alt.hn

2/22/2026 at 1:08:17 AM

A Botnet Accidentally Destroyed I2P

 https://www.sambent.com/a-botnet-accidentally-destroyed-i2p-the-full-story/

by Cider9986

2/22/2026 at 2:14:47 AM

This seems to lack the full story, despite the headline.. Krebs' coverage is more in-depth (39 points) https://news.ycombinator.com/item?id=46976825

by gnabgib

2/22/2026 at 7:40:04 AM

[dead]

by darig

2/22/2026 at 7:57:09 AM

[flagged]

by walletdrainer

2/22/2026 at 8:25:07 AM

Could you elaborate a bit? It’s hard to take such a claim seriously without any evidence presented.

by notpushkin

2/22/2026 at 8:40:58 AM

Every single person who has bought the phishing kit claims the seller is a scammer. Krebs’s article is based entirely on the sellers description of the (imaginary) product, rather than actual observation of the phishing kit in the wild.

See the exploit.in thread for example https://temp.sh/XOWUP/STARKILLER_V6.0.1___ULTIMATE_WEAPON__B...

Krebs has access to these forums, he could’ve checked this story out in less than 3 minutes but did not.

Even if Krebs wasn’t a subject matter expert, it’s still inexcusable that he didn’t do the most basic work here. You don’t need to frequent underground runet forums to know that a journalist should be able to verify the stories he puts out.

I think it’s also particularly telling that he didn’t bother to source reasonable quality screenshots for the story, which he would have been able to do had he ever witnessed this phishing kit working.

by walletdrainer

2/22/2026 at 9:36:01 AM

> Krebs’s article is based entirely on the sellers description of the (imaginary) product, rather than actual observation

I noticed. While researching I had a feeling of "is this just makeup on a pig?". Anyone can make pretty graphics or make claims. I tried reading a few selling points and I was weary.

One claimed to handle a MFA token handover and then somehow got access to the token and they could proxy it for you? The user types in the MFA token, they get the token. I cant figure out how they would bypass all browser protections to pass on the highly-secured token via a proxy. I've been online for 25 years, I understand on a deep level on the internet works and the web and what is happening in this situation, as I'm sure most here are.

Without a 0day, this just doesn't make sense. But this is pretty technical, and unless you hang out here then the above sounds perfectly reasonable but to us sounds like bullshit.

> he didn’t bother to source reasonable quality screenshots for the story

Also noted. Quickly found better quality versions myself with a quick search.

by pests

2/22/2026 at 8:10:40 AM

This is so odd. I tried to verify your claim and I give up. It might be but I really hate how information is becoming like this. There is other reporting out there on "Starkiller" (the phishing kit in kerbs most recent post) and I can find other articles on it, but sources seem to be circular. The source mentions Jinkusu forums, which do seem to be real, but any links I find aren't loading for me and still no conclusive findings of Starkiller.

by pests

2/22/2026 at 8:43:08 AM

https://temp.sh/XOWUP/STARKILLER_V6.0.1___ULTIMATE_WEAPON__B...

These forums are mostly private, but Krebs certainly has access to them. There can really be no excuse for how he handled this.

There are multiple posts by people in different places claiming to have bought this phishing kit, and then being delivered totally non-functional vibecoded garbage. The vibecoded garbage is not the advertised product though, as the author never managed to get the AI to finish his project.

by walletdrainer

2/22/2026 at 9:39:44 AM

I figured the forums were real, just was blocked for some reason so thanks.

I do not doubt this story for a second. Its crazy Kerb's is basically freely advertising this blackhat slop.

by pests

2/22/2026 at 9:44:18 AM

Krebs lack any sort of real credibility. He's pushing out slop with a govern-mentalist propaganda. Tech journalists are the worst form to gather any actual information.

by flipped

2/22/2026 at 11:13:07 AM

Krebs has some credibility in this space because he used to post well-informed takes on these topics, not stuff like this.

His record has never been flawless, but the guy actually put in the work to learn Russian to be able to read these forums. He just doesn’t anymore.

by walletdrainer

2/22/2026 at 12:54:34 PM

All of his dox articles are based on sloppy practices from threat actors.

by flipped

2/22/2026 at 12:59:27 PM

So? At least the reporting used to be mostly accurate and trustworthy.

