Our initial investigation in early 2026 illuminated the alarming proliferation of the Kimwolf botnet, a sophisticated cyber threat that had already ensnared over two million devices, primarily through the mass exploitation of insecure, unofficial Android TV streaming boxes. This deeper dive into the digital breadcrumbs left behind by the perpetrators reveals a complex ecosystem of cybercriminals, network operators, and service providers who have reaped significant benefits from Kimwolf’s widespread dissemination. The revelations also shed light on the shadowy origins and evolution of this botnet, tracing its lineage back to an earlier iteration known as Aisuru.

Who Benefited from the Aisuru and Kimwolf Botnets?

On December 17, 2025, the Chinese cybersecurity firm XLab published a comprehensive analysis of Kimwolf, detailing its malicious functionalities. The botnet compels infected devices to participate in distributed denial-of-service (DDoS) attacks and to act as relays for abusive and malicious internet traffic, facilitating so-called "residential proxy" services. These residential proxy capabilities are often surreptitiously bundled with mobile applications and games. Kimwolf, in particular, exploited residential proxy software that was factory-installed on a staggering array of over a thousand different models of unsanctioned Android TV streaming devices. The consequences of this exploitation are dire: the IP addresses of these compromised devices are rapidly leveraged to funnel traffic associated with ad fraud, account takeover attempts, and extensive content scraping operations.

Crucially, the XLab report presented "definitive evidence" that the same cybercriminal actors and underlying infrastructure were responsible for both the deployment of Kimwolf and its predecessor, the Aisuru botnet. Aisuru, an earlier iteration, also enslaved devices for participation in DDoS attacks and proxy services. XLab had harbored suspicions since October 2025 that Kimwolf and Aisuru shared common authors and operators, partly due to observed similarities in code evolution. However, these suspicions were solidified on December 8, 2025, when researchers observed both botnet strains being distributed from the same Internet address: 93.95.112[.]59.

Publicly available records link this specific IP address range to Lehi, Utah-based Resi Rack LLC. While Resi Rack’s website promotes itself as a "Premium Game Server Hosting Provider," its advertisements on the online money-making forum BlackHatWorld paint a different picture, describing the company as a "Premium Residential Proxy Hosting and Proxy Software Solutions Company." Cassidy Hales, a co-founder of Resi Rack, acknowledged receiving a notification on December 10, 2025, regarding Kimwolf’s utilization of their network. He stated that his company took immediate action upon receiving details about a customer’s activities. "This is something we are very disappointed is now associated with our name and this was not the intention of our company whatsoever," Hales wrote in response to inquiries.

The specific Resi Rack IP address flagged by XLab on December 8 had already come to the attention of KrebsOnSecurity over two weeks prior. Benjamin Brundage, founder of Synthient, a company specializing in tracking proxy services, noted in late October 2025 that individuals selling proxy services that benefited from the Aisuru and Kimwolf botnets were operating from a new Discord server named resi[.]to. Upon joining the resi[.]to Discord channel as a silent observer in late October, KrebsOnSecurity found fewer than 150 members. Among them were "Shox," the alias used by Resi Rack co-founder Cassidy Hales, and his business partner "Linus," who did not respond to requests for comment.

Other members of the resi[.]to Discord channel regularly posted new IP addresses responsible for proxying traffic through the Kimwolf botnet. As illustrated by a screenshot from resi[.]to, the Resi Rack IP address identified by XLab was already being used by Kimwolf for proxy traffic as early as November 24, 2025, and potentially before. Synthient reported tracking at least seven static Resi Rack IP addresses connected to Kimwolf proxy infrastructure between October and December 2025. Neither of Resi Rack’s co-owners provided further comment when contacted again. Both have been active in selling proxy services via Discord for nearly two years. Analysis of Discord messages, as indexed by the cyber intelligence firm Flashpoint, revealed that Shox and Linus spent much of 2024 selling static "ISP proxies" by rerouting various IP address blocks from major U.S. Internet service providers. However, in February 2025, AT&T announced a policy change, effective July 31, 2025, to cease originating routes for network blocks not owned and managed by AT&T. Similar policy shifts followed from other major ISPs. Less than a month later, Shox and Linus informed their customers that they would discontinue offering static ISP proxies due to these policy changes.

The individual identified as the owner of the resi[.]to Discord server used the abbreviated username "D." This initial is believed to be short for the hacker handle "Dort," a name frequently mentioned in the Discord conversations. This "Dort" alias surfaced in recent discussions between KrebsOnSecurity and "Forky," a Brazilian individual who admitted to marketing the Aisuru botnet at its inception in late 2024. Forky vehemently denied any involvement in the massive and record-shattering DDoS attacks in the latter half of 2025 attributed to Aisuru, claiming the botnet had been taken over by rivals by that point. Forky asserted that Dort is a Canadian resident and one of at least two individuals currently controlling the Aisuru/Kimwolf botnet. The other individual identified by Forky as an Aisuru/Kimwolf botmaster operates under the nickname "Snow."

On January 2, 2026, mere hours after the initial Kimwolf story was published, historical chat records on resi[.]to were abruptly erased and replaced with a profanity-laden message targeting Synthient’s founder. Minutes later, the entire server disappeared. Later that same day, several active members of the defunct resi[.]to Discord server migrated to a Telegram channel. There, they proceeded to publish Benjamin Brundage’s personal information and expressed frustration over their inability to secure reliable "bulletproof" hosting for their botnet. In a bizarre turn of events, a user named "Richard Remington" briefly appeared on the Telegram server to post a crude "Happy New Year" sketch claiming that Dort and Snow now controlled 3.5 million devices infected by Aisuru and/or Kimwolf. Richard Remington’s Telegram account has since been deleted, but it previously indicated that its owner operated a website catering to DDoS-for-hire or "stresser" services looking to test their capabilities.

Synthient’s January 2 report identified another proxy provider deeply involved in the sale of Kimwolf proxies: Maskify. Maskify currently advertises on multiple cybercrime forums that it offers access to over six million residential Internet addresses for rent. Maskify prices its service at an exceptionally low rate of 30 cents per gigabyte of data relayed through its proxies, a price point significantly lower than any other known proxy provider. The Synthient report noted that their research team received screenshots from other proxy providers showing key Kimwolf actors attempting to offload proxy bandwidth for upfront cash payments. This approach likely facilitated early development, with associated members investing earnings into infrastructure and outsourced development tasks. The report further cautioned that resellers are fully aware of the unethical sourcing of proxies at these prices. Maskify did not respond to requests for comment.

In the hours following the initial Kimwolf story’s publication, the resi[.]to Discord server vanished, Synthient’s website was subjected to a DDoS attack, and the Kimwolf botmasters retaliated by doxing Brundage using their botnet. These harassing messages were disseminated as text records uploaded to the Ethereum Name Service (ENS), a decentralized system supporting smart contracts on the Ethereum blockchain. As documented by XLab in mid-December, the Kimwolf operators upgraded their infrastructure and began utilizing ENS to enhance their resilience against ongoing takedown efforts targeting the botnet’s control servers. By directing infected systems to locate Kimwolf control servers via ENS, even if the botmasters’ primary control servers were compromised, the attackers could simply update the ENS text record with the new server address, ensuring infected devices could immediately receive further instructions. XLab highlighted that this ENS channel, relying on the decentralized nature of blockchain and unregulated by external operators, cannot be blocked. The text records within Kimwolf’s ENS instructions also served as a medium for short messages, including the dissemination of Brundage’s personal information. Other ENS text records associated with Kimwolf offered a chilling piece of advice: "If flagged, we encourage the TV box to be destroyed."
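The ENS record itself may be unblockable, as XLab notes, but an infected TV box still has to reach some Ethereum node or ENS gateway to read it, and a set-top box has no legitimate reason to do so. That egress is the defender's detection point. The following is an added example, not code from the article, XLab or Synthient: it scans a constructed DNS query log, and flags hosts on an IoT segment that resolve Ethereum RPC or ENS gateway names. The hostnames, the subnet and the log format are all assumptions; in practice you would substitute the resolver and gateway names your own egress logs show, since the botmasters can point devices at any node.

```python
import ipaddress
from collections import Counter

# Constructed sample DNS query log (not from the article). Each line is:
# <timestamp> <client-ip> <queried-name>
SAMPLE_DNS_LOG = """\
2026-01-02T10:00:01Z 192.168.50.21 eth-rpc.gateway.example
2026-01-02T10:00:02Z 192.168.50.21 api.streaming-app.example
2026-01-02T10:00:09Z 192.168.50.21 eth-rpc.gateway.example
2026-01-02T10:00:15Z 192.168.10.5 eth-rpc.gateway.example
2026-01-02T10:01:00Z 192.168.50.33 time.android.example
2026-01-02T10:01:20Z 192.168.50.21 ens-resolver.gateway.example
2026-01-02T10:02:00Z 192.168.50.33 api.streaming-app.example
"""

# Hypothetical hostnames standing in for the Ethereum JSON-RPC endpoints or
# ENS gateways a device would contact to read an ENS text record. Real
# deployments would list the endpoints actually seen in their egress logs.
ETH_RPC_HOST_SUFFIXES = ("eth-rpc.gateway.example", "ens-resolver.gateway.example")

# Assumed network segment where streaming boxes and other IoT devices live.
IOT_SUBNET = ipaddress.ip_network("192.168.50.0/24")


def parse_dns_log(text):
    """Yield (client_ip, queried_name) pairs from log lines of the form above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crash
        _, client, name = parts
        yield ipaddress.ip_address(client), name.lower().rstrip(".")


def is_eth_rpc_name(name):
    """True if the name is, or is a subdomain of, a listed Ethereum/ENS endpoint."""
    return any(name == s or name.endswith("." + s) for s in ETH_RPC_HOST_SUFFIXES)


def flag_iot_ens_lookups(text, iot_subnet=IOT_SUBNET, threshold=1):
    """Return {client_ip: lookup_count} for IoT-segment hosts that resolved an
    Ethereum RPC or ENS gateway name at least `threshold` times.

    Hosts outside the IoT segment (workstations, a developer's node) are
    ignored: the signal is a device class that should never do blockchain
    lookups doing them, not the lookup by itself."""
    counts = Counter()
    for client, name in parse_dns_log(text):
        if client in iot_subnet and is_eth_rpc_name(name):
            counts[str(client)] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in flag_iot_ens_lookups(SAMPLE_DNS_LOG).items():
        print(f"IoT host {client} resolved Ethereum/ENS endpoints {n} times; isolate and inspect")
```

On the constructed log this flags only 192.168.50.21 (three lookups); the workstation at 192.168.10.5 makes the same lookups but is outside the IoT segment and is not reported. Pair the alert with the article's own remediation: disconnect the box rather than trying to clean it.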

Both Synthient and XLab confirm that Kimwolf targets a vast number of Android TV streaming box models, characterized by a complete absence of security protections and, in many cases, pre-installed proxy malware. The fundamental vulnerability lies in the fact that if a data packet can be sent to these devices, administrative control can be seized. Owners of TV boxes matching the listed model names and numbers are strongly advised to immediately disconnect them from their networks. Furthermore, individuals encountering such devices on the networks of friends or family should share this information and explain the potential risks and harm associated with keeping them connected. The lucrative benefits derived from the Aisuru and Kimwolf botnets are clearly tied to a network of individuals and entities profiting from compromised devices, malicious traffic relay, and illicit services.