On February 3, 2026, the I2P anonymity network was flooded with 700,000 hostile nodes, becoming one of the most devastating Sybil attacks ever experienced by an anonymity network. The network typically operates with 15,000 to 20,000 active devices. The attackers crushed it by a factor of 39 versus 1.
For three consecutive years, I2P has been hit by Sybil attacks every February. The 2023 and 2024 attacks used malicious floodfill routers and were not responsible. When the 2026 attack began, most assumed that it was the same state-sponsored operation continuing its annual disinformation campaign. The assumption was wrong.
The attacker was identified as the Kimwolf botnet, an IoT botnet that infected millions of devices, including streaming boxes and consumer routers, in late 2025. Kimwolf is the same operation behind the record-setting 31.4 terabit per second DDoS attack in December 2025. The operators admitted on Discord that they had accidentally disrupted I2P while attempting to use the network as a backup command-and-control infrastructure after more than 550 of their primary servers were destroyed by security researchers. C2 Server.
The I2P development team responded by shipping version 2.11.0 just six days after the attack began. The release includes hybrid ML-KEM plus X25519 post-quantum encryption enabled by default, making I2P one of the first production anonymity networks to ship post-quantum cryptography to all users. Additional Sybil mitigations, SAMv3 API upgrades, and infrastructure improvements were included.
<a href