Anonymity Network I2P Overrun By Kimwolf Botnet

Last week, a massive network of hacked devices (a botnet) accidentally crashed one of the world's most important privacy tools while trying to use it as a hideout. This mishap revealed two things: the growing scale of modern cyber threats, and the fragility of the tools designed to protect online anonymity.
Under Siege
For the past week, users of The Invisible Internet Project—better known as I2P—have been unable to access the network they rely on for private, anonymous communication.
I2P is a decentralized privacy network that allows people to browse, share files, and communicate without revealing their identities or locations. Think of it as the internet's equivalent of a secret tunnel system, where your messages bounce through multiple encrypted pathways before reaching their destination, making it nearly impossible to trace who's talking to whom.
Unlike the regular internet, where your internet service provider can see what websites you visit, I2P routes all traffic through volunteer-operated computers called "nodes." Each piece of data gets wrapped in multiple layers of encryption (kind of like nesting dolls), and each node only knows where to send it next—not where it came from originally or where it's ultimately going. This design makes I2P popular with privacy advocates, journalists in repressive countries, and anyone who needs to communicate without surveillance.
On any given day, about 15,000 to 20,000 computers around the world participate in the I2P network. It's a relatively small community compared to the mainstream internet, which makes what happened on February 3rd all the more devastating.
Kimwolf: A Botnet with Millions of Soldiers
The source of I2P's problems was a cybercriminal operation called Kimwolf.
Kimwolf first appeared in late 2025 and quickly became one of the largest botnets in recent history, infecting millions of poorly secured "Internet of Things" (IoT) devices. These are everyday consumer electronics that connect to the internet but often have weak security: cheap streaming boxes, home routers with default passwords, and smart home devices that rarely receive security updates.
What makes Kimwolf particularly dangerous is how cybercriminals use it. The botnet's primary weapon is the distributed denial-of-service attack (DDoS).
In a DDoS attack, hackers command their army of infected devices to simultaneously flood a target website or service with so much traffic that it crumbles under the load and becomes unavailable to legitimate users.
Kimwolf has launched some of the largest DDoS attacks on record, leveraging its millions of compromised devices to generate overwhelming amounts of malicious traffic.
The Accidental Attack
On February 3rd, I2P users began reporting widespread connection problems. The network's discussion forums on GitHub were filled with complaints. Users reported seeing tens of thousands of new "routers" (I2P's term for participating computers) suddenly flooding the network. One user described their home router freezing when connections exceeded 60,000—far beyond normal levels.
What was happening became clear when the operators of Kimwolf bragged about it in their own Discord chat channel. The Kimwolf controllers openly discussed how they had attempted to connect 700,000 of their infected devices to I2P as nodes.

Why would botnet operators want to join a privacy network?
The answer lies in the constant cat-and-mouse game between cybercriminals and security researchers. When security companies identify the servers that control a botnet (called "command and control" servers), they can work with internet service providers to shut them down. This cuts off the hackers' ability to issue instructions to their infected devices.
The Kimwolf operators were trying to build a backup control system that couldn't be easily taken down. By using I2P's encrypted, decentralized network, they hoped to create communication channels with their botnet that would be nearly impossible for security companies to block or monitor.
Death by Overcrowding
The problem was that I2P wasn't designed to handle this kind of massive influx. Remember, the entire network normally consists of 15,000 to 20,000 computers. When 700,000 Kimwolf-infected devices tried to join simultaneously, it was simply too much. The network became so flooded with these bogus participants that legitimate users couldn't find or connect to real nodes.
According to Lance James, the original founder of I2P and currently a cybersecurity consultant, the attack brought I2P down to about half its normal operating capacity. Graphs shared by I2P developers showed a dramatic spike in connection attempts—mostly from devices located in the United States—right when the problems began.
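A flood like the one described above shows up as a jump in the number of routers a node knows about. The sketch below is an added example, not code from I2P or from the original article: it flags such a jump against a rolling median baseline and estimates what share of the visible routers is excess. The hourly counts are constructed to echo the figures in the article, and the window size, multiplier and floor are assumed tuning values.

```python
from statistics import median

# Constructed hourly samples of "known routers": a normal 15,000-20,000 range,
# then a surge shaped like the one described in the article.
SAMPLES = [16200, 17100, 18400, 17800, 16900, 17500,
           18100, 19200, 61000, 240000, 717000, 716500]


def mad_baseline(window):
    """Return (median, median absolute deviation) for a window of counts."""
    med = median(window)
    mad = median(abs(x - med) for x in window)
    return med, mad


def detect_flood(samples, window=6, k=6.0, floor=500):
    """Flag samples far above the rolling baseline.

    Returns a list of (index, count, baseline, excess_fraction), where
    excess_fraction estimates the share of routers beyond the baseline.
    Flagged samples are kept out of the baseline, so a sustained flood
    cannot pull the baseline upward and mask itself.
    window, k and floor are assumed tuning values, not I2P parameters.
    """
    history = list(samples[:window])
    alerts = []
    for i in range(window, len(samples)):
        count = samples[i]
        med, mad = mad_baseline(history[-window:])
        # The floor stops a very quiet window from producing a hair-trigger.
        threshold = med + k * max(mad, floor)
        if count > threshold:
            alerts.append((i, count, med, round(1 - med / count, 3)))
        else:
            history.append(count)
    return alerts


if __name__ == "__main__":
    for idx, count, base, excess in detect_flood(SAMPLES):
        print(f"hour {idx}: {count} routers, baseline {base:.0f}, "
              f"~{excess:.1%} above baseline")
```

Keeping flagged hours out of the baseline is the important design choice here: with a plain moving average, several hours of flood would become the new "normal" and the alert would clear while the network was still saturated.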

The Bigger Picture
Benjamin Brundage, founder of cybersecurity startup Synthient, emphasizes that the Kimwolf operators weren't trying to destroy I2P—they were just recklessly experimenting.
"I don't think their goal is to take I2P down," Brundage explained. "It's more they're looking for an alternative to keep the botnet stable in the face of takedown attempts."
This isn't Kimwolf's first brush with causing unintended chaos. Late last year, the botnet created headaches for Cloudflare, a major internet infrastructure company, when it instructed millions of infected devices to use Cloudflare's domain name system (DNS) settings. The sudden surge caused Kimwolf-related domains to repeatedly appear in Cloudflare's ranking of most-requested websites, surpassing tech giants like Amazon, Google, and Microsoft.
A Silver Lining
While the I2P disruption showcases the immense power of modern botnets, there's some good news. According to Brundage, the Kimwolf operators appear to have recently alienated some of their more skilled developers and technical operators. This led to a major blunder last week that caused the botnet to lose more than 600,000 infected devices.
"It seems like they're just testing stuff, like running experiments in production," Brundage said, comparing the operators' approach to a software company carelessly testing new features on their live systems rather than in a controlled environment. "But the botnet's numbers are dropping significantly now, and they don't seem to know what they're doing."
I2P developers are rolling out updates to improve the network's stability and resilience. The network is gradually recovering, though it will likely take another week for full functionality to return.




