1. Headline & intro
Your home router is now valuable real estate in the criminal economy. Not because of what’s on your laptop, but because of your clean residential IP address and unlimited data plan. The newly disclosed KadNap botnet, which has quietly hijacked around 14,000 routers, shows just how far attackers — and shady commercial proxy services — will go to get it.
In this analysis, we’ll look beyond the technical novelty of KadNap’s peer‑to‑peer design to what really matters: the broken economics of consumer networking, the rise of "residential proxy" businesses built on hacked hardware, and what this means for regulators and users in Europe.
2. The news in brief
According to Ars Technica, researchers at Lumen’s Black Lotus Labs have documented a new botnet dubbed KadNap that has infected roughly 14,000 routers and other network devices on any given day.
Most compromised devices are Asus routers, primarily located in the United States, with smaller clusters seen in Taiwan, Hong Kong, and Russia. Black Lotus Labs says the malware spreads by abusing known, unpatched vulnerabilities, rather than unknown zero‑day flaws.
KadNap’s standout feature is its peer‑to‑peer command‑and‑control based on a variant of the Kademlia distributed hash table (DHT) protocol. Instead of talking to a central server, infected routers collaborate to route commands, making traditional takedown techniques much less effective.
The hijacked routers are being used to provide bandwidth and IP addresses to Doppelganger, a fee‑based proxy service that sells anonymous access through mostly residential connections. To remove the malware, owners must factory reset their devices and install the latest firmware, as a script ensures the infection survives a simple reboot.
3. Why this matters
KadNap is not the biggest botnet we’ve ever seen. In raw size, it’s modest compared to giants like Mirai at its peak. But its design and business model make it a warning sign for where router abuse is heading.
Winners and losers.
The obvious losers are everyday users whose routers have been quietly turned into infrastructure for cybercrime. They pay the electricity and bandwidth; someone else collects the proxy fees. Asus takes a reputational hit, but in truth every router vendor with slow patching and weak update mechanisms is implicated.
The silent winners are:
- Residential proxy operators, who can claim "real user IPs" while turning a blind eye to how those IPs were sourced.
- Criminal customers buying access to these proxies for credential‑stuffing, ad fraud, scraping, or accessing blocked services.
- Attackers who specialise in IoT exploitation, now able to plug straight into a commercial monetisation channel instead of building their own.
The fundamental problem KadNap exposes is not just one botnet, but a structural failure in how home networking gear is designed, sold, and maintained:
- Routers ship with long‑lived vulnerabilities and clumsy update mechanisms.
- Many devices reach "support end‑of‑life" while still in active use by ISPs and consumers.
- Default configurations often expose remote administration or other services to the Internet.
KadNap’s peer‑to‑peer architecture raises the stakes further. Law‑enforcement‑led takedowns that worked against previous, centralised botnets become much harder when there is no single command server to seize or sinkhole.
In short, this is less about one malware strain and more about a maturing ecosystem where:
- Router exploits are traded like commodities,
- Decentralised control hides the botnet’s brain, and
- Proxy marketplaces provide clean, legal‑looking payment rails on top.
4. The bigger picture
KadNap slots neatly into several wider trends in cybercrime and network infrastructure.
From DDoS to "infrastructure as a service".
Early IoT botnets such as Mirai mainly rented out firepower for DDoS attacks. Later operations like VPNFilter showed that compromised routers can be used for far subtler purposes: traffic interception, espionage and, crucially, proxying.
The modern twist is the industrialisation of this idea. We now have an entire grey‑market industry of "residential proxy" and "mobile proxy" services. Some are legitimate, based on user‑consented SDKs or opt‑in bandwidth sharing; others have repeatedly been caught leaning on hacked devices. KadNap, feeding routers into the Doppelganger proxy service, is part of that continuum.
Decentralisation as a defensive weapon.
Botnet operators learned from high‑profile law‑enforcement takedowns of centralised malware like Emotet or Gameover Zeus. Building command‑and‑control around protocols like Kademlia DHT means:
- No single IP or domain reveals the botnet’s "head".
- Even if some nodes are cleaned up or blocked, the rest can still route commands.
- Mapping the full topology becomes far more labour‑intensive for defenders.
This is not a theoretical trend; we’ve seen variants of this in P2P botnets for over a decade. KadNap is significant because it applies that resilience specifically to consumer routers feeding a commercial proxy network.
Intersection with the AI and data economy.
There is also an indirect link to the AI boom. Mass data scraping for model training and for building competitive intelligence increasingly relies on:
- Avoiding IP‑based rate limits,
- Bypassing geofences,
- Looking like normal residential traffic.
Residential proxies — whether ethical or not — are perfect for this. While we don’t know exactly how Doppelganger’s customers use KadNap‑backed IPs, the incentives are clear: anything that needs both scale and stealth on the modern web gravitates to such infrastructure.
KadNap therefore sits at the crossroads of three economies: malware, traffic reselling, and data‑hungry automation.
5. The European / regional angle
The current KadNap infections are concentrated in the US and parts of Asia, but Europe should not feel reassured.
First, Asus and similar routers are widely deployed across EU households and small offices. Many are sold via ISPs who control firmware distribution. That creates both a risk and an opportunity:
- If ISPs drag their feet on updates, thousands of European subscribers can be silently pulled into similar botnets.
- Conversely, proactive ISPs can push patched firmware and block known command‑and‑control patterns at the network edge, as Black Lotus Labs has suggested.
Second, EU regulation is moving towards security‑by‑design for connected devices. The Cyber Resilience Act, NIS2, and, indirectly, GDPR all create pressure on vendors and service providers to treat router insecurities as a compliance and liability issue, not just an IT nuisance.
For privacy‑conscious markets like Germany or the Netherlands, the idea that your "clean" IP might be used for fraud or intrusion elsewhere is politically toxic. We can expect:
- National cybersecurity agencies (like BSI in Germany, ANSSI in France, ENISA at EU level) to publish guidance and blocklists.
- Consumer‑protection authorities to scrutinise router vendors and proxy operators under unfair‑commercial‑practice rules.
Third, there is a competitive angle. European network and security vendors have an opening to differentiate with:
- Routers that auto‑update securely for a guaranteed minimum support period,
- Built‑in anomaly detection for outbound connections,
- Clear labelling and certification that devices will receive timely security fixes.
If Europe wants "digital sovereignty", it cannot ignore the fact that its broadband access layer is increasingly part of someone else’s criminal infrastructure.
6. Looking ahead
KadNap is unlikely to be the last — or the largest — router botnet we hear about this decade. Several trajectories seem plausible over the next 12–24 months.
1. More P2P, more stealth.
The relative success of KadNap’s DHT‑based control will encourage copycats. Expect:
- More use of mature P2P protocols (BitTorrent variants, custom DHTs) for botnet coordination.
- Blending C2 traffic with legitimate P2P or CDN traffic to frustrate simple blocking.
2. Focus on the monetisation layer.
Law enforcement may find it easier to hit proxy service operators like Doppelganger than the botnet code itself. Disrupting payment processors, domains, and marketing sites for these services can make the underlying botnet less profitable.
We’ve already seen takedowns of other shady proxy providers in recent years; KadNap will likely accelerate regulatory interest in this grey market.
3. Regulatory and market pressure on router vendors and ISPs.
Expect:
- Tougher requirements for automatic security updates and clear end‑of‑support dates.
- ISPs to be nudged (or forced) to monitor for mass compromise patterns in customer CPE.
- Possibly, civil litigation when compromised routers are repeatedly used in high‑profile attacks.
4. Collateral damage concerns.
Network‑wide blocking of KadNap’s C2 patterns, as proposed by Black Lotus Labs, is powerful but blunt. If botnet traffic is cleverly overlaid on top of legitimate P2P protocols, aggressive filtering could hurt genuine services, from file‑sharing to decentralised storage.
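One shape the ISP‑side monitoring mentioned above can take, and why it is blunt: an added Python example, not code from Black Lotus Labs or any ISP, that scores each customer router by how many distinct peers it talks to over small UDP flows. The flow format, the thresholds and the sample records are constructed assumptions, not KadNap indicators.

```python
# Added example, not from the Lumen/Black Lotus Labs report or any vendor product:
# a fan-out heuristic an ISP could run over per-CPE flow summaries to spot a
# router that has started behaving like a DHT node. The field layout, thresholds
# and sample flows are constructed assumptions, not KadNap indicators.
from collections import defaultdict

# Constructed flow records "src,proto,dst,dport,bytes"; src is the customer router.
SAMPLE_FLOWS = "\n".join(
    ["10.0.0.1,tcp,203.0.113.10,443,52000",   # ordinary web browsing
     "10.0.0.1,tcp,203.0.113.11,443,81000",
     "10.0.0.1,udp,198.51.100.5,53,300"]
    # 10.0.0.2: small UDP exchanges with many peers spread over many /16 prefixes
    + [f"10.0.0.2,udp,{10 + i}.{100 + i}.0.{i},{20000 + i},400" for i in range(1, 41)]
    # 10.0.0.3: a subscriber seeding torrents, whose DHT chatter looks much the same
    + [f"10.0.0.3,udp,{60 + i}.{50 + i}.0.{i},{6881 + i},900" for i in range(1, 36)])

THRESHOLDS = {"peers": 30, "prefixes": 20, "udp_high_share": 0.8, "mean_bytes": 2000}

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, proto, dst, dport, nbytes = line.split(",")
        flows.append((src, proto, dst, int(dport), int(nbytes)))
    return flows

def per_device_stats(flows):
    peers, prefixes = defaultdict(set), defaultdict(set)
    total, udp_high, byte_sum = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, proto, dst, dport, nbytes in flows:
        total[src] += 1
        byte_sum[src] += nbytes
        peers[src].add(dst)
        prefixes[src].add(".".join(dst.split(".")[:2]))  # /16 prefix of the peer
        if proto == "udp" and dport > 1024:
            udp_high[src] += 1
    return {src: {"peers": len(peers[src]), "prefixes": len(prefixes[src]),
                  "udp_high_share": udp_high[src] / total[src],
                  "mean_bytes": byte_sum[src] / total[src]} for src in total}

def looks_like_dht_node(stats):
    """Many distinct peers in many networks, mostly small UDP flows to high ports."""
    return (stats["peers"] >= THRESHOLDS["peers"]
            and stats["prefixes"] >= THRESHOLDS["prefixes"]
            and stats["udp_high_share"] >= THRESHOLDS["udp_high_share"]
            and stats["mean_bytes"] <= THRESHOLDS["mean_bytes"])

def suspicious_devices(text):
    # Routers whose fan-out profile warrants a closer look, not an automatic block.
    return sorted(src for src, s in per_device_stats(parse_flows(text)).items()
                  if looks_like_dht_node(s))
```

The torrent‑seeding subscriber (10.0.0.3) trips the same heuristic as the suspected bot (10.0.0.2), which is the collateral‑damage problem above in miniature: a fan‑out score is a triage signal to compare against a device’s own baseline, not a reason to filter on its own.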
The open question is whether industry and regulators can coordinate quickly enough to avoid a future where millions of routers, not just 14,000, are enrolled in resilient, DHT‑based proxy botnets.
7. The bottom line
KadNap is a relatively small botnet with outsized significance. It shows how neglected home routers, decentralised control protocols, and a booming proxy market combine into infrastructure that is hard to kill and easy to monetise.
For European users and policymakers, the message is clear: consumer networking gear is now part of critical infrastructure, and leaving it insecure has real cross‑border consequences. The question is whether we treat this as a one‑off curiosity — or as the signal to finally fix the economics of routers before the next, bigger KadNap arrives.