For the past week, the massive "Internet of Things" (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted network built to anonymize online communication. The disruption began as the Kimwolf botmasters, under pressure from takedown operations against the botnet's primary control servers, tried to use I2P as a fallback. Kimwolf emerged in late 2025 and quickly infected millions of poorly secured IoT devices, including TV streaming boxes, digital picture frames, and routers, turning them into relays for malicious traffic and unusually large distributed denial-of-service (DDoS) attacks.
I2P is a decentralized, privacy-focused network that lets people communicate and share information with a high degree of anonymity. The I2P website describes how it works: "It works by routing data through multiple encrypted layers across volunteer-operated nodes, hiding both the sender’s and receiver’s locations." The result is a censorship-resistant network used for private websites, messaging, and the sharing of sensitive data.

The first signs of trouble appeared on February 3rd, when users began reporting problems on the project's GitHub page. They described tens of thousands of new routers suddenly flooding the network and preventing legitimate users from reaching trusted peers. The new routers joined at an alarming rate, and none of them relayed any data, so the surge of dead peers effectively brought the network to a halt for existing users.
One I2P user asked on the GitHub thread whether the network was under attack. Another replied: "Looks like it. My physical router freezes when the number of connections exceeds 60,000." I2P developers confirmed the picture with a graph showing a sharp drop in successful connections across the network, a decline that coincided with the Kimwolf botnet's attempt to use I2P for fallback command-and-control (C2) communications.
On the same day the outages began, the people running Kimwolf admitted on their Discord channel that they had caused the I2P disruption by attempting to add some 700,000 Kimwolf-infected bots to the network as nodes. That admission ties the botnet's maneuvering directly to the network's collapse.

Kimwolf is best known for launching large DDoS attacks, but the outages caused by its attempt to join I2P are a "Sybil attack": a single malicious party destabilizes a peer-to-peer network by creating and controlling a very large number of fake, pseudonymous identities. Peer-to-peer networks are especially exposed because identities are cheap to create and hard to tie to a real operator. The number of Kimwolf-infected routers that tried to join I2P dwarfed the network's normal size. The Wikipedia entry for I2P says the network typically consists of about 55,000 computers worldwide, each acting as both router and client. Lance James, founder of the New York City-based cybersecurity consultancy Unit 221B and the original founder of I2P, gave KrebsOnSecurity a more current estimate: on any given day, I2P runs on roughly 15,000 to 20,000 devices.
Benjamin Brundage, founder of Synthient, a startup that tracks proxy services and was the first to document Kimwolf's aggressive spreading techniques, said the Kimwolf operators have been trying to build command-and-control (C2) infrastructure that security companies and network operators cannot easily take down. Those defenders have been working together to contain the botnet's spread. Brundage said the people behind Kimwolf have been experimenting with both I2P and the similar anonymity network Tor as backup C2 channels. Tor has seen no comparable disruption recently, which suggests the I2P experiment was the one run at scale.
"I don’t think their goal is to take I2P down," Brundage said. "It’s more that they’re looking for an alternative to keep the botnet stable in the face of takedown attempts." The aim, in other words, is C2 resilience rather than sabotage.
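As an added example, not code from I2P, from Kimwolf's operators or from anyone quoted here, the following Python puts the article's numbers into the Sybil framing and sketches the kind of check an operator watching network growth could run against the symptom reported on GitHub (a burst of new routers that never relay data). The 700,000 and 15,000 to 20,000 figures come from the article; the tunnel length, the telemetry rows and the alert thresholds are constructed assumptions.

```python
# Added example, not I2P or Kimwolf code: a back-of-the-envelope Sybil model
# using the article's figures, plus a simple detector for the symptom the
# GitHub reports describe (a burst of new routers that relay nothing).
# Tunnel length and the alert thresholds are assumptions for illustration.

HONEST_ROUTERS = 17_500   # midpoint of the 15,000-20,000 daily routers cited by Lance James
SYBIL_ROUTERS = 700_000   # bots the Kimwolf operators said they tried to add
TUNNEL_HOPS = 3           # assumed hop count; I2P tunnel length is user-configurable


def attacker_share(honest: int, sybil: int) -> float:
    """Fraction of all identities in the pool that the attacker controls."""
    return sybil / (honest + sybil)


def p_tunnel_all_honest(honest: int, sybil: int, hops: int) -> float:
    """Probability that a tunnel whose peers are drawn uniformly from the
    identity pool contains no attacker router.  Uses the with-replacement
    approximation, which is accurate when the pool is this large."""
    return (1.0 - attacker_share(honest, sybil)) ** hops


# Constructed daily telemetry: (new routers seen, how many of them relayed
# any data).  Seven quiet days, then a flood of dead peers.
TELEMETRY = [
    (310, 265), (290, 250), (330, 280), (300, 255),
    (320, 270), (295, 250), (305, 260),
    (42_000, 600),    # influx begins
    (65_000, 900),
]


def detect_sybil_influx(samples, baseline_days=7, rate_factor=5.0, dead_fraction=0.9):
    """Return the indexes of days that look like a Sybil flood.

    A day alerts when new-router arrivals exceed `rate_factor` times the
    baseline mean AND at least `dead_fraction` of those new routers never
    relayed traffic.  Counting arrivals alone would also fire on a legitimate
    surge of users; the non-relaying fraction is what separates a flood of
    hollow identities from real growth.
    """
    window = samples[:baseline_days]
    baseline = sum(new for new, _ in window) / len(window)
    alerts = []
    for day, (new, relaying) in enumerate(samples):
        if new == 0:
            continue
        dead = 1.0 - relaying / new
        if new >= rate_factor * baseline and dead >= dead_fraction:
            alerts.append(day)
    return alerts


if __name__ == "__main__":
    share = attacker_share(HONEST_ROUTERS, SYBIL_ROUTERS)
    print(f"attacker controls {share:.1%} of identities")
    print(f"P({TUNNEL_HOPS}-hop tunnel has no attacker peer) = "
          f"{p_tunnel_all_honest(HONEST_ROUTERS, SYBIL_ROUTERS, TUNNEL_HOPS):.2e}")
    print("alerting days:", detect_sybil_influx(TELEMETRY))
```

With the article's figures the attacker holds about 97.6% of identities, so a three-hop tunnel built from uniformly chosen peers has well under a one-in-ten-thousand chance of avoiding attacker routers entirely. The detector pairs the arrival spike with the share of new peers that carry no traffic, which is exactly the combination users described: tens of thousands of new routers, none of them relaying data.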

Kimwolf caused problems for Cloudflare late last year, when it began instructing millions of infected devices to use Cloudflare's DNS service. The resulting query volume repeatedly pushed Kimwolf's control domains above Amazon, Apple, Google, and Microsoft in Cloudflare's public rankings of the most requested websites, an example of how a botnet of this size can distort measurements of core internet infrastructure.
Lance James said the I2P network is currently running at roughly half its usual capacity, but a new release is being rolled out that should bring stability improvements to users over the coming week.
On a more encouraging note, Brundage said Kimwolf's operators appear to have recently alienated some of their more capable developers and operators, and that a "rookie mistake" this past week cost the botnet more than 600,000 infected systems. "It seems like they’re just testing stuff, like running experiments in production," Brundage said. "But the botnet’s numbers are dropping significantly now, and they don’t seem to know what they’re doing." The infighting may hasten the botnet's decline, but the episode shows how an IoT botnet built for DDoS can knock over an unrelated piece of internet infrastructure simply by trying to hide in it.

