For the past week, the massive 'Internet of Things' (IoT) botnet Kimwolf has been disrupting The Invisible Internet Project (I2P), a decentralized, encrypted communications network designed to anonymize and secure online communications. I2P users began reporting disruptions around the same time Kimwolf's botmasters started relying on I2P to evade takedown attempts against their control servers.
Kimwolf surfaced in late 2025 and quickly infected millions of systems, turning poorly secured IoT devices such as TV streaming boxes, digital picture frames, and routers into relays for malicious traffic and abnormally large distributed denial-of-service (DDoS) attacks.
I2P is a decentralized, privacy-focused network that allows people to communicate and share information anonymously. 'It works by routing data through multiple encrypted layers across volunteer-operated nodes, hiding both the sender’s and receiver’s locations,' the I2P website explains. 'The result is a secure, censorship-resistant network designed for private websites, messaging, and data sharing.'
On February 3, I2P users began complaining on the organization's GitHub page about tens of thousands of routers suddenly overwhelming the network, preventing existing users from communicating with legitimate nodes. Users reported a rapidly increasing number of new routers joining the network that were unable to transmit data, and said the mass influx of new systems had overwhelmed the network.
I2P users complained about service disruptions as a large number of routers suddenly swamped the network. When one I2P user asked if the network was under attack, another replied, 'Looks like it. My physical router freezes when the number of connections exceeds 60,000.' A graph shared by I2P developers showed a marked drop in successful connections on the I2P network around the same time Kimwolf started trying to use it for fallback communications.
The same day I2P users noticed outages, the individuals controlling Kimwolf posted to their Discord channel that they had accidentally disrupted I2P after attempting to join 700,000 Kimwolf-infected bots as nodes on the network. The botmaster openly discussed their actions in a Discord channel with my name on it.
Although Kimwolf is known for its potent DDoS capabilities, this week's outages, caused by some portion of the botnet trying to join I2P, are what’s known as a 'Sybil attack,' in which a single entity can disrupt a system by creating and controlling a large number of fake, pseudonymous identities. Indeed, the number of Kimwolf-infected routers that tried to join I2P this past week was many times the network's normal size.
I2P’s Wikipedia page claims it consists of roughly 55,000 computers distributed worldwide, with each participant acting as both a router (to relay traffic) and a client. However, Lance James, founder of the New York City-based cybersecurity consultancy Unit 221B and the original founder of I2P, told KrebsOnSecurity that the entire I2P network now consists of between 15,000 and 20,000 devices on any given day. An I2P user posted a graph on Feb. 10, showing tens of thousands of routers — mostly from the United States — suddenly attempting to join the network.
Benjamin Brundage, founder of Synthient, a startup that tracks proxy services and was the first to document Kimwolf’s unique spreading techniques, said that the Kimwolf operators have been trying to build a command and control network that cannot easily be taken down by security companies and network operators working together to combat the spread of the botnet. Brundage said that people in control of Kimwolf have been experimenting with using I2P and a similar anonymity network — Tor — as a backup command and control network, although there have been no reports of widespread disruptions in the Tor network recently.
'I don’t think their goal is to take I2P down,' he said. 'It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts.'
The Kimwolf botnet created challenges for Cloudflare late last year when it began instructing millions of infected devices to use Cloudflare's domain name system (DNS) settings, causing control domains associated with Kimwolf to repeatedly usurp Amazon, Apple, Google, and Microsoft in Cloudflare’s public ranking of the most frequently requested websites.
James said the I2P network is still operating at about half of its normal capacity, and that a new release rolling out should bring some stability improvements.