Here we can see that Krebs is now willing to publish stories he hasn’t even attempted to verify

by walletdrainer

2/22/2026 at 1:21:33 PM

[flagged]

by flipped

2/23/2026 at 7:02:44 PM

The NSA has an interest in half-heartedly defending Krebs’s past record, while trashing his current work? Weird.

by walletdrainer

2/23/2026 at 10:11:30 AM

Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data.

https://news.ycombinator.com/newsguidelines.html

by tomhow

2/22/2026 at 2:43:29 AM

From the main article, I2P has 55,000 computers, the botnet tried to add 700,000 infected routers to I2P to use it as a backup command-and-control system.

https://news.ycombinator.com/item?id=46976825

This, predictably, broke I2P.

by jjmarr

2/22/2026 at 3:34:16 AM

That's an interesting stress test for I2P. They should try to fix that, the protocol should be resilient to such an event. Even if there are 10x more bad nodes than good nodes (assuming they were noncompliant I2P actors based on that thread) the good nodes should still be able to find each other and continue working. To be fair spam will always be a thorny problem in completely decentralized protocols.

by infogulch

2/22/2026 at 10:29:49 AM

> Even if there are 10x more bad nodes than good nodes [...] the good nodes should still be able to find each other

What network, distributed or decentralized, can survive such an event? Most of the protocols break down once you hit some N% threshold of the network being bad nodes, asking it to survive 1000%+ bad nodes when others usually is something like "When at least half the nodes are good". Are there existing decentralized/distributed protocols that would survive a 1000% attack of bad nodes?

by embedding-shape

2/22/2026 at 4:03:22 AM

No. They should not try to survive such attacks. The best defense to a temporary attack is often to pull the plug. Better than than potentially expose users. When there are 10x as many bad nodes as good, the base protection of any anonymity network is likely compromised. Shut down, survive, and return once the attacker has moved on.

by sandworm101

2/22/2026 at 6:43:46 AM

This is why Tor is centralized, so that they can take action like cutting out malicious nodes if needed. It’s decentralized in the sense that anyone can participate by default.

by conradev

2/22/2026 at 8:26:56 AM

> so that they can take action like cutting out malicious nodes if needed

How does that work?

by notpushkin

2/22/2026 at 9:01:13 AM

While anyone can run a Tor node and register it as available, the tags that Tor relays get assigned and the list of relays is controlled by 9 consensus servers[1] that are run by different members the Tor project (in different countries). They can thus easily block nodes.

[1]: https://consensus-health.torproject.org/

by cyphar

2/23/2026 at 3:57:34 AM

Interesting, thank you so much! Yeah, if those 9 really are independent entities, I’d say I don’t see many issues here.

by notpushkin

2/22/2026 at 9:35:39 AM

It's 10, not 9. And there are severe problems with having a total of 10 DA be the essential source of truth for whole network. It would be trivial to DDoS the DAs and bring down the Tor network or at the very least, disrupt it: https://arxiv.org/abs/2509.10755.

It's the only complaint I have of the current state of Tor. Anyone should be able to run directory authority, regardless if you trust the operator or not (same as normal relays).

by flipped

2/22/2026 at 4:05:36 PM

Couldn't you

A: Run your own network that trusts the existing plus whatever nodes you think ought to be and convince everyone that this is better if it is

B: Run a node and convince others to trust yours so that eventually there is 11 then 12 and so forth?

by michaelmrose

2/22/2026 at 11:03:09 AM

Anyone can. The DA code is open source and is used whenever you run a testnet. You can also run a DA on the mainnet - how do you think the 10 primary DAs exist? They're not 10 computers owned by a single organization - they're 10 mutually trusting individuals. However, most of the network won't trust you.

by _yclj

2/22/2026 at 12:07:08 PM

[flagged]

by flipped

2/22/2026 at 4:33:30 AM

Why would an attacker move on if it can maintain a successful DoS attack forever?

by martin-t

2/22/2026 at 4:42:50 AM

Because botnets are mostly there to make money nowadays. Or owned by state actors.

Either way, it’s opportunity cost.

by xmcp123

2/22/2026 at 9:39:59 AM

The mentioned botnet didn't intentionally take down I2P. It's run by bunch of kids who don't know what they're doing.

by flipped

2/22/2026 at 5:38:27 AM

Finding good nodes is a thorny problem for human friendship, too!

by 01HNNWZ0MV43FF

2/22/2026 at 8:31:12 AM

That's why the Web of Trust, or classic GNUPG key signing parties are a forgotten/ignored must have. Anyone can change and go rouge of course, but it's statistically less likely.

by kkfx

2/22/2026 at 10:25:32 AM

If I understand gp correctly, the web of trust comes after finding these human nodes, and will not help you in the process.

by kbrkbr

2/22/2026 at 10:53:29 AM

It doesn't work for I2P due to its design, but for things like Nostr, it works well. Essentially, the goal is to build up a list of "known" reliable relays over time, while simultaneously blacklisting anyone who joins and proves to be unreliable relying on the statistic that collaborative individuals outnumber hostile ones in any sufficiently large cohort.

