Kimwolf IoT Botnet Disrupts I2P Anonymity Network in Massive Sybil Attack
The Kimwolf botnet flooded I2P with 700,000 infected IoT devices, causing widespread disruptions in the anonymity network's operations and connectivity.
Kimwolf Botnet Overwhelms I2P Anonymity Network
For the past week, the Kimwolf botnet—a massive IoT-based threat first identified in late 2025—has severely disrupted The Invisible Internet Project (I2P), a decentralized, encrypted network designed for anonymous communication. The outages coincided with the botnet’s operators attempting to use I2P as a fallback command-and-control (C2) infrastructure to evade takedown efforts.
Technical Details of the Attack
Kimwolf, which has infected millions of poorly secured IoT devices (including streaming boxes, digital picture frames, and routers), has been leveraging I2P to maintain resilience against disruption. On February 3, I2P users reported a sudden influx of tens of thousands of new routers overwhelming the network, leading to widespread connectivity failures.
The attack followed a Sybil attack pattern, in which a single entity (here, the Kimwolf operators) floods a peer-to-peer network with large numbers of pseudonymous identities, so that one operator controls a disproportionate share of the peer population; in I2P’s case the effect was to degrade performance. According to Lance James, founder of cybersecurity firm Unit 221B and an early I2P contributor, the network typically consists of 15,000–20,000 active devices—far fewer than the 700,000 Kimwolf-infected nodes attempting to join.
The botnet’s operators openly discussed their actions in a Discord channel, admitting they had unintentionally disrupted I2P while testing it as a C2 backup. Benjamin Brundage, founder of Synthient (a proxy-tracking startup), noted that Kimwolf has also experimented with Tor for similar purposes, though no major Tor disruptions have been reported.
Impact on I2P and Broader Security Concerns
The attack reduced I2P’s operational capacity by roughly 50%, with users reporting connection freezes when network traffic exceeded 60,000 concurrent connections. While the botnet’s primary function is DDoS attacks, its recent pivot to anonymity networks like I2P and Tor highlights a growing trend: botnet operators seeking resilient C2 channels to evade takedowns.
Kimwolf has previously caused issues for Cloudflare, flooding its DNS infrastructure and causing malicious domains to briefly outrank major platforms like Amazon, Apple, Google, and Microsoft in Cloudflare’s traffic rankings.
Current Status and Mitigation Efforts
I2P developers are rolling out a stability update to restore normal operations within the week. Meanwhile, Brundage reported that Kimwolf’s numbers have dropped by over 600,000 infected devices due to internal mismanagement, suggesting the botnet’s operators may lack operational expertise.
"They’re running experiments in production," Brundage said. "The botnet is shrinking, and they don’t seem to know what they’re doing."
For security teams, this incident underscores the risks of IoT botnets exploiting anonymity networks for resilience. Monitoring for unusual I2P/Tor traffic and Sybil attack patterns can help detect similar threats early.
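The kind of Sybil-influx monitoring mentioned above can be prototyped with very little code. The following is an added example, not code from the article, from I2P, or from any of the people quoted; it assumes a constructed join log with lines of the form "<epoch_seconds> join <router_id>", treats the article's 15,000–20,000 typical router population as the baseline, and flags any hour in which the number of never-before-seen router identities exceeds an assumed fraction of that baseline. The log format, the ALERT_RATIO threshold and the sample data are all assumptions made for the example.

```python
"""Sybil-influx detector for peer-join logs (added example; assumptions noted inline)."""

# Baseline population of the network (article: typically 15,000-20,000 active routers).
BASELINE_ACTIVE_ROUTERS = 17_500
WINDOW_SECONDS = 3600
# Assumption (not from the article): more first-seen identities in one hour
# than a quarter of the whole network is treated as a Sybil-style influx.
ALERT_RATIO = 0.25


def parse_join_log(text):
    """Parse constructed lines of the form '<epoch_seconds> join <router_id>'.

    Malformed lines are skipped rather than raising, since a monitor should
    keep running on noisy input. Returns events sorted by timestamp.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "join":
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[2]))
    events.sort()
    return events


def first_seen_per_window(events, window=WINDOW_SECONDS):
    """Count router identities seen for the first time in each time window.

    Repeated joins from an already-known router are ignored: churn of the
    existing population is normal, a flood of new identities is not.
    """
    seen = set()
    counts = {}
    for ts, rid in events:
        if rid in seen:
            continue
        seen.add(rid)
        start = ts - ts % window
        counts[start] = counts.get(start, 0) + 1
    return counts


def sybil_alerts(events, baseline=BASELINE_ACTIVE_ROUTERS, ratio=ALERT_RATIO,
                 window=WINDOW_SECONDS):
    """Return [(window_start, new_identities)] for every window whose count of
    first-seen identities exceeds baseline * ratio, in chronological order."""
    threshold = baseline * ratio
    counts = first_seen_per_window(events, window)
    return [(start, n) for start, n in sorted(counts.items()) if n > threshold]


def build_sample_log(quiet_hours=3, quiet_rate=300, surge=40_000):
    """Constructed sample data: a few hours of normal churn, then one hour in
    which tens of thousands of new identities appear, plus some re-joins of
    routers that were already known (these must not trigger an alert)."""
    lines = []
    rid = 0
    for h in range(quiet_hours):
        for i in range(quiet_rate):
            lines.append(f"{h * 3600 + i} join r{rid}")
            rid += 1
    surge_hour = quiet_hours * 3600
    for i in range(50):                       # re-joins of known routers
        lines.append(f"{surge_hour + i} join r{i}")
    for i in range(surge):                    # the influx of fresh identities
        lines.append(f"{surge_hour + 100 + (i % 3000)} join sybil{i}")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_join_log(build_sample_log())
    for start, n in sybil_alerts(events):
        print(f"window starting at {start}s: {n} new router identities "
              f"(baseline population {BASELINE_ACTIVE_ROUTERS})")
```

On the constructed sample the quiet hours each contribute 300 new identities and pass silently, while the surge hour reports 40,000 and is flagged. In a real deployment the baseline would be learned from the router's own netDb history rather than hard-coded, and the alert would be one input among several, since legitimate growth or a relay reconnecting many peers after an outage can also produce bursts of new identities.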