The Kimwolf Botnet's Impact on Anonymity Network I2P
The Internet of Things (IoT) botnet, Kimwolf, has been causing significant disruptions to The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed for anonymity and secure online interactions. I2P users have been reporting network issues since the Kimwolf botmasters began using it to evade takedown attempts against their control servers.
Kimwolf emerged in late 2025, infecting millions of systems and turning poorly secured IoT devices into relays for malicious traffic and large DDoS attacks. I2P, on the other hand, is a privacy-focused network that enables anonymous communication and data sharing by routing data through multiple encrypted layers across volunteer-operated nodes.
On February 3, I2P users noticed a sudden influx of tens of thousands of routers overwhelming the network, preventing legitimate communication. This surge in new routers joining the network, unable to transmit data, caused the network to become overloaded, making it impossible for users to connect. When asked about the network's status, an I2P user suspected an attack, noting that their physical router froze when the number of connections exceeded 60,000.
The same day, Kimwolf's operators posted on their Discord channel that they had accidentally disrupted I2P while attempting to join 700,000 Kimwolf-infected bots as nodes on the network. This incident was a 'Sybil attack,' where a single entity can disrupt a peer-to-peer network by creating and controlling numerous fake identities.
The number of Kimwolf-infected routers trying to join I2P this week far exceeded the network's normal capacity. I2P typically consists of around 55,000 computers worldwide, but the network's founder, Lance James, revealed that it now has between 15,000 and 20,000 devices daily.
Benjamin Brundage, founder of Synthient, a startup tracking proxy services, noted that Kimwolf's operators have been experimenting with using I2P and Tor as a backup command and control network. However, there have been no recent reports of widespread disruptions in the Tor network.
Kimwolf's impact on Cloudflare's DNS settings was notable, as it instructed infected devices to use Cloudflare's settings, causing control domains associated with Kimwolf to usurp Amazon, Apple, Google, and Microsoft in Cloudflare's ranking of frequently requested websites.
Despite the current challenges, James assured that the I2P network is operating at half its normal capacity and is releasing a new version that should improve stability for users over the next week. Brundage added that Kimwolf's operators have recently alienated some competent developers and operators, leading to a rookie mistake that caused a significant drop in infected systems.
