Our initial report in early 2026 unveiled the pervasive reach of the new and destructive Kimwolf botnet, which had infiltrated over two million devices, primarily through the mass compromise of numerous unofficial Android TV streaming boxes. This investigation delves deeper into the digital breadcrumbs left behind, illuminating the cybercriminals, network operators, and services that have demonstrably profited from Kimwolf’s widespread proliferation. The malicious software, responsible for transforming infected devices into participants in distributed denial-of-service (DDoS) attacks and conduits for illicit internet traffic, is often surreptitiously bundled with mobile applications and games. Kimwolf specifically targets residential proxy software that comes pre-installed on over a thousand different models of unsanctioned Android TV streaming devices. Consequently, the internet addresses associated with these compromised devices rapidly become conduits for traffic linked to ad fraud, account takeover attempts, and large-scale content scraping.

Who Benefited from the Aisuru and Kimwolf Botnets?

The Chinese security firm XLab, in a comprehensive report published on December 17, 2025, provided definitive evidence that the same malicious actors and underlying infrastructure were responsible for deploying both Kimwolf and its predecessor, the Aisuru botnet. Aisuru, an earlier iteration, also enslaved devices for DDoS attacks and proxy services. XLab’s suspicions, initially formed in October 2025 based on shared code evolution, were solidified on December 8 when both botnet strains were observed being distributed from the same Internet address: 93.95.112[.]59. This IP address range is publicly registered to Resi Rack LLC, a company based in Lehi, Utah. While Resi Rack’s website promotes itself as a "Premium Game Server Hosting Provider," advertisements on the online moneymaking forum BlackHatWorld explicitly identify it as a "Premium Residential Proxy Hosting and Proxy Software Solutions Company."

Cassidy Hales, co-founder of Resi Rack, confirmed that his company received a notification on December 10, 2025, detailing Kimwolf’s exploitation of their network by one of their clients. Hales stated, "When we received this email we took care of this issue immediately. This is something we are very disappointed is now associated with our name and this was not the intention of our company whatsoever." The specific Resi Rack IP address identified by XLab had already come to the attention of KrebsOnSecurity over two weeks prior. Benjamin Brundage, founder of Synthient, a startup specializing in tracking proxy services, reported in late October 2025 that individuals selling proxy services benefiting from the Aisuru and Kimwolf botnets were operating from a new Discord server named resi[.]to.

Upon joining the resi[.]to Discord channel as a silent observer in late October 2025, Brundage noted fewer than 150 members, including "Shox," the alias used by Resi Rack’s co-founder Mr. Hales, and his business partner "Linus," who did not respond to inquiries. Members of the resi[.]to Discord channel regularly posted new IP addresses responsible for proxying traffic from the Kimwolf botnet. Evidence, including a screenshot from resi[.]to, indicates that the Resi Rack IP address flagged by XLab was actively used by Kimwolf to route proxy traffic as early as November 24, 2025, and potentially earlier. Synthient’s tracking revealed at least seven static Resi Rack IP addresses linked to Kimwolf’s proxy infrastructure between October and December 2025. Neither of Resi Rack’s co-owners provided further comment to follow-up questions. Both individuals have been active in selling proxy services via Discord for nearly two years. Flashpoint, a cyber intelligence firm, reviewed Discord messages indicating that "Shox" and "Linus" spent much of 2024 selling static "ISP proxies" by rerouting blocks of IP addresses from major U.S. Internet service providers.

However, in February 2025 AT&T announced that, effective July 31, 2025, it would no longer originate routes for network blocks it did not own and manage, a move echoed by other major ISPs. In response, "Shox" and "Linus" informed their customers in March 2025 that they would soon cease offering static ISP proxies.

The stated owner of the resi[.]to Discord server operated under the abbreviated username "D.," believed to be short for the hacker handle "Dort," a nickname that appeared frequently in the Discord communications. "Dort" also came up in recent conversations with "Forky," a Brazilian individual who admitted to marketing the Aisuru botnet at its inception in late 2024. Forky vehemently denied any involvement in the massive, record-breaking DDoS attacks in the latter half of 2025 attributed to Aisuru, claiming the botnet had been taken over by rivals by that point. Forky asserts that Dort is a Canadian resident and one of at least two individuals currently controlling the Aisuru/Kimwolf botnet, the other being known by the nickname "Snow."

On January 2, 2026, mere hours after the initial Kimwolf story was published, historical chat records on resi[.]to were abruptly erased and replaced with a profanity-laced message targeting Synthient’s founder. Shortly thereafter, the entire server disappeared. Later that same day, several active members of the defunct resi[.]to Discord server migrated to a Telegram channel. There, they posted Brundage’s personal information and expressed frustration over their inability to secure reliable "bulletproof" hosting for their botnet. Amusingly, a user named "Richard Remington" briefly appeared on the Telegram server, posting a crude "Happy New Year" sketch claiming Dort and Snow now control 3.5 million devices infected by Aisuru and/or Kimwolf. Richard Remington’s Telegram account has since been deleted, but it previously indicated that its owner operates a website catering to DDoS-for-hire or "stresser" services.

Synthient’s research also identified ByteConnect, a software development kit (SDK) distributed by Plainproxies, as another proxy provider heavily involved in the sale of Kimwolf proxies. ByteConnect claims to specialize in "monetizing apps ethically and free," while Plainproxies advertises the ability to provide "unlimited" proxy pools for content scraping companies. However, Synthient observed a massive influx of credential-stuffing attacks targeting email servers and popular online websites upon connecting to ByteConnect’s SDK. LinkedIn profiles reveal Friedrich Kraft as the CEO of Plainproxies and co-founder of ByteConnect Ltd. Public Internet routing records indicate Mr. Kraft also operates a German hosting firm, 3XK Tech GmbH. Mr. Kraft did not respond to repeated interview requests.

Cloudflare reported in July 2025 that 3XK Tech had become the Internet’s largest source of application-layer DDoS attacks. In November 2025, GreyNoise Intelligence found that IP addresses associated with 3XK Tech were responsible for approximately three-quarters of the Internet scanning conducted at the time for a critical vulnerability in Palo Alto Networks security products. Julia Levi, listed as co-founder of ByteConnect and an employee of Plainproxies, also did not respond to requests for comment. Her resume indicates previous employment with major proxy providers Netnut Proxy Network and Bright Data. Synthient noted that Plainproxies ignored their outreach, and the ByteConnect SDK remains active on devices compromised by Kimwolf.

Synthient’s January 2 report further highlighted Maskify as another proxy provider significantly involved in the sale of Kimwolf proxies, currently advertising over six million residential Internet addresses for rent on multiple cybercrime forums. Maskify prices its services at an exceptionally low rate of 30 cents per gigabyte of data relayed through their proxies, a price point described as "insanely low" and significantly cheaper than other current proxy providers. The Synthient report noted, "Synthient’s Research Team received screenshots from other proxy providers showing key Kimwolf actors attempting to offload proxy bandwidth in exchange for upfront cash. This approach likely helped fuel early development, with associated members spending earnings on infrastructure and outsourced development tasks. Please note that resellers know precisely what they are selling; proxies at these prices are not ethically sourced." Maskify also did not respond to requests for comment.

Hours after the initial Kimwolf story was published, the resi[.]to Discord server vanished, Synthient’s website was subjected to a DDoS attack, and the Kimwolf botmasters resorted to doxing Brundage through their botnet. Harassing messages were uploaded as text records to the Ethereum Name Service (ENS), a decentralized system supporting smart contracts on the Ethereum blockchain. As documented by XLab, Kimwolf operators upgraded their infrastructure in mid-December 2025, utilizing ENS to better withstand takedown efforts targeting their control servers. By directing infected systems to locate Kimwolf control servers via ENS, the botmasters can update the ENS text record with a new IP address if their control servers are compromised, ensuring infected devices can still receive instructions. XLab noted, "This channel itself relies on the decentralized nature of blockchain, unregulated by Ethereum or other blockchain operators, and cannot be blocked."
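As an added illustration of the ENS rendezvous described above (example code written for this page, not from XLab, Synthient or the botnet itself), the following decodes the ABI-encoded string that an ENS resolver's text() call returns, which is what an analyst would do with a device's captured JSON-RPC traffic to recover the published control-server pointer for blocklisting. The sample reply and the 203.0.113.10:4433 value are constructed placeholders, and the plain ip:port record format is an assumption; the page does not state how Kimwolf encodes the pointer.

```python
import ipaddress
import json


def abi_encode_string(value: str) -> str:
    """ABI-encode one dynamic string return value: 32-byte offset, 32-byte length, padded data."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def abi_decode_string(hexdata: str) -> str:
    """Decode the string returned by an ENS resolver text(bytes32,string) call, with bounds checks."""
    raw = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(raw) < 64:
        raise ValueError("too short for an ABI-encoded string")
    offset = int.from_bytes(raw[:32], "big")
    if offset + 32 > len(raw):
        raise ValueError("offset points outside payload")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared length exceeds payload")
    return raw[start:start + length].decode("utf-8", errors="replace")


def extract_c2_candidate(rpc_reply: str):
    """Return (ip, port) if the decoded text record looks like an ip:port pointer, else None."""
    reply = json.loads(rpc_reply)
    if reply.get("result") in (None, "", "0x"):
        return None  # no resolver / empty record: nothing published yet
    text = abi_decode_string(reply["result"])
    host, sep, port = text.rpartition(":")
    if not sep or not port.isdigit():
        return None  # assumed ip:port layout not present
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return str(ip), int(port)


def make_reply(text: str) -> str:
    """Build a constructed eth_call JSON-RPC reply carrying the given text record value."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "result": abi_encode_string(text)})


# Constructed sample: placeholder pointer in the TEST-NET-3 documentation range, not a real indicator.
SAMPLE_REPLY = make_reply("203.0.113.10:4433")
```

Pointers recovered this way can be fed to an egress blocklist; since the operators can republish a new value in the record at any time, the lookup itself needs to be repeated rather than treated as a one-off indicator.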

The ENS text records associated with Kimwolf’s instructions can also contain taunting messages, such as those that disseminated Brundage’s personal information. Other ENS records linked to Kimwolf offered a chilling piece of advice: "If flagged, we encourage the TV box to be destroyed." Both Synthient and XLab confirm that Kimwolf targets a vast array of Android TV streaming box models, many of which lack any security protections and are shipped with pre-installed proxy malware. In general, any device that can be reached with a data packet can be taken over and controlled at the administrative level. Owners of TV boxes matching the listed models are strongly advised to disconnect them from their networks. For those encountering such devices on the networks of friends or family, sharing this information and explaining the potential risks is crucial, as keeping them connected is not worth the associated hassle and harm.