Kimwolf IoT botnet activity disrupting I2P
Malware Activity
Summary
The Kimwolf botnet disrupted I2P over the past week after operators tried to join 700,000 infected bots as nodes, briefly overwhelming the anonymity network and disrupting user communications. The same botnet had already infected millions of IoT devices, showing how its scale can translate into both malicious traffic and network abuse. The activity matters because Kimwolf was also being used to test backup command-and-control options while defenders tried to contain it.
Related Happenings
Dort-linked DDoS, doxing, and swatting campaign against researchers
Campaign
First: 22.05.2026 00:50
Last: 22.05.2026 00:50
Sources 1
About this happening:
The **Dort**-linked harassment campaign targeted **this author and a security researcher**, using **DDoS, doxing, and swatting** to intimidate the people investigating the operato...
AISURU/Kimwolf hyper-volumetric DDoS botnet activity
Malware Activity
First: 05.02.2026 19:25
Last: 05.02.2026 19:25
Sources 1
About this happening:
The **AISURU/Kimwolf** botnet is a **malware activity** cluster tied to **hyper-volumetric DDoS attacks** and large-scale device conscription. On **2025-12-04**, Cloudflare said i...
Latest development: 20.03.2026 08:25
The U.S. Department of Justice disrupted command-and-control infrastructure used by AISURU, Kimwolf, JackSkid, and Mossad in a court-authorized law-enforcement operation, with support from Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab.
2025 DDoS surge targets telecommunications, service providers, and carriers
Target Trend
First: 05.02.2026 19:25
Last: 05.02.2026 19:25
Sources 1
About this happening:
**Cloudflare** reports that the **2025 DDoS surge** has continued into **Q3 2025**, with the **Aisuru botnet** driving more than **1,300 attacks** in three months and a record pea...
Aisuru/Kimwolf botnet record DDoS campaign against telecommunications and IT companies
Campaign
First: 29.01.2026 16:55
Last: 29.01.2026 16:55
Sources 1
About this happening:
The **Aisuru/Kimwolf botnet** campaign expanded in **late 2025** with **Kimwolf**, a **DDoS botnet** compiled using the **NDK**, and evidence linking it to **AISURU** through shar...
Latest development: 20.03.2026 02:49
The U.S. Justice Department, with authorities in Canada and Germany, dismantled infrastructure behind Aisuru, Kimwolf, JackSkid and Mossad, seized U.S.-registered domains and virtual servers used in DDoS attacks against DoD Internet addresses, and said the action was intended to prevent further infections and future attacks.
Kimwolf-Dort-Snow ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 26.01.2026 18:11
Last: 26.01.2026 18:11
Sources 1
About this happening:
**Kimwolf** botmasters’ alleged **unauthorized access** to the **Badbox 2.0** control panel now matters because it could let them push malware directly onto devices in a botnet th...
Timeline
- 11.02.2026 18:08 1 article · 3mo ago
I2P users report Kimwolf-driven router flood
Initial Disclosure
I2P users began reporting network disruptions after tens of thousands of Kimwolf-infected routers suddenly overwhelmed the decentralized communications network, preventing connections to legitimate nodes. Kimwolf operators also acknowledged that they had accidentally disrupted I2P after trying to join 700,000 infected bots as network nodes.
Sources:
- Kimwolf Botnet Swamps Anonymity Network I2P — krebsonsecurity.com — 11.02.2026 18:08
- 11.02.2026 18:08 2 articles · 3mo ago
I2P rolls out stability improvements during Kimwolf disruption
Mitigation Patch Update
I2P remained at about half of its normal capacity while a new release rolled out to improve stability after the Kimwolf router influx. Kimwolf operators were also experimenting with I2P and Tor as backup command-and-control infrastructure, and the botnet’s overall numbers reportedly fell by more than 600,000 infected systems after a recent operator mistake.
Sources:
- Kimwolf Botnet Swamps Anonymity Network I2P — krebsonsecurity.com — 11.02.2026 18:08
- Kimwolf Botnet Swamps Anonymity Network I2P — krebsonsecurity.com — 11.02.2026 18:08