Anti-Abuse Community Braces for What’s Next as Threats Evolve 

M3AAWG welcomed prolific botnet investigator, entrepreneur, and college senior Benjamin Brundage to its member-only Engagement Series earlier this month, providing an evidence-based look into a drastic evolution for botnets and proxy networks.

Most importantly, he brought M3AAWG members clear mitigation guidance alongside predictions for what’s next, as botnets scramble to secure proxy providers to latch onto in a heated race for real estate.

Ben was introduced at the start of the webinar by M3AAWG’s DDoS SIG Chair Rich Compton. Rich presented on Aisuru/Kimwolf at the 66th General Meeting of M3AAWG this past February, and members can learn more about that presentation here.

Using the Kimwolf Botnet as a foundational case study, Ben gave M3AAWG members a firsthand account of how we got here, while also touching on the new actors in the space (the JackSkid and Mossad botnets).

The Pivot to Residential Proxies

Benjamin has been researching botnets since high school, and his story recently found its way to the Wall Street Journal and has headlined a series of Krebs on Security blogs.

With his final exams looming before graduation, his one-person startup, Synthient, was formally credited in a March 2026 federal press release announcing the disruption of some of the largest DDoS botnets, including Kimwolf.

As Ben outlined, residential proxies are a more lucrative business model for botnets than DDoS. Proxy access can be resold repeatedly across a sprawling (and increasingly problematic) ecosystem. While major upstream proxy vendors may vet their direct customers, that scrutiny fades with the resellers who sell access to criminals.

“The reseller setup allows upstream sellers to avoid responsibility,” Ben said during the webinar.

Ben added that infected households typically have no idea they are participating, because white-hat sourcing mechanisms (where a user knowingly opts in) are becoming far less common, giving way to:

  • Hidden SDK code
  • Malware delivered via phishing
  • Pirated software containing hidden proxy clients
  • Infected low-cost and vulnerable Internet of Things (IoT) devices (like TV streaming boxes and digital picture frames)

Ben has sent several patch notices to the largest residential proxy companies, alerting them to close the bugs that the research has uncovered. In response, many of the providers have introduced patches and blocked port 5555, closing vulnerabilities on their end. Results have been mixed, though, as some proxy providers have ignored the warnings entirely.

“The proxy providers and resellers are not going to police themselves, we need regulation,” he said.

M3AAWG Technical Document on Residential Proxies

As law enforcement cuts off botnets by seizing the command and control (C&C) servers, botnet operators are now hiding their C&C infrastructure inside the Ethereum Name Service (ENS) on the blockchain. This has led to an increasingly complicated cat-and-mouse game.

M3AAWG members are currently working on the final touches to a technical document on this exact issue, accounting for all its nuances, twists/turns, and mitigation strategies. If you are a M3AAWG member interested in contributing, please visit our Abuse of Residential Proxy Networks Initiative.

Not a M3AAWG Member? Learn about applying for a membership here. You can stay in the loop by following this blog and social media channels (Facebook and LinkedIn). You can also join M3AAWG at its upcoming 68th General Meeting in Montreal to follow this story’s development.

We also encourage M3AAWG members to join us for future M3AAWG Engagement Series webinar events. If you have questions or suggestions for future content, please reach out to us at engagement@M3AAWG.org.