Of course, it's far from being 100% effective, but it mitigates the issue significantly.

by kkfx

2/22/2026 at 11:02:21 AM

Hostile entities generally have a lot of money they can use to perform a Sybil attack.

by _yclj

2/22/2026 at 11:55:02 AM

Sure, but can't break the trusted part of the network who can remain operational in that case, even if not really anonymous anymore.

by kkfx

2/22/2026 at 10:33:00 AM

Funny and excellent comment!

by seertaak

2/22/2026 at 7:51:36 AM

I guess "predictably" is valid but what actually went wrong? After going through multiple sources I can't tell if the botnet nodes were breaking the protocol on purpose, breaking the protocol on accident, or correct implementations that nevertheless overwhelmed something.

by Dylan16807

2/22/2026 at 9:23:27 PM

As I understand they weren't building tunnels, so every time a legit client wanted to it has to wade through all the bad nodes to find a good one, so everything slowed right down. I was building at about 3% success rate during the issue which enables general eepsite browsing but torrenting was essentially dead

by c45y

2/22/2026 at 2:40:12 AM

Man, I feel so out of depth with cybersecurity news.

Why does i2p (per the article) expect state sponsored attacks every February? Where are those forming from, what does the regularity achieve?

How come the operators of giant (I’m assuming illegal) botnets are available to voice their train of thought in discord?

by kace91

2/22/2026 at 4:22:23 AM

> Why does i2p (per the article) expect state sponsored attacks every February?

Because The Invisible Internet Project (I2P) allows government dissidents to communicate without the government oversight. Censorship-resistant, peer-to-peer communication

> Where are those forming from, what does the regularity achieve?

At least PR China, Iran, Oman, Qatar, and Kuwait. censor communication between dissidents.

> How come the operators of giant (I’m assuming illegal) botnets are available to voice their train of thought in discord?

How would you identify someone as 'operators of giant botnets' before they identified themselves as 'operators of giant botnets'?

please read https://en.wikipedia.org/wiki/I2P

by WaitWaitWha

2/22/2026 at 5:47:56 AM

Sure, but why February and not the other 11 months?

by margalabargala

2/22/2026 at 7:36:56 AM

Likely it's just a coincidence — there were other Sybil attacks that are not in February too, so the chance that you'd get 3 in Feb isn't all that low.

by n2d4

2/22/2026 at 4:45:54 AM

This answer is missing the key "regularity" part of their questions, which I would love to know more about.

by Zambyte

2/22/2026 at 5:33:16 AM

That’s a great question… Currently we’re in the main Chinese holiday period with the Lunar New Year/Spring Festival/Chinese New Year, so perhaps people traveling back home from foreign lands might use the service more during this time?

by braingravy

2/22/2026 at 6:53:36 PM

I know no one using this in China. And people who can afford to travel (and have visa and passport) will have foreign sim/phone. The timing is just a coincidence

by thenthenthen

2/22/2026 at 2:56:18 AM

Many state bodies involved in adversarial action have dedicated budgets for offensive cyber-warfare, credential thefts, supply chain compromises and disinformation. If they haven't used all of their budget by the end of the budget period, they'll be allocated a smaller budget for the next budget period.

by OgsyedIE

2/22/2026 at 7:43:33 AM

Cool theory but that should result in other attacks that peak in February too, can you give examples?

by rollulus

2/22/2026 at 3:13:34 AM

Oh ffs. Whenever I think my opinion on the state of the world can’t get any lower, things somehow manage to get dumber.

by kace91

2/22/2026 at 3:34:28 AM

I mean this is a common pattern in many large organizations, governmental and non, if you didn't use your budget it means we can save money, yayyyy! I hadn't really considered it would apply to state-backed hacking but makes sense.

by bryanrasmussen

2/22/2026 at 5:47:40 AM

[dead]

by tosapple

2/22/2026 at 9:41:17 AM

State sponsored cyber attacks are news to you? It's been a thing since more than 2 decades now.

by flipped

2/22/2026 at 12:18:00 PM

Not the attacks themselves, I would expect that kind or sabotage that actively provokes negative outcomes in people’s lives to have a more respectful/competent reasoning behind than “meh there’s a few leftovers and we had to do something”

by kace91

2/22/2026 at 11:05:05 AM

[flagged]

by _yclj

2/22/2026 at 5:35:06 AM

[dead]

by busko

2/22/2026 at 7:44:43 AM

> The I2P development team responded by shipping version 2.11.0 just six days after the attack began.

