Kimwolf Botnet Disrupts I2P Anonymity Network With Sybil Attack

By alex2404

The Kimwolf botnet, a massive network of compromised Internet of Things devices that emerged in late 2025, has spent the past week disrupting I2P (The Invisible Internet Project), an encrypted anonymity network, after its operators attempted to enlist hundreds of thousands of infected devices as nodes on the platform.

The disruption began on February 3, when I2P users started filing complaints on the organization’s GitHub page. Tens of thousands of routers were suddenly attempting to join the network, overwhelming its infrastructure and preventing legitimate users from connecting to working nodes.

What Kimwolf Did to I2P

Kimwolf’s operators acknowledged the situation the same day outages began, posting to their Discord channel that they had accidentally disrupted I2P by attempting to join 700,000 Kimwolf-infected bots as nodes on the network. The intent was not sabotage. They were looking for a resilient fallback command-and-control channel that security researchers and network operators couldn’t easily dismantle.

The disruption falls into a category known as a Sybil attack, where a single entity floods a peer-to-peer network by creating and operating a massive number of fake identities simultaneously. In this case, the sheer volume of Kimwolf nodes dwarfed I2P’s actual size.

According to Lance James, founder of cybersecurity consultancy Unit 221B and the original founder of I2P, the network currently operates with between 15,000 and 20,000 devices on any given day. The 700,000 bots Kimwolf attempted to connect represented a volume many times larger than the entire network. One I2P user reported their physical router freezing once connections exceeded 60,000.

A Botnet Built to Survive Takedowns

Kimwolf first surfaced in late 2025 and rapidly infected millions of systems, targeting poorly secured IoT devices including TV streaming boxes, digital picture frames, and routers. It has since become known for generating abnormally large distributed denial-of-service attacks.

Benjamin Brundage, founder of proxy-tracking startup Synthient and the first researcher to document Kimwolf’s spreading techniques, said the botnet’s operators have been actively experimenting with both I2P and Tor as backup infrastructure against coordinated takedown efforts.

“I don’t think their goal is to take I2P down,” Brundage said. “It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts.”

No widespread disruptions to the Tor network have been reported in connection with Kimwolf’s experiments there.

A Pattern of Collateral Damage

This is not the first time Kimwolf has caused problems beyond its intended targets. Late last year, the botnet created operational headaches for Cloudflare when its operators instructed millions of infected devices to use Cloudflare’s DNS settings, disrupting the company’s infrastructure in the process.

The I2P incident follows a similar pattern: operators pushing the botnet’s scale to its limits, with wider networks absorbing the collateral impact. A graph shared by I2P developers showed a sharp drop in successful connections precisely when Kimwolf began its node-joining attempt, and a separate graph posted by an I2P user on February 10 showed the flood of new routers originating predominantly from the United States.

I2P describes itself as a network that routes data through multiple encrypted layers across volunteer-operated nodes, obscuring both sender and receiver locations. That architecture, designed to resist surveillance and censorship, proved fragile under the weight of a botnet operating at a scale the network was never built to handle.


This article is a curated summary based on third-party sources.
