19 May 2026
– The underlying forces that enabled Kimwolf to spiral out of control
Back in the day, infrastructure and content providers developed viable mechanisms to keep their infrastructure protected from unwanted and malicious traffic. The basic mechanism was, and still is, to identify which network addresses and providers were sourcing undesired traffic and to block that activity. The effort also involves identifying the abusers and fighting them by both technical and legal means.
Convincing “grey providers” that their behavior was not widely recognized as acceptable, much like a teacher supervising a break in kindergarten, allowed us for some decades to enjoy a delicate balance between an open and unrestricted Internet and being mistreated by cybercrime.
There has always been a tension between regulation and legal enforcement on one side and the beauty of mutual respect and co-responsibility on the Internet on the other. Those not so young might remember the times when enforcement was a matter of “netiquette”.
With the rapid expansion of VPN providers more than a decade ago, content providers like Qurium were forced to improve their detection mechanisms to keep abusers away. Most VPN providers operated from datacenters, and it was possible to map abusive behavior to somewhat stable infrastructure.
In the past decades we have witnessed how “VPN offerings” have tampered with every viable mechanism to flag malicious behavior: rotating IP addresses, tampering with geographical information, registering providers in offshore jurisdictions, operating dozens of brands, leasing IP space in and out, and so on. When it comes to abuse, there are always some smart entrepreneurs investing time to discover new ways to enable cybercrime. After all, that is where the most money is.
The last round of innovation came from “residential proxies”, VPN providers that use computing power not strictly located in datacenters. Historically, residential proxies have gained access to thousands if not millions of addresses using all sorts of creative mechanisms, from embedding their code into mobile applications to creating a marketplace of proxy suppliers. Residential providers claim that millions of users have consented to offer their Internet connection for the greater good of the Internet.
In an unsurprising move over the past years, residential proxy providers have successfully split the service offering from the activity of obtaining the proxies themselves. After all, device harvesting remains the most questionable practice in the whole industry. Policy language was also added across the industry, with know-your-customer practices that are flawed by design.
The reality is that residential proxies are the largest security challenge we are currently facing. Dozens of attacks against our infrastructure have originated from residential proxy providers, including volumetric application-layer attacks, heavy pen tests, intrusion attempts and non-consented scraping. When we managed to trace the attacks back to the residential providers, which included for example Rapidseed Box, Bright Data (Luminati), Rayobyte, Plain Proxies, Oxylabs and Fine Proxy, we obtained a similar response to our reports: “thanks for reporting, we are ethical providers, leave us alone”.
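To make the classic mechanism described above concrete, and to show why it stops working against residential proxies, here is an added example in Python. It is not Qurium's code or tooling. It assumes a constructed prefix-to-provider table standing in for a real ASN/WHOIS lookup, constructed log lines in RFC 5737 documentation address ranges, and hypothetical provider names. The same abusive traffic volume is fed through twice: once from a few datacenter VPN exits, once dispersed over many residential addresses. The per-address and per-provider thresholds catch the first case and miss the second entirely, which is the detection gap the text describes.

```python
"""Added example (not Qurium's code): per-address and per-provider blocking,
and why residential proxies slip under it."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed prefix-to-provider table (stand-in for an ASN/WHOIS lookup).
# Prefixes are RFC 5737 documentation ranges; provider names are hypothetical.
PROVIDER_PREFIXES = {
    "198.51.100.0/24": "ExampleVPN-DC",   # hypothetical datacenter VPN provider
    "203.0.113.0/26": "Example-ISP-A",    # hypothetical consumer ISPs
    "203.0.113.64/26": "Example-ISP-B",
    "203.0.113.128/26": "Example-ISP-C",
    "203.0.113.192/26": "Example-ISP-D",
}
NETWORKS = [(ipaddress.ip_network(p), n) for p, n in PROVIDER_PREFIXES.items()]

# Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def provider_for(ip: str) -> str:
    """Map a source address to its provider via the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    for net, name in NETWORKS:
        if addr in net:
            return name
    return "unknown"


def parse_line(line: str):
    """Parse one access-log line; return None for malformed input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "req": m["req"], "status": int(m["status"])}


def summarize(lines):
    """Requests per source IP, plus distinct IPs and request totals per provider."""
    per_ip = Counter()
    ips_by_provider = defaultdict(set)
    reqs_by_provider = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole run
        prov = provider_for(rec["ip"])
        per_ip[rec["ip"]] += 1
        ips_by_provider[prov].add(rec["ip"])
        reqs_by_provider[prov] += 1
    return per_ip, ips_by_provider, reqs_by_provider


def blocklist(lines, ip_threshold=5, provider_threshold=20):
    """The classic mechanism: block addresses and providers above a request threshold."""
    per_ip, _, reqs_by_provider = summarize(lines)
    ips = sorted(ip for ip, n in per_ip.items() if n >= ip_threshold)
    providers = sorted(p for p, n in reqs_by_provider.items() if n >= provider_threshold)
    return ips, providers


def requests_per_ip_by_provider(lines):
    """Average requests per distinct source address, per provider. Datacenter
    abuse concentrates (few IPs, many requests each); residential-proxy abuse
    disperses (many IPs, about one request each) and stays under every threshold."""
    _, ips_by_provider, reqs_by_provider = summarize(lines)
    return {p: reqs_by_provider[p] / len(ips) for p, ips in ips_by_provider.items()}


def make_log(ip: str, n: int) -> list:
    """Constructed sample log lines: n requests from ip to the same path."""
    return [f'{ip} - - [19/May/2026:10:00:{i:02d} +0000] "GET /login HTTP/1.1" 401 512'
            for i in range(n)]


# Scenario 1 (constructed): datacenter VPN, 3 exit addresses, 8 requests each.
DATACENTER_LOG = [l for i in (10, 11, 12) for l in make_log(f"198.51.100.{i}", 8)]
# Scenario 2 (constructed): the same 24 requests from 24 different residential
# addresses spread over four consumer ISPs, one request per address.
RESIDENTIAL_LOG = [l for i in range(24) for l in make_log(f"203.0.113.{i * 10 + 5}", 1)]

if __name__ == "__main__":
    for name, log in (("datacenter", DATACENTER_LOG), ("residential", RESIDENTIAL_LOG)):
        ips, provs = blocklist(log)
        print(f"{name}: blocked IPs={ips} blocked providers={provs}")
    print(requests_per_ip_by_provider(DATACENTER_LOG + RESIDENTIAL_LOG))
```

Run stand-alone, the datacenter scenario yields three blocked addresses and one blocked provider, while the residential scenario with identical volume yields nothing, and the per-provider ratio (8.0 requests per address versus 1.0) is the only signal left. A real deployment would replace the prefix table with an ASN feed and add shared-fingerprint correlation across providers, since per-source thresholds alone cannot attribute dispersed traffic.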
Kimwolf, a warning for the future to come.
The reader might remember how Mirai, a botnet created ten years ago by Paras Jha and his friends Josiah White and Dalton Norman, was built mostly by compromising vulnerable routers and improving their existing botnet (Qbot). In a smart move to dodge accountability, Anna-senpai (Jha) dumped the code of Mirai so that others could run their own version. For their wrongdoing the trio got 5 years of probation but no prison.
Kimwolf shares many elements with Mirai and is the latest example of what happens when people with enough free time discover that they can both have fun and make money by taking over someone else’s infrastructure. In this case, Kimwolf took over parts of the infrastructure of IPIDEA, a Chinese supplier of proxies widely used by cybercriminals.
The youngsters in question (aka Dort, Zerlokk and Snow), full of racist and homophobic hormones, included Jacob Butler, Oliver Bates (Canada) and Philip (Germany). We hope that they will not join the large list of FBI collaborators who make a deal with the FBI (like in the movies) and get away with “community work”. The Mirai trio got away with 11 months of “community work” – no prison. What message does such an arrangement send to future cybercriminals?
Kimwolf and its older sibling Aisuru became known to us in November 2025, when we analyzed several denial-of-service attacks targeting independent media websites.
It turned out that Kimwolf was built by taking advantage of the infrastructure offered by IPIDEA, a Chinese proxy provider that built its pool of addresses by embedding code in millions of uncertified Android devices and by adding addresses from the BADBOX 2.0 botnet.
Our creative youngsters discovered several means of using IPIDEA to gain access to more devices for their own proxy network. As things went out of control, several industry actors including Google decided to take action and disrupt several elements of IPIDEA, including its brands: 360Proxy, 922Proxy, ABC Proxy, Cherry Proxy, IP2World, IPidea.io, LunaProxy, PIA S5 Proxy, PyProxy, and TabProxy.
Unfortunately, the future does not look very promising given the wild marketplace for residential proxies. While great efforts are currently being made to map the ecosystem technically, the main challenge remains: how will we be able to detect and attribute abusive behavior online? One thing is assured: many will have to suffer the effects of a wild wide web.
This is not about Kimwolf
Hundreds of pages and dozens of reports have been written about Kimwolf. Not surprisingly, every time a denial-of-service attack breaks a traffic volume record a new headline is made: record-breaking botnet, largest botnet in human history, and so on.
What’s more interesting isn’t the capabilities of the KimWolf botnet, but what it represents: a visible tipping point. Kimwolf is what happens when a fragmented, compromised ecosystem finally spirals out of control. It wasn’t a surprise; it was inevitable.
We will try to summarize it.
It started quietly, almost invisibly, back in 2016, when the Triada malware surfaced: a piece of malware so deeply embedded that it didn’t just infect apps, it lived inside the Android operating system itself. At first, it was just a clever trick: persistent access, silent installs, a foothold no user could see. But like the first turn of a spiral, it set something in motion.
From 2019 to 2023, that spiral widened. Chinese operations like Lemon Group realized the real power wasn’t in hacking devices; it was in selling them already compromised. Factory lines became infection points. Cheap Android boxes and phones left warehouses not just as products, but as assets. Ads were injected, clicks were faked, traffic was quietly routed. Money flowed. The system worked, and no wonder Google and others worried about the stolen advertising revenue.
Then came the industrial phase. Around 2022, the ecosystem crystallized into what became known as BADBOX, and soon after, BADBOX 2.0 (2023–2025). During this period multiple attempts, both legal and technical, were made to shut down the infrastructure. They failed.
But BADBOX wasn’t just one group; it was a marketplace. Different players took roles: LongTV handled preinstalled launchers and command channels, SalesTracker-style affiliates pushed monetization schemes, and proxy operators like IPMOYU turned devices into residential exit nodes. It was messy, but controlled like a black-market economy with its own rules. The spiral was still tightening, but it hadn’t broken.
And then, late 2025.
That’s when the system slipped.
Not because the original operators lost interest but because others found the door. The same backdoors, SDK hooks, exposed services, smart DNS tricks and weak update paths that made the ecosystem profitable also made it accessible. And this time, it wasn’t organized syndicates stepping in.
A wave of smaller actors began tapping into the same exposed ecosystem: loosely coordinated, opportunistic, sometimes just technically savvy kids who realized the hard work had already been done for them. They weren’t building botnets from scratch; they were discovering an already-compromised planet of devices and figuring out how to bend it to their own use.
Botnets like Aisuru, KimWolf and JackSkid didn’t build this world; they inherited it. Or more accurately, they broke into it. Leveraging infrastructure tied to the residential proxy provider IPIDEA, they began to repurpose the same devices, this time no longer just for ad fraud or quiet proxying, but for loud, aggressive DDoS attacks.
That’s when the spiral snapped.
What had once been a semi-coordinated ecosystem, built for profit and optimized for stealth, turned into something chaotic. Multiple actors, overlapping control, competing uses. Devices caught in the middle, switching roles depending on who reached them first. A supply chain turned battlefield.
In the end, this isn’t the story of a single group or a single malware strain. It’s the story of how a tightly controlled grey-market ecosystem, born in the Chinese manufacturing and software supply chain, spun outward until it lost control of itself. Triada started the motion. Lemon Group, IpMoYu and BADBOX scaled it. But by late 2025, the spiral had widened so far that anyone with the skill and the curiosity could step in and take a piece.
Take the KimWolf botnet as an example. Its operators didn’t just use the botnet for attacks; they monetized it by plugging into the same proxy economy that had grown out of that ecosystem. On infected devices, investigators found SDK-style components consistent with frameworks like ByteConnect, effectively turning those machines into proxy nodes. ByteConnect acts as a proxy enabler: it provides the mechanism to enroll devices, route traffic, and expose them for resale.
That’s where the loop closes: those proxy nodes can then surface in commercial networks such as Plain Proxies, appearing as ordinary residential proxy services. What looks like a clean, legitimate product on the outside is, underneath, powered by the same compromised device pool. The spiral completes itself: malware becomes infrastructure, infrastructure becomes a product, and new actors simply plug in and profit.
Appendix
Much of the research on botnets, proxy networks, and Android malware ecosystems presented in this article exists in isolation. The information is spread across court filings, vendor reports, and independent investigations.
The table below brings these threads together. It correlates:
- FBI and DOJ disclosures on Mirai-based botnets (Aisuru, KimWolf, JackSkid, Mossad)
- Industry research from Nokia Deepfield, XLab, Google, and others
- Investigative reporting (notably KrebsOnSecurity) on Triada, BADBOX, and related supply-chain activity.
The goal of this effort is to surface structural relationships including:
- How DDoS botnets interact with proxy monetization layers
- How Android supply-chain malware feeds into those ecosystems
- Where infrastructure, tooling, or actors appear to overlap
| Family/Service | Dates | Type | Actors/Handles | Real Identities/Entities | Infra/Providers | Relationship/Notes | References |
|---|---|---|---|---|---|---|---|
| Triada (early) | 2016- | Android malware platform | Yehuo; Blazefire (reported) | Chinese supply-chain vendor (unnamed) | Firmware/system partition; Zygote injection | Root Android backdoor; foundation for later supply-chain abuse | 10;11;14 |
| Triada (supply-chain) | 2017-2019 | Preinstalled malware | Yehuo; Blazefire | Chinese OEM/vendor ecosystem | Preinstalled on low-cost Android devices | Shift to supply-chain compromise model | 10;11 |
| Triada (system backdoor) | 2019- | Persistent loader | Same actors (assumed continuity) | Chinese-linked vendor ecosystem | System partition persistence | Loader platform enabling BADBOX | 10;11;14 |
| BADBOX 1.0 | 2023-2024 | Android fraud/proxy botnet | SalesTracker Group; MoYu Group; Lemon Group | | Backdoored Android TV/AOSP devices; C2 servers | Triada-derived loader; proxy + ad fraud | 7;8;9 |
| BADBOX 2.0 | 2025- | Expanded fraud/proxy botnet | SalesTracker; MoYu; Lemon; LongTV; Does 1–25 (Google lawsuit) | | Global Android devices; proxy infra; malicious apps | Evolution of BADBOX; millions of devices; proxy monetization | 7;8;9;15 |
| AstroLink (BADBOX 2.0) | ~2024- | Infra/business entity | | Beijing Astrolink Wireless Digital Technology Co. Ltd.; Chen Daihai; Guilin Huang; Zhu Zhiyu | Hosting; backend infra; supply chain; IPIDEA Proxy | Krebs-attributed BADBOX-linked entity; OSINT attribution | 16 |
| Aisuru | 2024-2026 | DDoS botnet | Forky; Snow | Snow = Philip (Germany); Forky (Brazil, believed) | DNS TXT C2; IoT DVRs; VPS | Core Mirai-derived botnet; overlaps KimWolf/JackSkid | 1;2;3 |
| KimWolf | 2025-2026 | DDoS + proxy botnet | Snow/Lucy; Dort; Zerlokk | Philip (DE); Jacob Butler (CA); Oliver Bates/OliKing800 (CA) | DigitalOcean; multi-stage C2; NL backend; IPIDEA overlap; ByteConnect SDK | Bridge between DDoS and proxy ecosystems; residential proxy use | 1;2;4;12 |
| JackSkid (RCtea) | 2025-2026 | DDoS botnet | JackSkid | | Gen XYZ; Namecheap; Verisign domains | Shares infra with Aisuru; domain-based C2 | 1;2;3 |
| Mossad/MossadProxy | 2026 | DDoS botnet | Snow | Philip (Germany) | Verisign domains; RU hosting | Likely Snow fork after split with KimWolf partners | 1;2;3 |
| Cecilio | 2026 | DDoS botnet (adjacent) | | | OpenNIC/custom C2 | Related ecosystem per Nokia; not core DOJ target | 3 |
| RapperBot | 2021-2025 | DDoS-for-hire botnet | | Ethan Foltz (USA) | IoT botnet infra | Competitor/collaborator with Aisuru; code lineage influence | 1;13 |
| IPIDEA | 2024-2026 | Residential proxy network | | China-based proxy ecosystem | Proxy SDKs; VPN apps; backend infra | Used by 550+ threat groups; overlaps BADBOX/KimWolf ecosystems | 5;6;12 |
| ByteConnect | 2025-2026 | Proxy SDK | ByteConnect (brand); Plain Proxies (service) | Nir Levi; Triple Hitch Tech Ltd.; company relation: 1xK Beteiligungsgesellschaft mbH; Friedrich Kräft | SDK embedded in apps/devices | Used in KimWolf nodes; distributed via proxy ecosystem | 4;12 |
| PlainProxies | 2025-2026 | Proxy provider | | Proxy business entity; Friedrich Kräft | Residential/datacenter proxy network | Linked to ByteConnect distribution; proxy monetization layer | 12;16 |
| Maskify | 2026 | Proxy/DDoS service | Maskify (brand) | | Web panel; rented infra | Service layer selling proxy/botnet access | 12;16 |
| 3XK Tech GmbH | 2026 | Company (OSINT context) | | German company connected with Plain Proxies | Business/proxy ecosystem | Appears in Krebs and Qurium research cluster | 16 |
| ResHydra (Android Device Ecosystem) | 2024- | Android device ecosystem (proxy + botnet supply) | Vo1d; Bigpanzi; Pandora; Keenadu | | Cheap Android TV / AOSP devices; firmware backdoors; ADB exposure; residential IP pools | Nokia Deepfield describes “ResHydra” as a shared pool of compromised residential devices | 3;4;10;14 |

References
[1] FBI / DCIS Affidavit – Seizure of Botnet Infrastructure (Aisuru, KimWolf, JackSkid, Mossad)
https://www.justice.gov/ (Filed case: 3:26-mj-00134-MMS – District of Alaska)
[2] U.S. Department of Justice – Authorities Disrupt World’s Largest IoT DDoS Botnets Responsible for Record-Breaking Attacks
https://www.justice.gov/usao-ak/pr/authorities-disrupt-worlds-largest-iot-ddos-botnets-responsible-record-breaking-attacks
[3] Nokia Deepfield – Breaking a Botnet DDoS Enigma Code
https://www.nokia.com/blog/breaking-a-botnet-ddos-enigma-code/ | https://github.com/deepfield
[4] XLab (Qianxin) – KimWolf Botnet Analysis Report
https://blog.xlab.qianxin.com/kimwolf-botnet-en/
[5] Synthient – A Broken System Fueling Botnets
https://synthient.com/blog/a-broken-system-fueling-botnets
[6] Google Threat Intelligence – Disrupting the Largest Residential Proxy Network (IPIDEA)
https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network
[7] FBI – Home Internet-Connected Devices Facilitate Criminal Activity (BADBOX 2.0 PSA)
https://www.fbi.gov/investigate/cyber/alerts/2025/home-internet-connected-devices-facilitate-criminal-activity
[8] HUMAN Security – Satori Threat Intelligence: Disruption of BADBOX 2.0
https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/
[9] Google – Taking Legal Action Against the BADBOX 2.0 Botnet
https://blog.google/innovation-and-ai/technology/safety-security/google-taking-legal-action-against-the-badbox-20-botnet/
[10] KrebsOnSecurity – Triada Malware (Tag Archive)
https://krebsonsecurity.com/tag/triada-malware/
[11] KrebsOnSecurity – Tracing the Supply Chain Attack on Android
https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/
[12] The Hacker News – Google Disrupts IPIDEA, One of the World’s Largest Residential Proxy Networks
https://thehackernews.com/2026/01/google-disrupts-ipidea-one-of-worlds.html
[13] U.S. Department of Justice – Oregon Man Charged for Administering RapperBot DDoS-for-Hire Botnet
https://www.justice.gov/usao-ak/pr/oregon-man-charged-administering-rapper-bot-ddos-hire-botnet
[14] Kaspersky – The Rise of the Triada Malware
https://www.kaspersky.com/blog/rise-of-the-triada/
[15] HUMAN Security / Partners – BADBOX 2.0 Industry Collaboration (includes Trend Micro participation)
https://www.humansecurity.com/learn/blog/satori-threat-intelligence-disruption-badbox-2-0/
[16] KrebsOnSecurity – Residential Proxies (Tag Archive; includes AstroLink, ByteConnect, PlainProxies research context)
https://krebsonsecurity.com/tag/residential-proxies/