Not wanting to be overly critical, but any net-infrastructure project kind of has to keep bot-attacks in mind and other attack vectors, in the initial design stage already. Any state-actor (and other actors, though I would assume it is often a state financing the bot network behind-the-scene) can become potentially hostile.

by shevy-java

2/22/2026 at 6:25:20 AM

>hostile nodes

>they accidentally disrupted I2P while attempting to use the network as backup command-and-control infrastructure

So were they hostile or were they using it normally?

by charcircuit

2/22/2026 at 6:20:33 AM

This seems to be a better post about what happened, from the same site https://www.sambent.com/i2p-2-11-0-ships-post-quantum-crypto...

by pmontra

2/22/2026 at 6:42:00 AM

Those are some weird-ass visualizations. I can only assume they were AI-generated.

by nneonneo

2/22/2026 at 6:49:29 AM

I'll save everyone else a click: AI slop text coupled with the strangest, most pointless visualizations I've ever seen.

by KennyBlanken

2/22/2026 at 8:36:33 AM

Speak for yourself!

I didn’t really understand the link between Alice and Bob until I saw a green floaty dot go through a pile of spaghetti with the word compromise beneath it.

by SV_BubbleTime

2/22/2026 at 7:52:37 AM

This article (with high slop vibes) and another article on their site (linked in the comments) seem to suggest that post quantum encryption mitigated the Sybil attack, without explanation. I fail to understand how the two are even related.

by rollulus

2/23/2026 at 8:37:49 AM

Definitely generated, testing a ML model I'm training. it flags as claude mostly.

by swordsith

2/22/2026 at 3:27:18 PM

Came here to say this. Seems like the attack was an accident and it ended. Nothing was mitigated

by singpolyma3

2/22/2026 at 5:46:13 AM

This was one of the worst writeups I ever read. Even a LinkedIn Premium post would have had more technical details, lol

by cookiengineer

2/22/2026 at 3:09:51 AM

Why does Discord allow a server for a botnet owner?

by illusive4080

2/22/2026 at 3:53:48 AM

There's servers where they just hang out, but which themselves are legitimate. Cybersecurity related ones etc. You can ban them and they'll just switch to another account within a minute. Occasionally discord or a server owner does, but everyone knows its pointless. There's probably other servers that are mostly used by cybercriminals, maybe command-and-control backups, and security researchers may stumble upon these when taking some malware apart, join them, and end up getting in contact with the owner.

In general I don't think law enforcement wants discord to take these down or ban them. These guys would have no problem to just make some IRC servers or whatever to hang out on instead, which would be much harder to surveil for law enforcement - compared to discord just forwarding them everything said by those accounts and on those servers.

by chmod775

2/22/2026 at 3:29:51 AM

Discord has a lot of terrible servers. This is one of the reasons they were not trusted when they came out and wanted to do identity verification. They already have a lot of information yet fail to do meaningful enforcement at scale.

by ddtaylor

2/22/2026 at 7:11:08 AM

Only a couple years ago the outrage was that Discord was too eagerly banning servers and users.

I know several people whose Discord accounts were banned because they participated in a server that later had some talk of illegal activities in one of the channels. There are similar stories all over Reddit.

by Aurornis

2/22/2026 at 10:35:34 AM

If a Walmart has ~100 people in it and wants to get rid of 4 shoplifters but really sucks at selecting them well then the likely result is 4 normal people are very upset while all of the shoplifters are still there.

In the same scenario, even if Walmart is right about who they ejected 75% of the time then they still have ~1 shoplifter remaining and ~1 very upset person.

Even in an ideal world where Walmart is right about ejection 100% of the time it doesn't mean they start receiving 0 new shoplifters either, it just means the number of people wrongly made upset is 0.

Discord's problem (on both ends) lies in lack of depth in investigating bans. It takes resources to review when someone shouldn't be banned and it takes resources to make sure you ban everybody. Putting too low of resources into banning just means that both sides of the scale manage to get tipped in the wring direction at the same time.

by zamadatix

2/22/2026 at 11:06:59 AM

Two things can be true at once. They can ban normal things too much and ban bad things too little.

by _yclj

2/22/2026 at 4:45:57 AM

Ever tried to ban a botnet owner from a service they want to use?

