Kimwolf Botnet Swamps Anonymity Community I2P – Krebs on Safety

For the previous week, the huge “Web of Issues” (IoT) botnet generally known as Kimwolf has been disrupting The Invisible Web Challenge (I2P), a decentralized, encrypted communications community designed to anonymize and safe on-line communications. I2P customers began reporting disruptions within the community across the similar time the Kimwolf botmasters started counting on it to evade takedown makes an attempt in opposition to the botnet’s management servers.

Kimwolf is a botnet that surfaced in late 2025 and rapidly contaminated tens of millions of programs, turning poorly secured IoT units like TV streaming containers, digital image frames and routers into relays for malicious site visitors and abnormally large distributed denial-of-service (DDoS) assaults.

I2P is a decentralized, privacy-focused community that permits individuals to speak and share data anonymously.

“It really works by routing knowledge via a number of encrypted layers throughout volunteer-operated nodes, hiding each the sender’s and receiver’s places,” the I2P website explains. “The result’s a safe, censorship-resistant community designed for personal web sites, messaging, and knowledge sharing.”

On February 3, I2P customers started complaining on the organization’s GitHub page about tens of hundreds of routers all of the sudden overwhelming the community, stopping current customers from speaking with respectable nodes. Customers reported a quickly rising variety of new routers becoming a member of the community that had been unable to transmit knowledge, and that the mass inflow of recent programs had overwhelmed the community to the purpose the place customers might not join.

I2P customers complaining about service disruptions from a quickly rising variety of routers all of the sudden swamping the community.

When one I2P consumer requested whether or not the community was below assault, one other consumer replied, “Seems prefer it. My bodily router freezes when the variety of connections exceeds 60,000.”

A graph shared by I2P builders displaying a marked drop in profitable connections on the I2P community across the time the Kimwolf botnet began attempting to make use of the community for fallback communications.

The identical day that I2P customers started noticing the outages, the individuals in control of Kimwolf posted to their Discord channel that that they had by chance disrupted I2P after trying to hitch 700,000 Kimwolf-infected bots as nodes on the community.

The Kimwolf botmaster overtly discusses what they’re doing with the botnet in a Discord channel with my title on it.

Though Kimwolf is named a potent weapon for launching DDoS assaults, the outages triggered this week by some portion of the botnet trying to hitch I2P are what’s generally known as a “Sybil attack,” a risk in peer-to-peer networks the place a single entity can disrupt the system by creating, controlling, and working numerous faux, pseudonymous identities.

Certainly, the variety of Kimwolf-infected routers that attempted to hitch I2P this previous week was many occasions the community’s regular dimension. I2P’s Wikipedia page says the community consists of roughly 55,000 computer systems distributed all through the world, with every participant performing as each a router (to relay site visitors) and a shopper.

Nonetheless, Lance James, founding father of the New York Metropolis based mostly cybersecurity consultancy Unit 221B and the unique founding father of I2P, informed KrebsOnSecurity your complete I2P community now consists of between 15,000 and 20,000 units on any given day.

An I2P consumer posted this graph on Feb. 10, displaying tens of hundreds of routers — principally from the US — all of the sudden trying to hitch the community.

Benjamin Brundage is founding father of Synthient, a startup that tracks proxy providers and was the primary to document Kimwolf’s unique spreading techniques. Brundage mentioned the Kimwolf operator(s) have been attempting to construct a command and management community that may’t simply be taken down by safety corporations and community operators which can be working collectively to fight the unfold of the botnet.

Brundage mentioned the individuals answerable for Kimwolf have been experimenting with utilizing I2P and an analogous anonymity community — Tor — as a backup command and management community, though there have been no experiences of widespread disruptions within the Tor community just lately.

“I don’t assume their objective is to take I2P down,” he mentioned. “It’s extra they’re in search of a substitute for preserve the botnet secure within the face of takedown makes an attempt.”

The Kimwolf botnet created challenges for Cloudflare late final yr when it started instructing tens of millions of contaminated units to make use of Cloudflare’s area title system (DNS) settings, inflicting management domains related to Kimwolf to repeatedly usurp Amazon, Apple, Google and Microsoft in Cloudflare’s public rating of probably the most often requested web sites.

James mentioned the I2P community continues to be working at about half of its regular capability, and {that a} new launch is rolling out which ought to convey some stability enhancements over the subsequent week for customers.

In the meantime, Brundage mentioned the excellent news is Kimwolf’s overlords seem to have fairly just lately alienated a few of their extra competent builders and operators, resulting in a rookie mistake this previous week that triggered the botnet’s total numbers to drop by greater than 600,000 contaminated programs.

“It looks like they’re simply testing stuff, like working experiments in manufacturing,” he mentioned. “However the botnet’s numbers are dropping considerably now, they usually don’t appear to know what they’re doing.”