CYBER

Kimwolf IoT Botnet Overwhelms Anonymity Network I2P, Highlighting Infrastructure Vulnerabilities


For the past week, the Invisible Internet Project (I2P), a decentralized network designed to anonymize online communications, has been experiencing severe disruptions. The source of the problem has been traced to the massive "Kimwolf" Internet of Things (IoT) botnet, whose operators have begun using the anonymity network to hide their command-and-control infrastructure. The incident underscores a recurring conflict: privacy-enhancing technologies can be co-opted by malicious actors, and that abuse can degrade the network for the very users it was built to protect. The Kimwolf botnet, which emerged in late 2025, has infected millions of poorly secured IoT devices, such as streaming boxes, digital picture frames, and routers, turning them into relays for malicious traffic and into sources of powerful distributed denial-of-service (DDoS) attacks.

I2P works by routing user data through multiple layers of encryption across a global network of volunteer-operated nodes, which the project calls routers, effectively obscuring the locations of both senders and receivers. This architecture is designed to create a censorship-resistant environment for private websites, messaging, and file sharing. However, beginning around February 3, users began reporting a sudden, massive influx of new routers, tens of thousands of them, joining the network. These new nodes, later identified as devices enslaved by the Kimwolf botnet, carried no legitimate traffic. Instead, they overwhelmed the network's peer discovery and routing mechanisms, preventing existing, legitimate users from establishing stable connections. On the project's GitHub page, users described their physical home routers freezing as their I2P router's connection count climbed past 60,000, a clear indicator of a resource exhaustion attack.

The botnet's migration to I2P appears to be a strategic evasion tactic. Security researchers analyzing Kimwolf believe its operators are using the anonymity network to proxy traffic to their hidden command servers, making traditional takedown efforts based on IP address blocking significantly more difficult. By flooding I2P with their compromised nodes, the botmasters are not only hiding their own operations but also degrading the service for legitimate privacy-seeking users. This creates a paradoxical and damaging situation where a tool built for protection is weaponized to enable further criminal activity, while simultaneously crippling its core functionality.

This event serves as a stark warning about the fragility of decentralized anonymity networks and the pervasive threat of insecure IoT ecosystems. The scale of the Kimwolf botnet, built from millions of commoditized devices with default credentials, demonstrates the immense offensive power available to adversaries. For projects like I2P, mitigating such attacks is exceptionally challenging because of their open and permissionless nature, which is fundamental to their censorship-resistant design: any device that speaks the protocol can join. The long-term solution requires a multi-pronged approach. IoT manufacturers must be held to higher security standards, while anonymity network developers may need to explore more robust peer-admission and validation mechanisms that can resist large-scale Sybil attacks without compromising their core privacy guarantees.
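The following is an added illustration of the kind of peer-admission gate the previous paragraph alludes to; it is not I2P's code, and the page does not describe what mechanisms the project actually uses. It combines two cheap heuristics: a sliding-window throttle on join attempts from previously unseen router identities (once attempts exceed a multiple of the expected rate, only a small budget of newcomers is admitted per window), and a cap on how many routers one /24 may contribute. The class and method names, the thresholds, and the join-event stream (25 routers trickling in over ten minutes, then 3,000 in one minute, with one /24 reappearing every fifteenth event) are all constructed for this example.

```python
# Added example, not I2P project code. Names, thresholds and the event
# stream are constructed for illustration.
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
import ipaddress
import random


@dataclass(frozen=True)
class PeerJoin:
    ts: float        # seconds on a constructed timeline
    router_id: str   # opaque router identity (hypothetical)
    ip: str          # address the router advertises


class PeerAdmissionGate:
    """Two Sybil-resistance heuristics for the peer-discovery layer.

    1. Surge throttle: count join attempts from *unseen* identities in a
       sliding window; once the count exceeds surge_factor x the expected
       rate, admit at most surge_budget further newcomers per window.
    2. Prefix cap: hold no more than max_per_prefix routers from one /24.
    Already-known peers are never touched, so existing tunnels keep working.
    """

    def __init__(self, window_s=600.0, expected_new_per_window=30,
                 surge_factor=5.0, surge_budget=20, max_per_prefix=4):
        self.window_s = window_s
        self.surge_threshold = surge_factor * expected_new_per_window
        self.surge_budget = surge_budget
        self.max_per_prefix = max_per_prefix
        self.attempts = deque()       # ts of unseen-identity join attempts
        self.surge_admits = deque()   # ts of admissions granted while surged
        self.known = set()
        self.per_prefix = defaultdict(int)

    def _expire(self, dq, now):
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def in_surge(self, now):
        self._expire(self.attempts, now)
        return len(self.attempts) > self.surge_threshold

    def observe(self, join):
        if join.router_id in self.known:
            return "ok_known"
        now = join.ts
        self._expire(self.attempts, now)
        self.attempts.append(now)     # count the attempt even if we refuse it
        prefix = ipaddress.ip_network(f"{join.ip}/24", strict=False)
        if self.per_prefix[prefix] >= self.max_per_prefix:
            return "reject_prefix_cap"
        if len(self.attempts) > self.surge_threshold:
            self._expire(self.surge_admits, now)
            if len(self.surge_admits) >= self.surge_budget:
                return "reject_surge_budget"
            self.surge_admits.append(now)
        self.known.add(join.router_id)
        self.per_prefix[prefix] += 1
        return "ok_new"


CLUSTER_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # documentation range, constructed


def constructed_stream(seed=7):
    """25 routers over 10 minutes, then 3000 routers in 60 seconds."""
    rng = random.Random(seed)
    quiet = [PeerJoin(i * 24.0, f"r{i}",
                      f"{50 + i}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}")
             for i in range(25)]
    flood = []
    for j in range(3000):
        if j % 15 == 0:   # one /24 keeps reappearing
            ip = f"203.0.113.{rng.randrange(1, 255)}"
        else:             # otherwise spread across many consumer-looking /24s
            ip = f"{100 + rng.randrange(100)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        flood.append(PeerJoin(600.0 + 0.02 * j, f"bot{j}", ip))
    return quiet, flood


def run_demo():
    gate = PeerAdmissionGate()
    quiet, flood = constructed_stream()
    phase1 = Counter(gate.observe(e) for e in quiet)
    phase2 = Counter(gate.observe(e) for e in flood)
    rejoin = gate.observe(PeerJoin(661.0, "r0", "50.1.2.3"))   # known peer returns
    return {
        "phase1": dict(phase1),
        "phase2": dict(phase2),
        "cluster_admitted": gate.per_prefix[CLUSTER_PREFIX],
        "in_surge_at_end": gate.in_surge(661.0),
        "rejoin": rejoin,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the constructed run, all 25 quiet-phase routers are admitted, the flood trips the surge throttle after roughly 125 attempts, the reused /24 is held to four routers, and fewer than 150 of the 3,000 flood routers get in while the known peer reconnects unhindered. The prefix cap is deliberately the weaker of the two checks: a botnet built from millions of residential devices is spread across a huge number of /24s, which is why the throttle counts identities rather than addresses. Both heuristics also trade openness for resilience, which is exactly the tension the paragraph above describes, so the budget would need tuning against the network's normal churn before deployment.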
