targeting email servers and popular online websites upon connecting to ByteConnect’s SDK.

A LinkedIn search reveals that the CEO of Plainproxies is Friedrich Kraft, whose resume states he is a co-founder of ByteConnect Ltd. Public internet routing records show that Mr. Kraft also operates a hosting firm in Germany called 3XK Tech GmbH. Mr. Kraft did not respond to repeated requests for an interview. In July 2025, Cloudflare reported that 3XK Tech (also known as Drei-K-Tech) had become the internet’s largest source of application-layer DDoS attacks. In November 2025, the security firm GreyNoise Intelligence found that internet addresses on 3XK Tech were responsible for approximately three-quarters of the internet scanning being conducted at the time for a newly discovered and critical vulnerability in security products made by Palo Alto Networks.

LinkedIn features a profile for Julia Levi, another Plainproxies employee, listed as a co-founder of ByteConnect. Ms. Levi did not respond to requests for comment. Her resume indicates she previously worked for two major proxy providers: Netnut Proxy Network and Bright Data. Synthient also noted that Plainproxies ignored their outreach efforts, and the Byteconnect SDK continues to remain active on devices compromised by Kimwolf.

MASKIFY: The Aggressive Reseller

Synthient’s January 2, 2026, report identified another proxy provider heavily involved in the sale of Kimwolf proxies: Maskify. Maskify currently advertises on multiple cybercrime forums that it possesses over six million residential internet addresses available for rent. Maskify prices its service at 30 cents per gigabyte of data relayed through its proxies. According to Synthient, this pricing is exceptionally low and significantly cheaper than any other proxy provider currently in operation. "Synthient’s Research Team received screenshots from other proxy providers showing key Kimwolf actors attempting to offload proxy bandwidth in exchange for upfront cash," the Synthient report stated. "This approach likely helped fuel early development, with associated members spending earnings on infrastructure and outsourced development tasks. Please note that resellers know precisely what they are selling; proxies at these prices are not ethically sourced." Maskify did not respond to requests for comment.

BOTMASTERS LASH OUT

Hours after the initial Kimwolf story was published, the resi[.]to Discord server vanished, Synthient’s website was subjected to a DDoS attack, and the Kimwolf botmasters resorted to doxing Brundage using their botnet. The harassing messages appeared as text records uploaded to the Ethereum Name Service (ENS), a decentralized system for supporting smart contracts on the Ethereum blockchain. As documented by XLab, in mid-December 2025, the Kimwolf operators upgraded their infrastructure and began utilizing ENS to better withstand the persistent takedown efforts targeting the botnet’s control servers.

By directing infected systems to locate Kimwolf control servers via ENS, even if the servers used by the botmasters are taken down, the attackers only need to update the ENS text record with the new IP address of the control server, and the infected devices will immediately know where to seek further instructions. XLab noted, "This channel itself relies on the decentralized nature of blockchain, unregulated by Ethereum or other blockchain operators, and cannot be blocked." The text records embedded within Kimwolf’s ENS instructions can also contain brief messages, such as those that disseminated Brundage’s personal information. Other ENS text records associated with Kimwolf offered dire advice: "If flagged, we encourage the TV box to be destroyed."

Both Synthient and XLab confirm that Kimwolf targets a vast number of Android TV streaming box models, all of which lack any security protections, and many of which ship with pre-installed proxy malware. Generally, if a data packet can be sent to one of these devices, administrative control can also be seized. If you own a TV box that matches one of the listed model names and/or numbers, it is strongly advised to immediately disconnect it from your network. If you encounter such a device on the network of a family member or friend, share this story and explain that the potential hassle and harm caused by keeping them connected are not worth the convenience.