For the past week, the massive "Internet of Things" (IoT) botnet known as Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users began reporting disruptions in the network around the same time the Kimwolf botmasters began relying on it to evade takedown attempts against the botnet’s control servers. This unprecedented event highlights a growing trend of botnets leveraging anonymity networks for their own nefarious purposes, thereby undermining the very principles of privacy and security these networks aim to protect.
Kimwolf, a formidable botnet that surfaced in late 2025, has rapidly infected millions of systems worldwide. Its primary modus operandi involves weaponizing poorly secured IoT devices, transforming everyday objects like TV streaming boxes, digital picture frames, and routers into powerful relays for malicious traffic. This has resulted in abnormally large distributed denial-of-service (DDoS) attacks, capable of overwhelming critical online infrastructure. The botnet’s emergence and its subsequent aggressive expansion have posed a significant threat to internet stability and cybersecurity, with its operators constantly seeking new and resilient methods to maintain command and control.
I2P, in contrast, stands as a beacon of decentralized privacy, offering users a sanctuary for anonymous communication and information sharing. Its intricate architecture works by routing data through multiple encrypted layers across a vast network of volunteer-operated nodes. This sophisticated process effectively obscures both the sender’s and the receiver’s geographical locations, creating a secure, censorship-resistant environment ideal for private websites, secure messaging, and sensitive data sharing. The I2P website eloquently describes its mission: "The result is a secure, censorship-resistant network designed for private websites, messaging, and data sharing."

The disruption to I2P began on February 3rd, when users started voicing their concerns on the organization’s GitHub page. They reported a sudden and overwhelming influx of tens of thousands of new routers, which were effectively choking the network and preventing legitimate users from establishing connections with established nodes. The experience was jarring: a rapidly increasing number of new systems joining the network, but critically, these new nodes were incapable of transmitting data. This mass infiltration overwhelmed the network’s capacity, leading to widespread connection failures and a significant degradation of service for existing I2P participants. One user, describing the critical impact, stated, "It looks like it. My physical router freezes when the number of connections exceeds 60,000."
This dramatic surge in network activity and subsequent degradation coincided precisely with the Kimwolf botnet’s attempt to integrate itself into the I2P ecosystem. On the very same day that I2P users began experiencing these severe outages, the individuals controlling the Kimwolf botnet posted a candid confession to their Discord channel. They admitted to accidentally disrupting I2P after a massive attempt to onboard 700,000 Kimwolf-infected bots as nodes within the network. This admission directly links the botnet’s operational maneuvers to the paralysis of the anonymity network.
While Kimwolf is primarily recognized for its prowess in launching devastating DDoS attacks, the outages experienced by I2P are a direct consequence of what cybersecurity experts classify as a "Sybil attack." This type of attack is particularly insidious in peer-to-peer networks, where a single malicious entity can subvert the system’s integrity by creating and controlling a vast number of fake, pseudonymous identities. By flooding the network with these fabricated nodes, the attacker can disrupt its normal operations, deny service to legitimate users, and potentially gain undue influence over network traffic.
The scale of the Kimwolf intrusion was staggering. The number of infected routers attempting to join I2P far surpassed the network’s normal operational capacity. Official figures suggest that the I2P network typically comprises around 55,000 computers distributed globally, with each participant functioning as both a router and a client. However, Lance James, founder of the cybersecurity consultancy Unit 221B and the original founder of I2P, provided a more current estimate, stating that the network generally consists of between 15,000 and 20,000 devices on any given day. The influx of hundreds of thousands of Kimwolf bots dwarfs these numbers, demonstrating the botnet’s immense scale and its capacity for overwhelming even resilient decentralized systems. An I2P user posted a graph on February 10th, starkly illustrating this phenomenon, showing tens of thousands of routers—predominantly from the United States—simultaneously attempting to join the network.
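As an added illustration (not code from the article, from I2P, or from any of the firms quoted), the following Python sketches how a peer-to-peer node could score its peer table for the three symptoms described above, a newcomer count out of proportion to the 15,000 to 20,000 routers normally present, newcomers that relay no data, and newcomers concentrated in a few address blocks, and then cap admissions of unproven peers per /16 so that established routers keep connecting. The Peer record, the thresholds, the /16 aggregation and every address are assumptions; the sample table is constructed.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Peer:
    ip: str
    first_seen: int     # epoch seconds when this router first announced itself to us
    bytes_relayed: int  # application data it has actually forwarded for us

def prefix(ip: str, bits: int = 16) -> str:
    """Aggregate an address to its /16: a cheap stand-in for 'same operator or hoster'."""
    return str(ip_network(f"{ip}/{bits}", strict=False))

def sybil_indicators(peers, now, window=3600, baseline=20000):
    """Score the peer table for the three surge symptoms: newcomers out of proportion to
    the network's normal size, newcomers that relay nothing, and newcomers clustered in
    a few address blocks. Thresholds are assumed, not taken from I2P."""
    new = [p for p in peers if now - p.first_seen <= window]
    if not new:
        return {"new_ratio": 0.0, "idle_ratio": 0.0, "top_prefix_share": 0.0, "sybil_suspected": False}
    idle = sum(1 for p in new if p.bytes_relayed == 0)
    top_count = Counter(prefix(p.ip) for p in new).most_common(1)[0][1]
    ind = {
        "new_ratio": len(new) / baseline,          # newcomers relative to normal network size
        "idle_ratio": idle / len(new),             # share of newcomers carrying no traffic
        "top_prefix_share": top_count / len(new),  # share from the single busiest /16
    }
    ind["sybil_suspected"] = (ind["new_ratio"] > 0.25 and ind["idle_ratio"] > 0.9
                              and ind["top_prefix_share"] > 0.2)
    return ind

def admit(peers, candidate, now, window=3600, cap_per_prefix=50):
    """Admission control: accept a newcomer only while its /16 holds fewer than
    cap_per_prefix unproven (recent and idle) peers. Routers that already relay
    traffic never count against the cap, so legitimate peers keep connecting."""
    unproven = sum(1 for p in peers if prefix(p.ip) == prefix(candidate.ip)
                   and now - p.first_seen <= window and p.bytes_relayed == 0)
    return unproven < cap_per_prefix

# Constructed sample table: 200 long-lived routers spread over 200 different /16s,
# then a burst of 6,000 idle newcomers from only two /16s (all values illustrative).
NOW = 1_770_000_000
ESTABLISHED = [Peer(f"10.{i}.0.1", NOW - 30 * 86400, 5_000_000) for i in range(200)]
BURST = [Peer(f"198.51.{i // 256}.{i % 256}", NOW - 600, 0) for i in range(3000)] + \
        [Peer(f"203.0.{i // 256}.{i % 256}", NOW - 600, 0) for i in range(3000)]

if __name__ == "__main__":
    print(sybil_indicators(ESTABLISHED + BURST, NOW))
    print(admit(ESTABLISHED + BURST, Peer("198.51.200.7", NOW, 0), NOW))  # False: prefix saturated
```

On the constructed table the burst trips all three indicators, while a newcomer from an address block with no unproven peers is still admitted.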

Benjamin Brundage, founder of Synthient, a startup specializing in tracking proxy services and the first to meticulously document Kimwolf’s unique spreading techniques, offered further insight into the botnet’s motivations. Brundage explained that the operators behind Kimwolf have been actively working to construct a command and control (C2) network that is inherently resistant to takedown efforts by cybersecurity firms and network operators collaborating to combat the botnet’s proliferation. Brundage revealed that the Kimwolf controllers have been experimenting with both I2P and its more widely known counterpart, Tor, as potential backup C2 networks. While there have been no widespread disruptions reported on the Tor network recently, the strategic intent is clear: to establish redundant and difficult-to-disrupt communication channels.
"I don’t think their goal is to take I2P down," Brundage stated, clarifying the immediate intent. "It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts." This highlights a critical shift in botnet operations, where the focus is not solely on destructive attacks but also on building resilient infrastructure for long-term control.
The Kimwolf botnet had previously caused significant challenges for major internet infrastructure providers. Late last year, it instructed millions of infected devices to utilize Cloudflare’s Domain Name System (DNS) settings. This tactic caused control domains associated with Kimwolf to repeatedly usurp the rankings of established giants like Amazon, Apple, Google, and Microsoft in Cloudflare’s public metrics for the most frequently requested websites. This demonstrated Kimwolf’s sophisticated ability to manipulate traffic and its potential to disrupt the perceived stability of even the largest online services.
Despite the significant disruption, the I2P network is showing signs of recovery. Lance James reported that the network is currently operating at approximately half of its normal capacity. A new release is being deployed, which is expected to introduce stability improvements over the coming week, offering a degree of relief to affected users.

On a more optimistic note, Brundage pointed out that recent events may have inadvertently weakened Kimwolf’s operational capabilities. He indicated that the botnet’s overlords appear to have recently alienated some of their more competent developers and operators. This internal friction may have led to a rookie mistake this past week, resulting in a significant drop of over 600,000 infected systems from the botnet’s overall numbers. "It seems like they’re just testing stuff, like running experiments in production," Brundage commented. "But the botnet’s numbers are dropping significantly now, and they don’t seem to know what they’re doing." This suggests that while botnets like Kimwolf are evolving, their operators may also be prone to critical errors, especially when under pressure and facing internal discord. The ongoing cat-and-mouse game between botnet operators and cybersecurity defenders continues, with each side constantly adapting its strategies.

