The College Student Who Helped Take Down a Two-Million-Device Botnet

Written by the Rafter Team

In March 2026, the US Department of Justice announced the disruption of Kimwolf — a botnet responsible for infecting over two million devices and issuing more than 25,000 attack commands. The announcement listed Synthient alongside 19 other private-sector firms credited for their assistance — including Akamai, AWS, Cloudflare, and Google.
Synthient was founded and run by Benjamin Brundage, a 22-year-old senior at Rochester Institute of Technology.
This is the story of how that happened — and what the botnet's hiding place tells us about the security of the devices in most people's homes.
What Kimwolf Was
A botnet is a network of devices under the control of an attacker. Most people picture servers or computers, but Kimwolf was built from something more mundane: cheap Android TV boxes, digital photo frames, and streaming sticks. The kind of hardware you can buy on Amazon for $40, plug in behind your television, and forget about.
At its peak, Kimwolf had enrolled more than two million of these devices in its network. They could be directed to flood websites and services with traffic — a distributed denial-of-service attack, or DDoS — or used to route malicious traffic through what looked like ordinary home internet connections.
That last part was the clever piece. By routing commands through residential proxy networks, Kimwolf's attacks appeared to come from household IP addresses rather than suspicious servers. This made them significantly harder to block and attribute.
The Open Door
The reason so many cheap Android devices were vulnerable comes down to a developer tool called ADB — Android Debug Bridge. ADB lets developers send commands directly to an Android device: install apps, read logs, access the filesystem. It's useful during development and testing.
The problem is that many cheap Android devices ship with ADB exposed on port 5555, accessible over the network. Connecting is a single command:
adb connect [device IP]:5555
No password. No authentication prompt. Once connected, you have full administrative access to the device.
Kimwolf's operators automated scanning for these open ports. When they found one, they connected and enrolled the device. The owner never knew. The device kept working — streaming video, displaying photos — while quietly participating in attacks.
The Residential Proxy Problem
Beyond the open ADB ports, Kimwolf exploited something less obvious: residential proxy services.
Residential proxies are legitimate services that route internet traffic through real home connections. They're used by businesses for market research, price monitoring, and testing region-specific content. But they require software to be installed on the devices providing the connections — and that software can be bundled into apps without users understanding what they've agreed to.
Brundage's company, Synthient, specialized in tracking exactly this kind of abuse. His investigation found that Kimwolf was using a service called IPIDEA as part of its infrastructure — a proxy network that security researchers suspect is a successor to 911 S5, a major residential proxy service the FBI had previously shut down for facilitating fraud.
The technique Kimwolf operators had developed was particularly unsettling: by manipulating DNS settings to point to private IP address ranges (the 192.168.x.x addresses on your home network), they could tunnel from a compromised device through a proxy network directly into the local networks those devices were connected to. Your streaming stick, enrolled in the botnet, became a gateway into your home network.
The Investigation
Brundage started tracking Kimwolf in October 2025, initially noticing infrastructure overlaps with a related botnet called Aisuru. He was a college student with a startup, working irregular hours, often waking at 4am to review data.
His research traced command infrastructure to a Utah-based company called Resi Rack and a German company called 3XK Tech GmbH — the latter previously identified by Cloudflare as the largest single source of application-layer DDoS traffic on the internet.
But technical analysis alone had limits. To understand how the network actually operated, Brundage did something that doesn't appear in most threat intelligence reports: he struck up conversations with people who had knowledge of the operation, through Discord.
The key to keeping those conversations going, he found, was keeping them casual. He asked technical questions, but he also sent memes. One in particular — a six-second GIF of a cat in a necktie — helped land a critical piece of information when a source was deciding whether to keep talking.
"It took me by surprise," he said.
When Synthient published its findings, the botnet operators responded by attacking Synthient's website and posting Brundage's personal information through Ethereum Name Service records — a tactic designed to intimidate. He kept publishing.
The Takedown
On March 19, 2026, the Justice Department announced a coordinated international disruption of four botnets: Aisuru, Kimwolf, JackSkid, and Mossad. Together, they had compromised over three million devices. Law enforcement actions in Canada and Germany were part of the operation.
Brundage's work — conducted from a college dorm room, without the resources of a major security firm — contributed to an operation that disrupted infrastructure behind record-breaking attacks.
What This Means for Your Devices
The Kimwolf story is often framed around Brundage, and his investigation is genuinely worth attention. But the more broadly relevant part is what the botnet was built from.
Two million devices. Mostly Android boxes and streaming sticks, sold through major retail channels, sitting on home and business networks. The vulnerability was not sophisticated: an open debug port, left on by default, that accepts connections without authentication.
These devices are still out there. The Kimwolf operators have been disrupted, but the hardware hasn't changed. Open ADB ports on cheap Android devices remain a real exposure — not just for botnet enrollment, but as a potential entry point into any network the device is connected to.
For individuals:
Check whether ADB is enabled on any Android streaming devices you own. On most devices, this is under Settings > Developer Options > USB Debugging. If you don't recognize why it would be enabled, it probably shouldn't be.
Consider network segmentation: a cheap streaming device doesn't need to be on the same network as your computers and phones. A guest network or separate VLAN limits the damage if a device is compromised.
For organizations:
Cheap Android devices on office or guest networks are a more significant risk than they might appear. They often sit on networks indefinitely without being included in asset inventories or security monitoring. A quick scan for open ADB ports (TCP 5555) across your network segments can tell you how many of these devices are present and whether they are sitting somewhere they shouldn't be.
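As an added example (not from the original article or from Synthient), here is a small Python sweep for the check recommended above: it attempts only a TCP handshake to port 5555 on each address in the ranges you pass, sends no ADB protocol messages, and lists the hosts that accept so they can be compared against an asset inventory. The ranges in the usage comment are placeholders.

```python
"""Sweep address ranges for hosts accepting TCP connections on the ADB port."""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

ADB_PORT = 5555  # default port for ADB over TCP, as described in the article


def port_is_open(host, port=ADB_PORT, timeout=1.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Only the handshake happens: no ADB messages are sent, so the device is
    not touched beyond what any ordinary port inventory tool would do.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def expand_targets(networks):
    """Turn CIDR strings or single addresses into a flat list of host strings."""
    hosts = []
    for net in networks:
        network = ipaddress.ip_network(net, strict=False)
        # /31 and /32 have no separate network/broadcast address to skip
        members = list(network) if network.num_addresses <= 2 else network.hosts()
        hosts.extend(str(h) for h in members)
    return hosts


def sweep(networks, port=ADB_PORT, timeout=1.0, workers=64):
    """Return the hosts in the given ranges with `port` open, sorted by address."""
    hosts = expand_targets(networks)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_is_open(h, port, timeout)), hosts))
    return sorted((h for h, is_open in results if is_open), key=ipaddress.ip_address)


if __name__ == "__main__":
    # usage: python adb_sweep.py 10.0.50.0/24 192.168.20.0/24  (placeholder ranges)
    ranges = sys.argv[1:] or ["192.168.1.0/24"]
    for host in sweep(ranges):
        print(f"{host}\tTCP/{ADB_PORT} open - verify against asset inventory")
```

Any host listed should be checked for whether it is a known device and whether network debugging is meant to be on; an open port alone does not confirm compromise.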
A Note on the Research
The Kimwolf investigation is a useful example of how effective threat intelligence often combines technical analysis with something more human: patient relationship-building, casual conversation, and the willingness to keep going when the subject of your research starts attacking you.
Brundage had no institutional backing. He had data, a startup, a Discord account, and good instincts about when to send a cat meme. That combination, alongside months of methodical work, contributed to one of the larger botnet takedowns in recent memory.