It’s basically impossible. They have money, IPs, identities, anything you could possibly want to evade.

by xmcp123

2/22/2026 at 6:24:21 AM

It would be pretty funny if the age verification stuff blocked some of these folks.

by bee_rider

2/22/2026 at 7:08:41 AM

Discord age verification is only for content filters, adult-themed servers, and a few other features.

They aren’t requiring age verification for everyone to join servers and chat. The headlines and panic really got away from the actual story.

by Aurornis

2/22/2026 at 5:24:20 AM

They are rich in regard to the tools needed to abuse services haha.

by Cider9986

2/22/2026 at 6:23:23 AM

If you just look at the messages in those kinds of discords. It's blatant. They aren't even trying to hide it.

by charcircuit

2/22/2026 at 6:58:40 AM

Why wouldn't they? There are Discord servers about anything you can imagine and also what you can't or don't want to image. As long as they don't start disrupting their infra Discord couldn't care less.

Also, how would you even go about classifying them as botnet operators?

by samus

2/22/2026 at 4:55:13 AM

I imagine because banning these things is both whack-a-mole and like finding a needle in a hay stack.

by bawolff

2/22/2026 at 10:36:09 AM

A MAU is a MAU... They likely use relatively little computing capability while making numbers look really good...

by Ekaros

2/22/2026 at 3:20:47 AM

botnet owners don't typically come forwards and say they are trying to run a botnet, so there may be some difficulty in detecting them there.

by fragmede

2/22/2026 at 3:19:58 AM

botnet owners dying typically come forwards and say they are trying to run a botnet, so there may be some difficulty there.

by fragmede

2/22/2026 at 4:48:48 AM

Isn't I2P java? The botnet uses java? I thought python or C is preferred for that kinda stuff

by hoppp

2/22/2026 at 5:13:44 AM

The official router implementation is Java. i2pd is an alternative written in C++.

Once established communication can transparently be processed through a socks proxy, or integration with SAM or similar https://i2p.net/en/docs/api/samv3/

by mhitza

2/22/2026 at 6:57:49 AM

Communication between bots use network protocols, it doesn't matter in which language those protocols are implemented.

by rippeltippel

2/22/2026 at 5:30:10 AM

Computers are so fast it doesn’t matter

by monero-xmr

2/22/2026 at 9:46:29 AM

"Since the abstraction layers have quadrupled, let's not just care about the actual performance anymore!"

by flipped

2/22/2026 at 2:04:34 PM

Not my downvote, but which computers would that be?

More people than just myself might want one.

by fuzzfactor

2/22/2026 at 9:24:55 AM

Is there a shittier summary anywhere, please? Or did the author reached the peak of enshittification?

Honestly, did the bot implementation have bugs or was it a proper implementation that crashed the network due to sheer numbers?

Also, how does changing the encryption standard affect anything if the bots tried to integrate correctly with the network?

Is the problem "fixed" or is it not? Elsewhere I found large number if botnet devs got pissed off with this botnet operator and 600k nodes went offline. Might this have much more to do with the situation getting better than simply changing encryption?

Also, was there any suggestion a quantum breaking attack was attempted? No. So why put the emphasis on "post quantum" in this article?

Bad. Very bad.

by Roark66

2/22/2026 at 11:08:15 AM

[dead]

by _yclj

2/22/2026 at 5:25:09 AM

The video seems to be a bit more in-depth.

by Cider9986

2/22/2026 at 2:07:05 PM

A bit of a tangent, but if I had a beard like that I would be making a lot more videos :)

by fuzzfactor

2/22/2026 at 4:29:10 AM

I wonder how cjdns would have handled this

by richardfey

2/22/2026 at 5:48:50 PM

Also rewriting i2pd in Go would be the sanest step. From Java to Go is not a big challenge and you gain even more portability. Just look at Yggdrasil on how these people created meshnets running even under Android and cheap i386 netbooks.

Thus, something like this in Go should be the norm. The GC it's ideal for this, it comes with batteries charged for networking and it can be for sure be made compatible with stuff like NNCP like nothing.

It wouldn't run many times slower than i2pd in C++, it should be perfectly bearable.

by anthk

2/22/2026 at 5:43:56 PM

I upgraded my OBSD just fine over I2P. I don't use the Java client/server, that might the reason.

by anthk

2/22/2026 at 3:26:55 PM

> The operators admitted on Discord they accidentally disrupted I2P while attempting to use the network as backup command-and-control infrastructure ...

This is crazy to me. Discord is letting literal criminals use it's corporate services in full view to commit crimes?

by superkuh

2/22/2026 at 3:21:01 PM

[dead]

by newzino