A botnet just fired 1.7 billion DDoS commands in 72 hours. Attack capacity: nearly 30 Terabits per second. 2 million Android TV boxes sitting in living rooms across 222 countries and regions. And now we know how the attackers built it so fast.

The attackers didn't send phishing emails. They didn't trick anyone into downloading malware. They just bought access to a proxy service and walked right into home networks.

A few weeks ago, I wrote about Kimwolf and how massive this botnet has become. But researchers just revealed something even more disturbing: how they did it.

Between November 19 and 22, the botnet went crazy. It fired 1.7 billion DDoS attack commands in just three days, spraying attacks across the entire internet. Its control server briefly became the most visited domain on earth, surpassing Google in Cloudflare's global rankings. Researchers estimate its attack capacity at nearly 30 Terabits per second, and believe Kimwolf was behind the record-breaking 29.7 Tbps DDoS attack earlier this year.

Researchers found that 96% of the botnet's commands are for proxy services. The operators route criminal traffic through infected living room devices, and with 2 million endpoints, they're estimated to earn around $88,000 per month just from selling bandwidth.
Here's how it works.

Millions of phones and tablets run proxy apps, free VPNs, and cheap apps that promise something for nothing. What they actually do is turn the device into a relay. Other people pay to route their traffic through it, and the home IP address goes up for rent.

Normally, proxy services block requests to local network addresses like 192.168.1.1 (typically the router) and the other devices in the house.
But researchers found a hole. Attackers created domains that pointed to local addresses. The proxy service looked up the domain, got what looked like a normal IP, and forwarded the request straight into the home network.
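The hole above is a resolve-after-check bug: the proxy validates the literal target, then lets DNS pick the real destination. As an added illustration (not IPIDEA's code or the researchers' proof of concept; hostnames, addresses and the in-memory resolver are constructed for the example), here is the weak policy beside a hardened one that resolves first, rejects internal answers, and returns the pinned address the forwarder must actually connect to:

```python
import ipaddress
from typing import Callable, Optional

# Constructed stand-in for DNS so the example runs offline.
# A real forwarder would call socket.getaddrinfo here.
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "rebind.example": "192.168.1.1",  # public-looking name, private answer
}

def fake_resolve(host: str) -> Optional[str]:
    return FAKE_DNS.get(host)

def is_internal(ip: str) -> bool:
    """True for any address that must never be reachable through a residential proxy."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    cgnat = addr.version == 4 and addr in ipaddress.ip_network("100.64.0.0/10")
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified or cgnat)

def weak_allow(target: str) -> bool:
    """Flawed policy: only the literal target is checked; a hostname passes unchecked."""
    try:
        return not is_internal(target)
    except ValueError:
        return True  # hostname: DNS decides the real destination later

def hardened_allow(target: str,
                   resolve: Callable[[str], Optional[str]] = fake_resolve) -> Optional[str]:
    """Resolve first, validate the answer, and return the pinned IP (or None to refuse)."""
    try:
        ipaddress.ip_address(target)
        ip = target
    except ValueError:
        ip = resolve(target)
        if ip is None:
            return None
    return None if is_internal(ip) else ip
```

The forwarder has to connect to the returned address (sending the original hostname in the Host header), never re-resolve the name, or a second lookup can return a different answer than the one that was checked.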

Once inside, they scanned for targets. And they found plenty.
Android TV boxes ship with a feature called Android Debug Bridge enabled. ADB is meant for factory testing. It gives full control over the device: read memory, write files, install software. No password required.

These boxes are sold everywhere, on Amazon, Walmart, and AliExpress. They cost anywhere from $40 to $400. They promise free streaming. What they deliver is a wide-open door into the home network.
The attackers used the proxy tunnel to reach these devices. One command gave them full access, the malware was installed, and the device joined the botnet.

Infected models include:
- SuperBOX
- X96Q
- MX10
- TV BOX
- SmartTV
- Various no-name Android boxes
- Digital photo frames with the Uhale app

The proxy service exploited was IPIDEA, based in China. They claim 100 million endpoints. Researchers found two-thirds of their Android devices had no authentication at all.

IPIDEA patched the hole after researchers reported it. But by then, 2 million devices were already compromised.

The botnet uses DNS-over-TLS to hide its communication from traditional security tools. It obfuscates command server addresses with XOR, so even intercepted traffic shows the wrong destination. When researchers took down its servers, the operators switched to blockchain. They now store their real server addresses on Ethereum Name Service domains that are far harder to seize or block.
After one takedown attempt, the Kimwolf operators responded: "we have 100s of servers keep trying LOL!"

They weren't bluffing. They rebuilt from almost nothing to 2 million bots in days, just by exploiting the proxy vulnerability.

Think about this scenario. A friend visits, connects to the WiFi, and their phone has some free VPN installed. That phone is now a proxy node. The home IP address appears on a proxy marketplace, attackers tunnel through, find the Android TV box, and infect it. The friend leaves, but the infection stays.

Proxy apps punch holes, cheap devices have no security, and the combination is a disaster.

Signs a device might be infected:
- High network traffic for no reason
- Device running hot when idle
- Slower internet than usual
- Strange outbound connections

Synthient built a page to check if an IP address was seen in Kimwolf traffic: https://synthient.com/check

If a TV box matches one of these infected models, disconnect it. Not worth the risk.

This attack shows exactly why understanding home network security matters. I cover network fundamentals, how attackers find and exploit devices, and how traffic flows through systems in my ethical hacking course: https://www.udemy.com/course/ethical-hacking-complete-course-zero-to-expert/
