Last week, a large “Internet of Things” (IoT) botnet known as Kimwolf it has been disturbing The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure Internet communications. I2P users began reporting disruptions to the network at the same time Kimwolf botmasters began relying on it to avoid takedown attempts against the botnet’s control servers.
Kimwolf is a bot that appeared in late 2025 and quickly infected millions of systems, turning poorly secured IoT devices such as television set-top boxes, digital picture frames and routers into malicious traffic relays and unusually large distributed denial-of-service (DDoS) attacks.
I2P is a decentralized, privacy-oriented network that allows people to communicate and share information anonymously.
“It works by transmitting data through multiple layers of encryption across all voluntary interfaces, hiding both the sender and receiver locations,” the I2P website explains. “The result is a secure, censorship-resistant network designed for private websites, messaging, and data sharing.”
On February 3, I2P users began to complain on the organization’s GitHub page about the tens of thousands of routers that appeared to overwhelm the network, preventing existing users from connecting to legitimate nodes. Users reported a rapidly increasing number of new routers joining the network that were unable to transmit data, and that the massive influx of new systems filled the network to the point where users could no longer connect.
I2P users are complaining about service interruptions from the rapidly increasing number of routers that are simply congesting the network.
When one I2P user asked if the network was under attack, another user replied, “It seems so. My router freezes when the number of connections is over 60,000.”
A graph shared by I2P developers showing a marked drop in successful connections to the I2P network when the Kimwolf botnet began trying to exploit the network in reverse.
On the same day that I2P users first noticed the outage, the people who run Kimwolf posted on their Discord channel that they accidentally disrupted I2P after trying to join 700,000 Kimwolf-infected bots as nodes in the network.
The Kimwolf botmaster openly discusses what they are doing with the botnet on a Discord channel with my name on it.
Although Kimwolf is known as a powerful weapon for launching DDoS attacks, the outage caused this week by a part of a botnet trying to join I2P is what is known as a “Sybil attack,” a threat to peer-to-peer networks in which a single organization can disrupt the system by creating, controlling, and using dozens of fake identities.
Indeed, the number of Kimwolf infected routers that tried to join I2P this past week was several times the average size of the network. The Wikipedia page for I2P states that the network consists of approximately 55,000 computers distributed around the world, with each acting as a router (forwarding traffic) and a client.
However, Lance Jamesfounder of New York City-based Cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity that the entire I2P network now contains between 15,000 and 20,000 devices on any given day.
User I2P posted this graph on Feb. 10, showing tens of thousands of routers – mostly from the United States – suddenly trying to join the network.
Benjamin Brundage is the founder of Synthient, a startup that tracks proxy services and was the first to document Kimwolf’s unique distribution strategy. Brundage said the Kimwolf operator was trying to build a command and control network that could not be easily taken down by security companies and network operators working together to combat the spread of the botnet.
Brundage said the people who control Kimwolf have been trying to use I2P and a similar anonymity network – Tor – as a backup command and control network, although there have been no reports of widespread disruptions to the Tor network recently.
“I don’t think their intention is to slow down I2P,” he said. “What’s more they want another way to keep the botnet stable in the face of takedown efforts.”
The Kimwolf botnet created challenges for Cloudflare late last year when it began instructing millions of infected devices to use Cloudflare’s domain name server (DNS) settings, causing control domains associated with Kimwolf to be compromised repeatedly. Amazon, an apple, Google again Microsoft in Cloudflare’s public ranking of the most requested websites.
James said the I2P network is still operating at about half its normal capacity, and that new releases are underway that should bring stability improvements next week to users.
Meanwhile, Brundage said the good news is that Kimwolf’s management appears to have recently fired some of its most talented developers, leading to a rookie error last week that caused the botnet’s numbers to drop by more than 600,000 infected systems.
“It seems like they’re just testing things, like doing tests in production,” he said. “But botnet numbers are going down a lot now, and it seems like they don’t know what they’re doing.”
