The decentralized, encrypted communications network I2P experienced significant disruptions over the past week as the massive Kimwolf botnet attempted to leverage the platform. Security researchers have identified this as a large-scale Sybil attack, where a single entity floods a peer-to-peer network with fake identities to overwhelm legitimate users. The incident highlights the ongoing challenges faced by anonymity networks in defending against malicious actors seeking to exploit their infrastructure.
Kimwolf, an “Internet of Things” (IoT) botnet that surfaced in late 2025, has rapidly infected millions of devices – including TV streaming boxes, digital picture frames, and routers – turning them into relays for malicious traffic and large-scale distributed denial-of-service (DDoS) attacks. I2P, designed to anonymize and secure online communications by routing data through multiple encrypted layers across volunteer-operated nodes, became a target as the botnet’s operators sought alternative command and control (C2) channels.
The disruptions began on February 3rd, with I2P users reporting tens of thousands of new routers suddenly overwhelming the network, preventing connections. One user reported their router freezing when the number of connections exceeded 60,000. The influx of traffic was far beyond the network’s normal capacity. According to Lance James, founder of cybersecurity consultancy Unit 221B and the original founder of I2P, the network typically consists of between 15,000 and 20,000 devices, a figure significantly lower than the approximately 700,000 bots Kimwolf attempted to onboard.
Remarkably, the Kimwolf operators openly acknowledged in their Discord channel that the I2P disruption was accidental, occurring while they were attempting to integrate the 700,000 infected devices as network nodes. This admission offers insight into the operators’ efforts to build a resilient C2 infrastructure that is less susceptible to takedown attempts by security companies and network operators.
Sybil Attack and the Search for Resilience
The tactic employed by Kimwolf – flooding I2P with a massive number of controlled nodes – is known as a Sybil attack. This type of attack is particularly effective against peer-to-peer networks like I2P, where trust and reputation are crucial for maintaining network integrity. By controlling a disproportionate number of nodes, an attacker can disrupt legitimate traffic and potentially compromise the anonymity of the network. Benjamin Brundage, founder of Synthient, a startup tracking proxy services, noted that the Kimwolf operators are actively seeking command and control methods that are resistant to disruption. Brundage was the first to document Kimwolf’s unique spreading techniques.
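To put the article's figures in perspective, the following added example (not code from I2P or from the researchers quoted) models the worst case in which all 700,000 bots join alongside 20,000 legitimate routers, and flags a router-count surge against a rolling median baseline. It assumes uniform random peer selection and a three-hop tunnel, which simplifies I2P's real peer selection; the hourly samples are constructed.

```python
from math import comb
from statistics import median

def sybil_fraction(honest: int, sybil: int) -> float:
    """Share of all routers that the single entity controls."""
    return sybil / (honest + sybil)

def p_all_hops_sybil(honest: int, sybil: int, hops: int) -> float:
    """P(every hop of a tunnel is attacker-run), picking distinct peers
    uniformly at random (simplifying assumption, see lead-in)."""
    return comb(sybil, hops) / comb(honest + sybil, hops)

def p_any_hop_sybil(honest: int, sybil: int, hops: int) -> float:
    """P(at least one hop of a tunnel is attacker-run), same assumption."""
    return 1 - comb(honest, hops) / comb(honest + sybil, hops)

def surge_alerts(counts, window=5, factor=2.0):
    """Return indexes of samples exceeding factor x the median of the last
    `window` normal samples. Flagged samples stay out of the baseline so a
    sustained flood cannot teach the detector that it is normal."""
    baseline, alerts = [], []
    for i, count in enumerate(counts):
        if len(baseline) >= window and count > factor * median(baseline[-window:]):
            alerts.append(i)
        else:
            baseline.append(count)
    return alerts

# Figures from the article: 15,000-20,000 normal routers, ~700,000 bots.
HONEST, SYBIL = 20_000, 700_000
HOPS = 3  # assumed tunnel length

# Constructed hourly known-router counts (not measured data).
SAMPLES = [17000, 18000, 16500, 17500, 18200, 19000, 45000, 60000, 61000, 30000]

if __name__ == "__main__":
    print(f"sybil share of network: {sybil_fraction(HONEST, SYBIL):.1%}")
    print(f"all {HOPS} hops attacker-run: {p_all_hops_sybil(HONEST, SYBIL, HOPS):.1%}")
    print(f"any hop attacker-run: {p_any_hop_sybil(HONEST, SYBIL, HOPS):.3%}")
    print(f"surge samples: {surge_alerts(SAMPLES)}")
```

Under these assumptions, the honest routers become a small minority of the peer pool, which is why a network sized for tens of thousands of routers has little headroom against an influx of this scale.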
While I2P was the initial target, the Kimwolf operators have also been experimenting with Tor, another prominent anonymity network, as a potential backup C2 channel. However, there have been no recent reports of widespread disruptions to the Tor network. “I don’t think their goal is to take I2P down,” Brundage said. “It’s more they’re looking for an alternative to keep the botnet stable in the face of takedown attempts.”
This isn’t the first time Kimwolf has caused headaches for internet infrastructure providers. Late last year, the botnet instructed millions of infected devices to apply Cloudflare’s domain name system (DNS) settings, causing control domains associated with Kimwolf to temporarily outrank major websites like Amazon, Apple, Google, and Microsoft in Cloudflare’s public rankings.
Current Status and Future Outlook
As of February 16, 2026, the I2P network is operating at roughly half of its normal capacity, according to James. A new release is currently being rolled out, aimed at improving network stability for users. Interestingly, Brundage reports that recent internal conflicts within the Kimwolf operation, leading to the departure of experienced developers, may have contributed to a “rookie mistake” that resulted in a 600,000-device reduction in the botnet’s size. “It seems like they’re just testing stuff, like running experiments in production,” Brundage observed. “But the botnet’s numbers are dropping significantly now, and they don’t seem to realize what they’re doing.”
The Kimwolf botnet’s attempt to exploit I2P underscores the constant arms race between threat actors and the defenders of anonymity networks. While the immediate disruption to I2P appears to be subsiding, the incident serves as a stark reminder of the vulnerabilities inherent in decentralized systems and the need for ongoing vigilance and innovation in cybersecurity. The situation remains fluid, and continued monitoring of both Kimwolf and I2P is crucial.