For the past week, the massive "Internet of Things" (IoT) botnet known as Kimwolf has been causing significant disruptions within The Invisible Internet Project (I2P), a decentralized, encrypted communications network engineered to provide anonymity and security for online communications. I2P users began reporting widespread connectivity issues and performance degradation around the same time that the botmasters behind Kimwolf started leveraging the network to evade ongoing takedown efforts targeting the botnet’s control servers. This incident highlights a growing trend of sophisticated botnets exploiting and impacting privacy-centric infrastructure, raising serious questions about the resilience of decentralized networks against overwhelming resource exhaustion attacks.
Kimwolf, a botnet that first emerged in late 2025, has rapidly escalated into a formidable threat, infecting millions of poorly secured IoT devices. These compromised devices, ranging from smart TV streaming boxes and digital picture frames to home routers, have been repurposed as covert relays for malicious traffic. The botnet has been instrumental in launching abnormally large and disruptive distributed denial-of-service (DDoS) attacks, as previously documented in reports of the related Aisuru botnet, which blanketed US ISPs with record-breaking DDoS activity. The infiltration and exploitation of these ubiquitous, often overlooked devices underscore the expanding attack surface available to cybercriminals.
I2P, at its core, is designed to be a privacy-focused, decentralized network that empowers users to communicate and share information with a high degree of anonymity. Its architecture relies on routing data through multiple encrypted layers across a global network of volunteer-operated nodes. This intricate process effectively masks both the sender’s and receiver’s geographical locations, creating a secure, censorship-resistant environment conducive to private websites, secure messaging, and confidential data sharing. The inherent distributed nature of I2P is intended to make it resilient to single points of failure and external control, a principle that has now been severely tested.

The crisis within I2P began to manifest on February 3rd, when users started voicing their concerns on the organization’s GitHub page. Reports detailed a sudden and alarming surge of tens of thousands of new routers overwhelming the network, effectively choking off legitimate communication channels for existing users. Participants described a rapidly escalating number of new nodes joining the network, many of which were incapable of transmitting data. This deluge of compromised systems, acting as artificial nodes, overwhelmed the network’s capacity to the point where established users found themselves unable to connect to the I2P network at all. The visual evidence, captured in screenshots of GitHub discussions, starkly illustrated the user frustration and the emergent crisis.
In response to these widespread outages, users on the I2P platform began to speculate about the cause. When one user directly questioned whether the network was under attack, another user confirmed their suspicions, stating, "Looks like it. My physical router freezes when the number of connections exceeds 60,000." This personal account underscored the direct impact of the overwhelming traffic on individual network participants and their hardware. Further analysis by I2P developers, visualized in a graph shared by network engineers, showed a precipitous drop in successful connections coinciding precisely with the period when the Kimwolf botnet began its attempt to integrate with the I2P network for fallback communications.
The timing of these disruptions was not coincidental. On the very same day that I2P users began experiencing severe network degradation, the individuals orchestrating the Kimwolf botnet made a revealing post on their Discord channel. They openly admitted to inadvertently causing the outages within I2P after attempting to integrate a staggering 700,000 Kimwolf-infected bots as nodes onto the network. This candid confession, captured in a screenshot from the Discord channel, directly linked the botnet’s actions to the I2P network’s paralysis.
While Kimwolf is primarily recognized for its potent capabilities in launching large-scale DDoS attacks, the recent disruptions within I2P are a prime example of a "Sybil attack." This type of attack is particularly insidious in peer-to-peer networks, where a single malicious entity can cripple a system by creating and controlling a vast number of fake, pseudonymous identities. By flooding the network with these fabricated nodes, the attacker can effectively drown out legitimate traffic and disrupt the network’s intended functionality. The sheer volume of Kimwolf-infected routers attempting to join I2P was orders of magnitude greater than the network’s typical operational size.

According to I2P’s Wikipedia page, the network typically comprises around 55,000 computers distributed globally, with each participant functioning as both a router and a client. However, Lance James, founder of the cybersecurity consultancy Unit 221B and an original founder of I2P, provided a more current estimate to KrebsOnSecurity, stating that the entire I2P network likely consists of between 15,000 and 20,000 active devices on any given day. This figure dramatically highlights the disproportionate impact of the Kimwolf botnet’s intrusion, which attempted to inject hundreds of thousands of nodes. An I2P user shared a graph on February 10th illustrating this surge, showing tens of thousands of routers, predominantly from the United States, suddenly attempting to join the network.
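To make the Sybil arithmetic in the two paragraphs above concrete, the following Python model is added here (it is not code from the article, from I2P, or from anyone quoted). It uses the article's own figures (15,000 to 20,000 legitimate routers, roughly 700,000 bots); the fixed hop count and uniform random peer selection are simplifying assumptions of the model, not a description of I2P's real peer-profiling behaviour.

```python
import random

# Figures quoted in the article: 15,000-20,000 legitimate routers on a normal
# day and roughly 700,000 bots pushed into the network. The tunnel model
# (uniform random peer selection, fixed hop count, Sybil nodes never relay) is
# a simplifying assumption of this example, not I2P's actual peer selection,
# which profiles peers and avoids ones that keep failing.
LEGIT_ROUTERS = 20_000
SYBIL_ROUTERS = 700_000
HOPS = 3  # assumed hop count for one tunnel


def sybil_fraction(legit: int, sybil: int) -> float:
    """Share of known router identities that the attacker controls."""
    return sybil / (legit + sybil)


def tunnel_success_probability(legit: int, sybil: int, hops: int) -> float:
    """Probability that every hop of a tunnel lands on a router that can
    relay, when each hop is drawn uniformly from all known identities."""
    good = 1.0 - sybil_fraction(legit, sybil)
    return good ** hops


def simulate_tunnel_builds(legit: int, sybil: int, hops: int,
                           attempts: int, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: fraction of tunnel builds that
    succeed when a build fails as soon as one hop is a non-relaying Sybil."""
    rng = random.Random(seed)
    total = legit + sybil
    succeeded = 0
    for _ in range(attempts):
        if all(rng.randrange(total) < legit for _ in range(hops)):
            succeeded += 1
    return succeeded / attempts


def success_after_filtering(legit: int, sybil: int, hops: int,
                            rejected_share: float) -> float:
    """Mitigation view: if a liveness/reachability check rejects a given share
    of the non-relaying identities before peer selection, how much tunnel-build
    success is recovered."""
    remaining_sybil = int(sybil * (1.0 - rejected_share))
    return tunnel_success_probability(legit, remaining_sybil, hops)


if __name__ == "__main__":
    print(f"Sybil share: {sybil_fraction(LEGIT_ROUTERS, SYBIL_ROUTERS):.3%}")
    print(f"{HOPS}-hop success, no filtering: "
          f"{tunnel_success_probability(LEGIT_ROUTERS, SYBIL_ROUTERS, HOPS):.2e}")
    for share in (0.0, 0.9, 0.99):
        p = success_after_filtering(LEGIT_ROUTERS, SYBIL_ROUTERS, HOPS, share)
        print(f"reject {share:.0%} of Sybils -> success {p:.3f}")
```

With the article's numbers the attacker holds about 97% of identities, so a three-hop tunnel built by uniform selection succeeds roughly once in 47,000 attempts, which is the mechanism behind the "precipitous drop in successful connections" described above.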
Benjamin Brundage, founder of Synthient, a startup specializing in tracking proxy services and the first to document Kimwolf’s unique spreading techniques, explained the strategic motivation behind the botnet operators’ actions. Brundage noted that the Kimwolf operator(s) have been actively attempting to construct a command and control (C2) network that is resilient to takedown attempts by coordinated security firms and network operators. Their experimentation with I2P and the similar anonymity network Tor represents a strategic effort to establish robust backup C2 infrastructure. While there have been no recent reports of widespread disruptions within the Tor network, the exploration of such privacy-enhancing technologies by botnet operators underscores their increasing sophistication.
Brundage further elaborated on the botnet operators’ objectives, stating, "I don’t think their goal is to take I2P down. It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts." This perspective reframes the I2P incident not as a direct attack on the anonymity network itself, but as a collateral consequence of the botnet’s survival strategy.
The Kimwolf botnet had previously created significant challenges for Cloudflare late last year. At that time, it was directing millions of infected devices to use Cloudflare’s public domain name system (DNS) service. This tactic caused control domains associated with Kimwolf to repeatedly supplant major services like Amazon, Apple, Google, and Microsoft in Cloudflare’s public rankings of the most frequently requested websites. This demonstrates a pattern of exploiting widely used infrastructure for malicious purposes.

Despite the significant disruption, Lance James indicated that the I2P network is still functioning at approximately half of its normal capacity. A new software release is currently being deployed, which is expected to introduce stability improvements for users over the coming week.
On a more positive note for cybersecurity efforts, Brundage shared that Kimwolf’s overlords appear to have recently alienated some of their more competent developers and operators. This internal friction may have contributed to a rookie mistake that led to a substantial drop in the botnet’s overall numbers, with over 600,000 infected systems disappearing in the aftermath of the I2P incident. Brundage’s assessment of the situation is stark: "It seems like they’re just testing stuff, like running experiments in production. But the botnet’s numbers are dropping significantly now, and they don’t seem to know what they’re doing." This suggests a potential decline in the operational sophistication of the Kimwolf botnet, offering a glimmer of hope in the ongoing battle against these pervasive threats. The incident serves as a critical case study on the vulnerabilities of decentralized networks and the evolving tactics of sophisticated botnets.