Kimwolf, a botnet that has infected more than two million devices, most of them unofficial Android TV streaming boxes, left enough digital breadcrumbs to trace the people and services that have profited from its growth. This follow-up to the initial Kimwolf story, which described the botnet's destructive capabilities, looks at the cybercriminals, network operators and proxy services behind that growth. According to the Chinese security firm XLab, the malware behind Kimwolf not only launches distributed denial-of-service (DDoS) attacks but also relays malicious Internet traffic, powering the fast-growing "residential proxy" industry.

Who Benefited from the Aisuru and Kimwolf Botnets?

Residential proxy services typically get onto devices by being bundled with otherwise innocuous mobile apps and games. Kimwolf went further: it targeted residential proxy software that ships pre-installed on more than a thousand models of unofficial Android TV streaming boxes. Once a box is infected, its Internet address becomes a conduit for ad fraud, account takeover attempts and large-scale content scraping against legitimate online businesses.

XLab's analysis also found "definitive evidence" that the same actors and the same infrastructure deployed both Kimwolf and its predecessor, the Aisuru botnet, which likewise enslaved devices for DDoS attacks and proxy services. XLab had suspected since October 2025 that the two botnets shared authorship and operational control; the suspicion was confirmed on December 8, 2025, when researchers observed both being distributed from a single Internet address: 93.95.112[.]59.

Public records tie that address range to Resi Rack LLC of Lehi, Utah. Resi Rack's website describes the company as a "Premium Game Server Hosting Provider," but its advertisements on the online moneymaking forum BlackHatWorld describe a "Premium Residential Proxy Hosting and Proxy Software Solutions Company." Cassidy Hales, a Resi Rack co-founder, said the company received a notification on December 10, 2025 about Kimwolf's use of its network, specifically "what was being done by one of our customers leasing our servers." Hales said the company acted "immediately" on the notification and was disappointed to see its name tied to such activity, which was "not the intention of our company whatsoever."

The Resi Rack address that XLab flagged had been on KrebsOnSecurity's radar for more than two weeks before XLab's report. In late October 2025, Benjamin Brundage, founder of the proxy-tracking startup Synthient, said that people selling proxy services that profited from Aisuru and Kimwolf were operating out of a newly created Discord server called resi[.]to. Brundage joined resi[.]to as a silent observer in late October and found fewer than 150 members, among them "Shox," the handle used by Resi Rack co-founder Hales, and his business partner "Linus," who did not respond to requests for comment.

Members of resi[.]to routinely posted new IP addresses that were proxying traffic through the Kimwolf botnet. A screenshot from the server shows the Resi Rack address flagged by XLab directing Kimwolf proxy traffic as early as November 24, 2025, and possibly earlier. Synthient identified at least seven static Resi Rack IP addresses tied to Kimwolf's proxy infrastructure between October and December 2025. Neither Resi Rack co-owner answered follow-up questions. Both have sold proxy services via Discord for almost two years: Discord messages indexed by the cyber intelligence firm Flashpoint show that Shox and Linus spent much of 2024 selling static "ISP proxies" by routing Internet address blocks from major U.S. Internet service providers.

That business changed in early 2025, when AT&T announced that as of July 31, 2025 it would no longer originate routes for network blocks it did not own and manage, a policy other major ISPs soon adopted. Less than a month after the announcement, Shox and Linus told customers they would stop offering static ISP proxies because of it.

The listed owner of the resi[.]to Discord server used the one-letter username "D," most likely short for the hacker handle "Dort," which came up frequently in the server's conversations. The same alias surfaced in recent conversations between KrebsOnSecurity and "Forky," a Brazilian who previously admitted helping market Aisuru in late 2024. Forky denies any part in the record-breaking DDoS attacks attributed to Aisuru in the second half of 2025, saying the botnet had by then been taken over by rivals. According to Forky, Dort lives in Canada and is one of at least two people currently controlling the Aisuru/Kimwolf botnet; the other, Forky says, goes by the nickname "Snow."

On January 2, 2026, hours after the first Kimwolf story ran, the chat history on resi[.]to was wiped and replaced with a profanity-laced message aimed at Synthient's founder. Minutes later the whole server was gone. Later that day several of its most active members regrouped on a Telegram channel, where they posted Brundage's personal information and complained about how hard it had become to find reliable "bulletproof" hosting for their botnet. A user calling himself "Richard Remington" briefly appeared in the Telegram group to post a crude "Happy New Year" sketch claiming that Dort and Snow now controlled roughly 3.5 million devices infected with either Aisuru or Kimwolf. The Richard Remington account has since been deleted, but it previously indicated that its owner ran a DDoS-for-hire or "stresser" website.

Synthient's January 2, 2026 report also named another proxy provider heavily involved in selling Kimwolf proxies: Maskify, which advertises on several cybercrime forums and claims to offer more than six million residential Internet addresses for rent. Maskify charges just 30 cents per gigabyte of data relayed through its proxies, a price Synthient says is far below that of any legitimate proxy provider. Synthient's researchers also received screenshots from other proxy providers showing key Kimwolf actors trying to sell proxy bandwidth for immediate cash, which the report suggests funded early development, with members reinvesting the proceeds in infrastructure and outsourced development work. The report is blunt about the buyers: "resellers know precisely what they are selling; proxies at these prices are not ethically sourced." Maskify did not respond to requests for comment.

Within hours of the first Kimwolf story, the resi[.]to Discord server vanished, Synthient's website came under DDoS attack, and the Kimwolf botmasters doxed Brundage through the botnet itself. The harassing messages were published as text records on the Ethereum Name Service (ENS), a naming system built on the Ethereum blockchain. As XLab documented, the Kimwolf operators had added ENS to their infrastructure in mid-December 2025 to survive the repeated takedowns of the botnet's control servers. Bots look up the current control server in an ENS text record; when a server is taken down, the operators simply write the new address into the record, and infected devices pick it up on their next lookup. Because the record can only be changed by whoever controls the ENS name, and no Ethereum operator can remove it, XLab observed that "this channel itself relies on the decentralized nature of blockchain, unregulated by Ethereum or other blockchain operators, and cannot be blocked." One caveat for defenders: the record itself cannot be taken down, but a bot still has to query an Ethereum node or a public gateway to read it, and that lookup is ordinary network traffic that can be monitored or blocked at the network edge.

Kimwolf's ENS text records also carried short taunting messages, including ones containing Brundage's personal information. Another Kimwolf ENS record offered this advice: "If flagged, we encourage the TV box to be destroyed." Synthient and XLab agree that Kimwolf targets a large number of Android TV streaming box models, none of which has meaningful security protections and many of which ship with proxy malware pre-installed. Any such device that can receive traffic from the Internet can also be administered from it. Users should remove these devices from their networks: if an Android TV box matches a model in the CSV file accompanying the original report, disconnect it now. Tell friends and family about the risks of these boxes and urge them to unplug theirs; it will spare them the harm and hassle the devices create.