DataDome

Inside Kimwolf Traffic: How Residential Proxies Fuel Credential Stuffing, Web Scraping, & Fraud

Last update: 10 Mar, 2026

In late 2025, a massive botnet called Aisuru began making headlines after launching some of the largest DDoS attacks ever recorded, peaking at 31.4 terabits per second. 

Within months, a specialized Android variant emerged: Kimwolf. This strain targets poorly secured IoT devices, including off-brand Android TV boxes, digital picture frames, and routers—turning them into nodes in a sprawling network of over 2 million compromised devices across 222 countries.

What makes Kimwolf particularly concerning is its dual-purpose design. Beyond raw DDoS firepower, the botnet monetizes infected devices as residential proxies, routing malicious traffic through legitimate-looking residential IP addresses. This proxy infrastructure fuels web scraping operations, credential stuffing campaigns, and other automated attacks at scale. Security researchers have linked this proxy network to data harvesting efforts tied to AI training projects, content scrapers, and fraud operations.

The botnet’s operators, who go by the handle “Dort,” have shown a willingness to push boundaries. In February 2026, they attempted to join 700,000 infected bots as nodes on the I2P anonymity network, accidentally crippling it, as I2P normally operates with just 15,000 to 20,000 active devices. This move was part of a broader effort to build a resilient command-and-control infrastructure that can survive takedown attempts.

Despite coordinated disruption efforts by Google, Cloudflare, and Lumen Technologies (which null-routed over 550 C2 addresses), the botnet continues to evolve, rapidly shifting its infrastructure and adapting its techniques.

DataDome’s Galileo threat research team investigated. Here’s what we found.

Detection & insights

Using internet scanning platforms, we identified devices exhibiting characteristics consistent with Kimwolf infection vectors. We then cross-referenced this list against traffic observed across the DataDome customer base.

Global distribution

The traffic originating from Kimwolf-linked IPs spans the globe, but with a clear concentration in Europe, particularly in France, Germany, and surrounding countries, where we observe the highest fingerprint counts by far. Smaller but notable clusters appear in the United States, South America (Brazil, Argentina, Colombia), the Middle East (Turkey, Iran, Saudi Arabia), and South/Southeast Asia (India, Thailand, Indonesia, the Philippines). Pockets of activity also reach Australia, South Africa, and East Asia.

This distribution differs somewhat from the botnet’s global infection footprint, which is heaviest in Brazil, India, and the US. The European concentration in our data reflects the geographic mix of DataDome’s customer base. This is where botnet traffic is actively hitting websites protected by DataDome. 

Figure: Distribution of Kimwolf-linked traffic across websites protected by DataDome

Infrastructure

The infrastructure behind this traffic reveals a telling pattern. The top two autonomous systems by volume are Serverius Holdings (a Dutch hosting provider) and Amazon (AWS)—both cloud/hosting environments commonly abused by botnets. Hetzner Online, another popular hosting provider, also features prominently.

But the data also shows significant traffic from residential ISPs, like Bouygues Telecom, Deutsche Telekom, Free SAS, SEWAN SAS, and others. This dual hosting-plus-residential pattern is a signature of Kimwolf’s operating model. The botnet simultaneously uses cloud infrastructure for high-volume operations while routing traffic through compromised residential devices to appear legitimate—exactly the proxy-based monetization strategy researchers have documented.

Adversary intent

Kimwolf-linked traffic hits a broad range of DataDome-protected customers. The targeted segments reveal a multi-layered attack strategy:

  • Web pages account for the overwhelming majority of requests, pointing to the dominant activity: large-scale scraping of product data, pricing information, or content
  • Login endpoints see significant activity, consistent with credential stuffing campaigns likely fueled by leaked credential databases
  • Forms and account creation pages are also targeted, suggesting automated registration and account fraud
  • Cart and payment endpoints see lower but meaningful volumes, indicating some operators are using the botnet infrastructure for payment fraud
  • Mobile APIs also receive traffic, showing the attackers aren’t limited to desktop web vectors

This diversity of targets aligns with what researchers have observed globally: Kimwolf’s proxy network is being rented out to multiple threat actors, each with their own goals, from data harvesters to fraudsters.

Adversary profile

The threat markers triggered by Kimwolf-linked traffic are highly revealing. The most frequently flagged signals are:

  • Network: The IPs are from known anonymization infrastructure and carry negative reputation scores from prior malicious activity. The traffic is routed through residential proxies with inconsistent geolocation relative to other signals.
  • Server-side: The bots claim to be standard browsers, but their actual fingerprints don’t match—a hallmark of spoofed identities. The TLS and headers signatures are anomalous, betraying the underlying automation infrastructure.
  • Client-side: A significant portion of the traffic shows markers of headless browsers or automated tools.
  • Behavioral: The traffic exhibits abnormal session patterns, including irregular navigation sequences, extreme request rates, and mid-session geolocation shifts consistent with proxy rotation.

This profile is remarkably consistent across virtually all Kimwolf-linked traffic, suggesting a uniform tooling stack, even if the end goals differ. The bots are sophisticated enough to attempt browser impersonation but not sophisticated enough to evade multi-layered fingerprinting.
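The signals listed above can be checked per session in a request log. The following is an added example written for this post, not DataDome's detection engine: it scores constructed sample records for three of the markers described (mid-session country changes consistent with proxy rotation, an extreme request rate, and a claimed browser whose TLS fingerprint family does not match), and flags sessions that carry more than one. The field names, the browser-to-TLS-family mapping and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample request records (not DataDome data), one per request.
# Fields: session id, timestamp in seconds, country resolved from the source IP,
# the browser the User-Agent claims, the TLS fingerprint family actually seen, path.
SAMPLE_LOG = [
    {"session": "s1", "ts": 0.0, "geo": "FR", "ua": "Chrome", "tls": "python-requests", "path": "/login"},
    {"session": "s1", "ts": 0.1, "geo": "FR", "ua": "Chrome", "tls": "python-requests", "path": "/login"},
    {"session": "s1", "ts": 0.2, "geo": "DE", "ua": "Chrome", "tls": "python-requests", "path": "/login"},
    {"session": "s1", "ts": 0.3, "geo": "BR", "ua": "Chrome", "tls": "python-requests", "path": "/login"},
    {"session": "s2", "ts": 0.0, "geo": "FR", "ua": "Chrome", "tls": "chrome", "path": "/"},
    {"session": "s2", "ts": 4.0, "geo": "FR", "ua": "Chrome", "tls": "chrome", "path": "/product/1"},
    {"session": "s2", "ts": 9.5, "geo": "FR", "ua": "Chrome", "tls": "chrome", "path": "/cart"},
    {"session": "s3", "ts": 0.0, "geo": "US", "ua": "Firefox", "tls": "firefox", "path": "/"},
    {"session": "s3", "ts": 2.0, "geo": "US", "ua": "Firefox", "tls": "firefox", "path": "/api/mobile/feed"},
    {"session": "s3", "ts": 2.5, "geo": "GB", "ua": "Firefox", "tls": "firefox", "path": "/login"},
]

# Assumed mapping from a claimed browser to the TLS fingerprint family it should present.
EXPECTED_TLS = {"Chrome": "chrome", "Firefox": "firefox", "Safari": "safari"}


def score_session(records, max_rps=5.0):
    """Return the set of Kimwolf-style signals observed in one session."""
    records = sorted(records, key=lambda r: r["ts"])
    signals = set()
    # Behavioral: the source country changes mid-session, consistent with proxy rotation.
    if len({r["geo"] for r in records}) > 1:
        signals.add("geo_shift")
    # Behavioral: request rate far above what a person clicking through pages produces.
    span = records[-1]["ts"] - records[0]["ts"]
    if len(records) > 1 and span > 0 and len(records) / span > max_rps:
        signals.add("high_rate")
    # Server-side: the claimed browser does not match the TLS fingerprint actually seen.
    if any(EXPECTED_TLS.get(r["ua"], r["tls"]) != r["tls"] for r in records):
        signals.add("fingerprint_mismatch")
    return signals


def flag_sessions(log, min_signals=2):
    """Group records by session and return those carrying at least min_signals."""
    by_session = defaultdict(list)
    for r in log:
        by_session[r["session"]].append(r)
    scored = {sid: score_session(recs) for sid, recs in by_session.items()}
    return {sid: s for sid, s in scored.items() if len(s) >= min_signals}


if __name__ == "__main__":
    for sid, signals in flag_sessions(SAMPLE_LOG).items():
        print(sid, sorted(signals))
```

Session s3 changes country once but is otherwise browser-consistent and slow, so it stays below the two-signal threshold; the combination of markers, not any one of them, is what separates s1.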

Detection of Kimwolf/Aisuru

DataDome detects and blocks Kimwolf/Aisuru botnet traffic. Our multi-layered detection engine, combining behavioral analysis, device fingerprinting, and IP reputation, identifies these requests regardless of whether the underlying infrastructure rotates, which is common with botnets that leverage both cloud hosting and residential proxy networks.

Protect your business from sophisticated botnets

The Kimwolf/Aisuru botnet represents one of the most significant bot threats to emerge in recent years. Its unprecedented DDoS capabilities made headlines, but the quieter threat—its residential proxy infrastructure fueling scraping, credential stuffing, and fraud—is what directly impacts online businesses.

Our investigation confirms that Kimwolf-linked traffic is actively targeting a wide range of industries, with web scraping and credential stuffing as the primary attack vectors. The botnet’s dual infrastructure model, combining cloud hosting with compromised residential devices, makes it particularly challenging for simple IP-based defenses.

DataDome’s multi-layered approach—analyzing browser consistency, device fingerprints, behavioral patterns, and IP reputation together—provides robust detection against this type of distributed, proxy-routed botnet traffic. 

As Kimwolf continues to evolve and adapt to takedown efforts, our detection engine continues to identify and block its traffic across our customer base. Run DataDome’s free Vulnerability Scan to ensure your site is properly protected against malicious AI agents and bad bots today.

Contributors: Sarah Belghiti, Kevin Mignot, Guenaelle De Julis
