A 22-year-old college senior at the Rochester Institute of Technology has been credited with helping dismantle what internet security experts describe as the most powerful cyberweapon ever assembled—a botnet capable of knocking states or small countries offline. Benjamin Brundage spent months investigating the network, later named Kimwolf, which had grown to encompass approximately two million hacked devices. Tens of thousands of new compromised gadgets were being added to the botnet daily, according to researchers who tracked its expansion.

The investigation reads like a spy thriller. Brundage first connected with an anonymous insider on Discord who claimed to have knowledge of the network's operations. To maintain contact and build trust, Brundage sent periodic cat memes—including a six-second clip of a hand adjusting a necktie on a fluffy gray cat. The strategy worked. The anonymous source provided crucial technical details that helped Brundage and a team of industry researchers unravel the botnet's architecture.

## The Vulnerability at the Heart of the Network

The investigation traced Kimwolf's origins to a flaw in the residential proxy services of Ipidea, a China-based company. Residential proxy networks route internet traffic through consumer devices—phones, computers, smart TVs, and other connected gadgets—allowing customers to appear as if they are browsing from a genuine home address. These networks have legitimate uses for privacy protection and web scraping.

However, a bug in Ipidea's software allowed Kimwolf's operators to bypass existing safeguards and install their own proxy software directly on compromised devices. Once installed, the software could be used to launch distributed denial-of-service attacks while hiding behind the IP addresses of innocent device owners.
According to Brundage's detailed breakdown of his findings, the operators were paying for access to Ipidea's residential proxy devices and installing their own residential proxy software on them, which they could then direct to launch DDoS attacks. They then sold access to paying customers, effectively offering cybercrime as a service.

Brundage identified eleven residential proxy companies with similar vulnerabilities. On December 17, the day after completing his final exams, he sent emails to all of them explaining how to address the security flaw. Five days later, on December 22, he flew to Mexico for Christmas vacation. Ipidea responded on December 26, apologizing that Brundage's message had gone into their spam folder and stating they were working on a fix.

## The $30,000-a-Month Cyberweapon

Kimwolf's operators were spending approximately $30,000 per month to maintain the botnet—a figure that underscored its massive scale. The network primarily targeted Android-based devices, including digital picture frames, video-streaming systems, smartphones, and cameras. Many infected devices showed no obvious signs of compromise, leaving their owners unaware that their gadgets had been weaponized.

Researchers traced one attack to a digital picture frame from the brand Apofial, which had been sending hundreds of thousands of junk data packets before becoming part of the botnet. The incident illustrated how seemingly innocuous household devices could be turned into instruments of cyber warfare.

The botnet's growth was staggering. By late 2025, Kimwolf had ensnared approximately two million devices worldwide. Industry experts at the North American Network Operators' Group conference in Denver had been tracking the threat with growing alarm.
Nokia executive Craig Labovitz told attendees that the botnets were launching unprecedented DDoS attacks, including one assault on Cloudflare so massive that he compared it to the combined populations of the United Kingdom, Germany, and Spain all typing a website address and hitting "enter" in the same second.

## Record-Breaking Attack

In November 2025, Kimwolf and its sister botnet Aisuru launched what would become the largest distributed denial-of-service attack ever publicly disclosed. The assault peaked at 31.4 terabits per second (Tbps) and lasted just 35 seconds, according to Cloudflare's Q4 2025 DDoS Threat Report. The company automatically detected and neutralized the attack before any human alerts were triggered.

The campaign, dubbed "The Night Before Christmas," targeted telecommunications providers, IT organizations, and Cloudflare's own dashboard infrastructure on December 19, 2025. It combined hyper-volumetric HTTP DDoS attacks exceeding 200 million requests per second with Layer 4 attacks peaking at the record-setting 31.4 Tbps. The same botnet infrastructure had previously launched a 29.7 Tbps attack—the previous record holder—and a 15.72 Tbps assault on Microsoft.

In 2025, Cloudflare recorded a 121 percent increase in DDoS incidents compared to the previous year, totaling 47.1 million unique attacks.

## Takedown and Aftermath

In January 2026, Google used a U.S. court order to seize 13 of Ipidea's business domains and shut down dozens of servers used to operate its residential proxy network. Then, on March 19, federal authorities from the United States, Germany, and Canada announced they had disrupted four of the world's largest DDoS botnets—Aisuru, Kimwolf, JackSkid, and Mossad—which together had infected more than three million devices globally. The operation targeted the command-and-control infrastructure used by these networks.
Court documents revealed that Kimwolf had issued more than 25,000 DDoS attack commands, while Aisuru issued over 200,000, JackSkid launched more than 90,000, and Mossad more than 1,000. The botnets targeted devices traditionally "firewalled" from the rest of the internet, including digital video recorders, web cameras, and WiFi routers.

The Department of Justice thanked Brundage's company, Synthient, among other contributors for its role in the investigation. U.S. Attorney Michael J. Heyman stated that "the United States is steadfast in our commitment to safeguarding critical internet infrastructure and fighting the cybercriminals who jeopardize its security, wherever they might live."

All four dismantled botnets were variants of the infamous Mirai botnet, which first emerged in 2016 and famously took down major portions of the U.S. internet by attacking the domain-name provider Dyn.

## The Ongoing Threat

Despite the takedown, cybersecurity researchers warn that the underlying vulnerabilities persist. Residential proxy networks continue to operate, and the techniques developed by Kimwolf's operators have likely been replicated or improved upon by other cybercriminal groups.

Chad Seaman, a security researcher at Akamai, noted that botnet operators have become increasingly sophisticated, moving command-and-control servers to the Ethereum blockchain to prevent hijacking. "It's a cat-and-mouse game," he said. "Dismantling one botnet often leads to the rise of others."

Kimwolf is now described as a shadow of its former self, with approximately 30,000 machines active at any given time—down from the two million at its peak. Yet the case has highlighted how consumer IoT devices can be weaponized at scale, often without their owners' knowledge, and how a single motivated researcher can make a difference in disrupting major cyber threats.
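The two behaviours the article describes, a picture frame blasting junk packets at one target and a consumer device quietly relaying proxy customers' traffic to many unrelated hosts, both leave a footprint in outbound flow records that a home or small-office router can export even when the device itself shows no sign of compromise. The script below is an added example written for this page, not code from Synthient, Cloudflare, or any of the researchers named above. The device inventory, the 60-second window of flow records, and the thresholds are all constructed for the demonstration; a real deployment would read NetFlow/IPFIX or conntrack exports and tune the thresholds per device class.

```python
"""Flag LAN devices whose outbound flows look like DDoS participation
(one very high-rate flow) or residential-proxy relaying (many small
flows to unrelated hosts).

Added example for this article; not code from the page or from any
vendor it names. All records and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # LAN device address
    dst: str        # remote address
    dport: int
    proto: str      # "tcp" or "udp"
    packets: int
    nbytes: int
    window_s: int   # length of the aggregation window in seconds


# Constructed inventory: a picture frame should talk to a handful of
# vendor endpoints and never push hundreds of thousands of packets.
INVENTORY = {
    "192.168.1.20": "picture-frame",
    "192.168.1.21": "laptop",
    "192.168.1.22": "smart-tv",
}

# Constructed 60-second window of flows (hypothetical addresses).
SAMPLE_FLOWS = [
    # laptop: ordinary browsing, two long-lived TLS sessions
    Flow("192.168.1.21", "142.250.74.14", 443, "tcp", 420, 310_000, 60),
    Flow("192.168.1.21", "104.16.132.229", 443, "tcp", 180, 95_000, 60),
    # picture frame: one UDP flood toward a single target plus normal check-in
    Flow("192.168.1.20", "203.0.113.7", 443, "udp", 480_000, 51_000_000, 60),
    Flow("192.168.1.20", "198.51.100.2", 443, "tcp", 30, 12_000, 60),
] + [
    # smart TV: sixty small sessions to sixty unrelated hosts in one minute,
    # the shape of a device relaying other people's proxy traffic
    Flow("192.168.1.22", f"198.51.100.{i}", 443, "tcp", 25, 18_000, 60)
    for i in range(3, 63)
]

# Thresholds are illustrative; tune per device class in practice.
PPS_FLOOD_THRESHOLD = 2_000   # packets/sec to one destination
FANOUT_THRESHOLD = 40         # distinct destinations per window
FANOUT_MAX_PKTS = 100         # "small" flow: relayed request, not a stream


def analyze(flows, inventory):
    """Return (device, device_kind, finding_type, detail) tuples."""
    per_dev = defaultdict(list)
    for f in flows:
        per_dev[f.src].append(f)

    findings = []
    for dev, fl in sorted(per_dev.items()):
        kind = inventory.get(dev, "unknown")

        # DDoS participation: sustained high packet rate to a single host.
        for f in fl:
            pps = f.packets / f.window_s
            if pps >= PPS_FLOOD_THRESHOLD:
                findings.append((dev, kind, "flood",
                                 f"{f.proto}/{f.dport} -> {f.dst} at {pps:.0f} pps"))

        # Proxy relaying: many distinct remote hosts, each with a small flow.
        small = [f for f in fl if f.packets <= FANOUT_MAX_PKTS]
        dests = {f.dst for f in small}
        if len(dests) >= FANOUT_THRESHOLD:
            findings.append((dev, kind, "fanout",
                             f"{len(dests)} distinct destinations with small flows"))
    return findings


if __name__ == "__main__":
    for dev, kind, ftype, detail in analyze(SAMPLE_FLOWS, INVENTORY):
        print(f"{dev} ({kind}): {ftype}: {detail}")
```

On the constructed window the laptop is clean, the picture frame is flagged as a flood participant (8,000 packets per second to one host), and the smart TV is flagged for fan-out. The fan-out heuristic is the one that matters for a relay that is not currently attacking anyone: a residential proxy node looks like a device with an implausibly wide set of short conversations, which a flow collector can see long before any DDoS command arrives.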
Brundage, who began his journey during the pandemic by learning to build modifications for Minecraft and later found bugs in Dutch government websites through bug bounty programs, has since founded Synthient to help companies identify and defend against such threats. Industry watchers note that the young researcher may receive formal recognition from federal authorities for his contribution to one of the largest cybersecurity investigations in recent history.
College Student Uncovers World's Largest DDoS Weapon: 2 Million Hacked Devices
A 22-year-old college student helped uncover the world's largest DDoS botnet with 2 million hacked devices that launched record-breaking cyberattacks.