Gen Z uses a meme to uncover the world's largest botnet, saving two million devices from hacking

Autumn 2025 marked a turning point in global cybersecurity as a botnet known as Kimwolf quietly expanded from data centers to everyday consumer devices. The period saw a wave of distributed denial-of-service (DDoS) attacks, culminating in a major assault on a cloud service provider at year’s end. Researchers said the traffic volume was roughly equivalent to the combined populations of the UK, Germany, and Spain hitting a single site.

Security researchers traced the operation to Kimwolf, which blended residential proxy networks with malicious software. The botnet enabled attackers to recruit millions of ordinary devices—including Android phones, smart cameras, and inexpensive digital photo frames—into a data-fluxing army that device owners did not realize they had been enrolled into.

Cause: supply-chain compromise and proxy backdoor

Investigators traced Kimwolf’s control to a backdoor in a proxy service provider referred to in documents as Company A. Brundage and Big Pipes mapped the threat and determined that Kimwolf rented access to compromised devices and injected a control layer that turned about two million devices into a malicious army. Each day, the botnet absorbed tens of thousands of new victims, ranging from smart TVs to low-cost digital frames.

The investigation also identified a supply-chain vulnerability. By factory, more than ten million Android devices were reported to have been pre-installed with malicious software.

Development: investigation and escalation

The “unsung hero” behind the takedown was Benjamin Brundage, a 22-year-old student at the Rochester Institute of Technology. Brundage built a data blacklist company called Synthient in August 2025 and began a Discord-based data-search tool. In September, an anonymous account messaged him with gaps in his IP list and provided a string of images as proof. Instead of arguing, Brundage responded with a six-second animated cat meme, which reportedly lowered the hacker’s guard and helped open access to clues about a major vulnerability.

In November, Brundage loaded Company A’s software onto an Android phone to test the theory and confirmed it was a highly sophisticated backdoor. The joint investigation concluded that the malware spread through the supply-chain issue, with more than ten million Android devices already pre-installed with malicious software. In December, Brundage alerted eleven involved parties and urged rapid patching.

Data and key milestones

• August 2025: Brundage founded Synthient.
• September 2025: An anonymous account provided proof and gaps in an IP list via a Discord interaction.
• November 2025: Testing confirmed Company A software contained a sophisticated backdoor.
• Supply-chain scale: More than 10 million Android devices reportedly came pre-installed with malicious software by factory.
• December 2025: Brundage alerted 11 involved parties and urged rapid patching.
• January 2026: Google obtained a federal court order to seize 13 commercial domains and dozens of Company A servers.
• March 19, 2026: Federal authorities announced dismantling of Kimwolf along with three other major botnets.
• Device count change (Netscout data): From nearly 2 million compromised devices globally to roughly 30,000 remaining across the internet.

Impact: reduced botnet reach and protection of infrastructure

The dismantling of Kimwolf and related operations was described as a decisive step in protecting critical internet infrastructure from crippling attacks. Netscout data indicated the botnet’s footprint shrank from nearly two million compromised devices globally to roughly thirty thousand devices still operating across the internet.

Analysis: how the takedown began

The account emphasized that the downfall of a cybercriminal operation can start with unexpected, low-friction signals—such as a simple image—combined with follow-through by investigators, rather than relying only on high-powered defenses or large-scale intelligence operations.