The Invisible Internet Project (I2P), a network designed for anonymous and secure communication, has been significantly disrupted over the past week by the Kimwolf botnet, a massive collection of compromised Internet of Things (IoT) devices. The disruptions began around February 3rd, coinciding with attempts by the botnet’s operators to leverage I2P to evade efforts to dismantle their infrastructure, according to reports from I2P users and security researchers.
Kimwolf, which surfaced in late 2025, has rapidly infected millions of devices – including TV streaming boxes, digital picture frames, and routers – transforming them into relays for malicious traffic and launching large-scale distributed denial-of-service (DDoS) attacks. The botnet’s size and reach became apparent late last year when it briefly surpassed Google in Cloudflare’s ranking of most frequently requested websites by instructing infected devices to utilize Cloudflare’s DNS settings.
I2P functions by routing data through multiple encrypted layers across volunteer-operated nodes, obscuring the locations of both the sender and receiver. The network, comprised of roughly 15,000 to 20,000 devices globally according to I2P founder Lance James, is intended to provide a secure, censorship-resistant platform for private websites, messaging, and data sharing. However, the recent influx of tens of thousands of routers attempting to join the network overwhelmed its capacity.
I2P users first reported the issues on the organization’s GitHub page, noting that a surge of novel routers, unable to transmit data, were freezing systems and preventing legitimate connections. One user reported their router freezing when the number of connections exceeded 60,000. The Kimwolf botmasters themselves acknowledged the disruption in a Discord channel, stating they had inadvertently impacted I2P while attempting to add 700,000 infected bots as nodes.
Security experts describe the Kimwolf’s actions as a “Sybil attack,” where a single entity attempts to control a peer-to-peer network by creating numerous fake identities. Benjamin Brundage, founder of Synthient, a firm tracking proxy services, explained that the Kimwolf operators are seeking a resilient command and control network that can withstand takedown attempts. Brundage added that the group has as well been experimenting with Tor, another anonymity network, as a potential backup, though no widespread disruptions to Tor have been reported.
While Kimwolf is known for its DDoS capabilities, the attempt to utilize I2P represents a shift in tactics. Brundage noted a recent development within the Kimwolf operation: a series of missteps by key developers and operators have led to a reduction of over 600,000 infected systems. “It seems like they’re just testing stuff, like running experiments in production,” he said. “But the botnet’s numbers are dropping significantly now, and they don’t seem to know what they’re doing.”
James stated that the I2P network is currently operating at roughly half its normal capacity, with a new release underway intended to improve stability over the coming week. The network remains operational, but the incident highlights the vulnerability of anonymity networks to exploitation by large-scale botnets seeking to conceal their operations.
