The College Student—and His Cat Meme—Who Hunted the World’s Biggest Cyberweapon



Benjamin Brundage.

Sitting in his dorm room at the Rochester Institute of Technology, Benjamin Brundage was closing in on a mystery that had even seasoned internet investigators baffled. A cat meme helped him crack the case.

A growing network of hacked devices was launching the biggest cyberattacks ever seen on the internet. It had become the most powerful cyberweapon ever assembled, large enough to knock a state or even a small country offline. Investigators didn’t know exactly who had built it—or how.

Brundage had been following the attacks, too—and, in between classes, was conducting his own investigation. In September, the college senior started messaging online with an anonymous user who seemed to have insider knowledge.

As they chatted on Discord, a platform favored by videogamers, Brundage was eager to get more information, but he didn’t want to come off as too serious and shut down the conversation. So every now and then he’d send a funny GIF to lighten the mood. Brundage was fluent in the memes, jokes and technical jargon popular with young gamers and hackers who are extremely online.

“It was a bit of just asking over and over again and then like being a bit unserious,” said Brundage.

At one point, he asked for some technical details. He followed up with the cat meme: a six-second clip that showed a hand adjusting a necktie on a fluffy gray cat.

The cat meme Brundage sent.

Brundage didn’t expect it to work, but he got the information. “It took me by surprise,” he said.

Eventually the leaker hinted there was a new vulnerability on the internet. Brundage, who is 22, would learn it threatened tens of millions of consumers and as much as a quarter of the world’s corporations. As he unraveled the mystery, he impressed veteran researchers with his findings—including federal law enforcement, which took action against the network two weeks ago.

Chad Seaman, a researcher at Akamai, joked at one point that the internet could go down if Brundage spent too much time on his exams.

Early warning

Three times a year, several hundred of the techies who keep North America’s internet running gather to talk shop. Last June they met at a conference in Denver hosted by the North American Network Operators’ Group.

One major topic was a fast-growing and often legally dubious business known as residential proxy networks. Dozens of companies around the world run such networks, which are made up of consumer devices like phones, computers and video players.

These “res proxy” companies rent out access to internet connections on the devices to customers who want to look like they’re surfing the internet from a genuine home address.

That kind of access is useful for people who want privacy or for companies that want to masquerade as regular people to test out internet features for particular regions or scrape the web for data (say, a shopping price-comparison site). AI companies use the networks to get around blocks on automated traffic so they can gather large amounts of data to train their models.

Then there are the customers who want to hide their identity while engaging in ticket scalping, bank fraud, bomb threats, stalking, child exploitation, hacking or espionage.

Some device owners willingly sign up to be on these networks so they can make a few dollars a month, but most have no idea they’re connected to one.

At the Denver conference, Craig Labovitz was alarmed. The Nokia executive had been tracking the data flows of the internet’s infrastructure for years, and he knew the network’s data centers, chokepoints and design better than most.

Starting in January 2025, Nokia’s sensors had picked up a series of increasingly powerful cyberattacks coming from devices that hadn’t previously been considered dangerous. Called distributed denial of service, or DDoS, attacks, these were massive floods of junk internet data designed to knock websites offline by overwhelming the data pipes that connected them. These attacks are sometimes launched by extortionists or even business rivals seeking to sabotage computer networks.

Nokia saw hundreds of thousands of devices joining in these attacks. One unprecedented attack later in the year on the internet infrastructure company Cloudflare was “comparable to the combined populations of the UK, Germany, and Spain all simultaneously typing a website address and then hitting ‘enter’ at the same second,” Cloudflare said.

The network, which would become known as Kimwolf, seemed to be using residential proxy connections to launch its attacks, giving it the potential to do massive damage.

“The basic message was, ‘Be afraid,’” Labovitz remembers.

Kimwolf included a lot of residential proxy devices that were connected to an enigmatic Chinese company. But something didn’t add up. While “res proxy” networks hosted plenty of malicious traffic, the companies running the networks generally discouraged DDoS attacks. Once a device started participating in a DDoS attack, it would get blacklisted by much of the internet, and that wasn’t good for business.

Others were concerned too, including the Federal Bureau of Investigation and the Department of Defense.

‘He’s bragging’

Benjamin Brundage hadn’t always been a computer nerd. A self-described B-student, he spent his childhood adventuring in the wilderness near his hometown of Seattle, and as a kid had preferred skiing to YouTube.

Stuck indoors during the pandemic, Brundage turned to spending long hours on Minecraft, a build-your-own-world videogame that, for many, is a gateway into programming. He learned to build modifications and cheats.

Suddenly he was asking his father, a former Microsoft engineer, to explain obscure Windows file formats.

Brundage found himself immersed in the online culture of trash-talking, memes, boyish jokes and, ultimately, hacking. “I was definitely messing with stuff I probably shouldn’t have at such a young age,” he said. “But then I realized pretty quickly that this would lead me down a bad route.”

Instead he applied his hacking skills toward legitimate cybersecurity research. In his senior year of high school, he found bugs in websites belonging to the Dutch government and reported them via a “bug bounty” program that offered hackers prizes for unearthing security flaws. A few months later, the Dutch National Cyber Security Center mailed him his bounty: a black T-shirt. It read: “I hacked the Dutch government and all I got was this lousy t-shirt.”

He remembers it as one of the most rewarding experiences of his young life: a “dopamine rush,” he said.

Brundage greets friends on campus.

Inspired, Brundage became obsessed with web scrapers—automated programs that hoover up vast amounts of web data for analysis. That led him to look into residential proxy networks. By the end of his college sophomore year, he was meticulously cataloging them.

Like Nokia’s Labovitz, he had become fixated on the Chinese company behind the res proxy network connected to Kimwolf. The company, called Ipidea, didn’t list a chief executive or founder on its website; it didn’t even have an address. It appeared to be operating under more than a dozen business names.

Ipidea didn’t respond to requests for comment for this article. A spokeswoman told The Wall Street Journal earlier this year that the company “always explicitly opposed any form of illegal or abusive conduct” on its network.

Brundage would get up at 4 a.m. and untangle the complex international network of consumer devices making up Ipidea. Working at a desk in his dorm room, he spent hours identifying the IP addresses—numerical labels, similar to phone numbers, assigned to devices—connected to the network. Then he’d go to class. “My sleep schedule is super, super weird,” he said.

Some nights, his friends would go bowling or go to parties. Brundage often missed out. By August he had created his own one-man company, Synthient, and was selling his list of associated IP addresses to warn companies of fraud.

In an effort to promote his company in September, Brundage posted a link to a tool he had created in a Discord chat set up for web-scraping research. The tool let people see if their IP addresses were on Synthient’s list.

A week later, Brundage got a message on Discord saying his list was missing some IP addresses. “You can’t detect all of them,” the user wrote before sending a few screenshots proving the case.

“He’s bragging,” Brundage thought. It was time for the cat meme.

Attack of the picture frame

Not long after, Brundage was chatting online with an anonymous cybersecurity researcher who then introduced him to Chris Formosa, an engineer at the networking company Lumen.

Formosa was part of a working group called Big Pipes, which included dozens of employees from some of the internet’s most important service providers. When a DDoS attack happened, the Big Pipes wizards usually knew how the attack was being carried out and the software behind it.

But Kimwolf caught them flat-footed. Formosa had been at the Denver meeting, and by October Big Pipes still hadn’t cracked the mystery. Kimwolf seemed to be using Ipidea’s network, but how? Were they a customer?

Brundage told Formosa what he’d learned from his Discord chat, and about how much of Ipidea he had already mapped out.

“I’d been working on Ipidea for almost two years,” Formosa said. “It was just wild to hear this college student had so much info on them.”

Brundage at Rochester Institute of Technology, in upstate New York.
Logs showing what Ipidea’s software was doing on Brundage’s network.

Within a week, Brundage was popping up on Big Pipes’ weekly conference call, sharing what he knew.

One of the companies participating in Big Pipes soon got hit with a cyberattack from Kimwolf. Studying the data, engineers from the company realized that some of the malicious traffic was coming from an employee’s home address. They tracked the source of the attack to a device: a digital picture frame that had fired off hundreds of thousands of junk data packets.

The frame, from a brand called Apofial, sold on Amazon for just under $50. Amazon said the product has been out of stock since last year and that it takes action when it confirms a third-party product is infected with malware. Apofial couldn’t be reached for comment.

The frame had become part of Kimwolf…but how?

Midterm breakthrough

Brundage and the Big Pipes researchers spent weeks scouring the internet for more clues. Brundage joined Discord and Telegram channels devoted to web scraping and residential proxy services. Eventually he landed in a handful of channels that the Kimwolf operators and their associates used.

Sometimes Brundage would simply ask for information.

Amazingly, he got answers. Kimwolf’s operators had a residential proxy network themselves that was somehow linked to Ipidea’s. They were technically creative but they seemed young, and they had associates who blabbed about their exploits. Brundage learned that Kimwolf’s operators spent about $30,000 a month just to run the servers that were the brains of their botnet (or network of hacked computers). That meant it was massive.

Seaman, the Akamai researcher and a Big Pipes member, couldn’t believe what Brundage was picking up. By the end of October, Seaman had a pretty good idea of how Kimwolf was sneaking onto Ipidea’s networks. Brundage wanted a smoking gun.

Brundage installed Ipidea’s software, downloading it from a website that offered pirated streaming apps, and put it on an Android phone he could monitor. On Nov. 16—right in the middle of midterms—Brundage saw his phone communicating with a domain that Kimwolf’s creators had set up.

Peeling back the layers, he and the Big Pipes team discovered a bug in Ipidea’s code. The Ipidea software was a gateway for hackers.
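The check Brundage ran by hand, putting the proxy app on a device he controlled and watching where it phoned home, can be automated against the query log of a home or office DNS resolver, which is also where a company would look after a finding like Infoblox's. The Python below is an added example, not code from the article, from Synthient or from the Big Pipes group. It parses dnsmasq-style query lines, flags each source device that resolved a watchlisted parent domain or any subdomain of it, and adds the kind of IP-range lookup Brundage's Synthient tool offered. The log lines, the watchlist names (all under the reserved .invalid TLD) and the proxy egress ranges (RFC 5737 documentation prefixes) are constructed placeholders, not real Kimwolf or Ipidea infrastructure.

```python
"""Added example: flag LAN devices that resolve watchlisted domains in a
resolver query log, plus a CIDR lookup against known proxy egress ranges.
All domains, ranges and log lines are constructed placeholders."""
import ipaddress
import re
from collections import defaultdict
from typing import Optional

# dnsmasq-style query lines, constructed for this example (not a real capture).
SAMPLE_LOG = """\
Nov 16 02:11:03 dnsmasq[812]: query[A] api.example-proxy-sdk.invalid from 192.168.1.23
Nov 16 02:11:03 dnsmasq[812]: query[A] time.android.com from 192.168.1.23
Nov 16 02:11:09 dnsmasq[812]: query[AAAA] cdn.video-app.invalid from 192.168.1.40
Nov 16 02:11:12 dnsmasq[812]: query[A] c2.example-botnet.invalid from 192.168.1.23
Nov 16 02:11:15 dnsmasq[812]: query[A] www.wsj.com from 192.168.1.50
Nov 16 02:11:20 dnsmasq[812]: query[A] relay7.example-botnet.invalid from 192.168.1.77
"""

# Hypothetical watchlist of parent domains, as you would load from a threat
# feed or your own analysis. Matching is by label suffix so subdomains count.
WATCHLIST = {"example-proxy-sdk.invalid", "example-botnet.invalid"}

# Hypothetical residential-proxy egress ranges (RFC 5737 documentation prefixes).
PROXY_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.128/25")]

# Pulls query type, queried name and source address out of a dnsmasq query line.
LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def on_watchlist(name: str) -> Optional[str]:
    """Return the watchlist entry that `name` equals or is a subdomain of, else None."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in WATCHLIST:
            return candidate
    return None


def flag_devices(log_text: str) -> dict[str, set[str]]:
    """Map each source IP to the watchlisted names it queried; clean devices are absent."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line (dnsmasq also logs replies, config, etc.)
        if on_watchlist(m.group("name")):
            hits[m.group("src")].add(m.group("name"))
    return dict(hits)


def is_proxy_egress(ip: str) -> bool:
    """Check a public address against the proxy egress ranges (a Synthient-style lookup)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)


if __name__ == "__main__":
    for src, names in sorted(flag_devices(SAMPLE_LOG).items()):
        print(f"{src}: {', '.join(sorted(names))}")
    print("203.0.113.9 is proxy egress:", is_proxy_egress("203.0.113.9"))
```

Run it against a real resolver log by replacing SAMPLE_LOG with the file contents and loading WATCHLIST and PROXY_RANGES from a feed you trust; suffix matching is what keeps per-device subdomains such as a random host under a known parent from slipping past the check.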

Brundage shows friends a TV box he tested during his investigation.

Ipidea and Kimwolf’s operators weren’t partners. Kimwolf was paying for access to Ipidea’s residential proxy devices and installing their own residential proxy software on them that allowed DDoS attacks. They then sold access to paying customers—cybercrime as a service.

Brundage eventually counted around 2 million of these hacked devices, with tens of thousands of new ones being added every day. They were all Android devices: video-streaming systems, phones, cameras and, of course, digital picture frames. The most popular was a streaming device available online for under $36.

(This story explains how to tell if you might be affected.)

Now the investigators had to warn the world.

Final exams

Brundage had identified 11 of the largest residential proxy companies, including Ipidea, that were vulnerable to the bug, and began drafting emails to them explaining how to fix the problem.

But first, he had to complete his finals.

The day after his last test, on Dec. 17, Brundage sent out the emails. Five days later, he got on a plane to fly to Mexico for Christmas vacation, where he was sick with the flu almost the entire time. Christmas came and went without a DDoS disaster.

On the 26th, Brundage got an email from Ipidea apologizing. His email had gone into a spam folder, but they were fixing the problem.

The Ipidea spokeswoman previously told the Journal the company “once adopted relatively aggressive market expansion strategies,” but later tightened up its business practices.

A week later, security blogger Brian Krebs published a story highlighting Brundage’s research on Kimwolf’s origin. Within hours, Renée Burton, the head of threat intelligence at networking company Infoblox, was texting Brundage. She was astonished to discover that a quarter of her corporate clients had been infected with the Kimwolf software.

The hackers hadn’t only unlocked a back door into millions of home networks—they had also created a way to break into thousands of corporations. A more sophisticated hacker could have stolen corporate secrets, installed ransomware or created a back door to return to the network, Brundage said.

Burton still isn’t sure how so many corporate clients were affected. It could be that companies were running pre-infected streaming devices, or that employees had residential proxy software on phones or tablets behind corporate firewalls. “We’ve learned so much since October that it seems we’re just scratching the surface,” she said.

In January, Google used a U.S. court order to aim a knockout blow at Ipidea. Google last year identified more than 10 million Android devices that came with Ipidea’s residential proxy software secretly pre-installed. It took legal action to take down 13 of the company’s business domains and shut down dozens of servers Ipidea used to run its residential proxy network.

On March 19, federal authorities announced they’d disrupted four of the world’s largest DDoS botnets, including Kimwolf. Kimwolf had launched more than 26,000 DDoS attacks targeting over 8,000 victims, according to a court filing. The press release announcing the takedown thanked Brundage’s company, Synthient, among others.

Industry experts say that Kimwolf today is a shadow of its former self. The cybersecurity firm Netscout says it’s seeing about 30,000 Kimwolf machines active at any given time.

Brundage recently got a text message from a federal official on the case. The official had heard about the bug bounty Brundage got from the Dutch government years ago and had a question: “What’s a good address to mail you a t-shirt, and what’s your size?”
