Every major botnet takedown of the past decade has followed roughly the same playbook: crawl the network to enumerate nodes, flood the peer lists with sinkhole addresses, and seize the command-and-control infrastructure. It works—sometimes. But within hours of the December 2023 FBI disruption of the KV-botnet used by China's Volt Typhoon, operators were already restructuring. Within days of each Kelihos/Hlux sinkhole operation, a fresh instance appeared. There is a structural reason for that, and graph theory has already identified a more surgical fix. The operational community just hasn't used it yet.
This article has been updated to include Operation Endgame Season 2 (May 2025) and Season 3 (November 2025) with DOJ DanaBot indictment detail and Shadowserver Rhadamanthys infection statistics, a precision correction to SecurityScorecard's observation window (December 1, 2023 through January 7, 2024), updated NIST SP 800-61 reference from Rev. 2 to Rev. 3 (published April 2025), a correction to the Wray/Volt Typhoon quote attribution, the addition of the KadNap botnet (March 2026) as a proxy marketplace case study, improved source citations with SecurityScorecard November 2024 reconstitution report, and cumulative Endgame cryptocurrency seizure totals.
T1584.005 Compromise Infrastructure: Botnet — Adversaries compromise third-party systems to form botnets. The core infrastructure model described in this article.
T1584.008 Compromise Infrastructure: Network Devices — Compromising SOHO routers and network appliances, as documented in the KV-botnet's recruitment of end-of-life Cisco and Netgear devices.
T1090.003 Proxy: Multi-hop Proxy — Chaining compromised devices as relay proxies to obscure C2 origin. Volt Typhoon's operational architecture and the P2P overlay topology central to this article.
T1583.003 Acquire Infrastructure: Virtual Private Server — Volt Typhoon's pre-positioned fallback infrastructure at Digital Ocean, Quadranet, and Vultr, providing out-of-band redundancy beyond the P2P graph.
C0035 KV Botnet Activity — The MITRE-cataloged campaign covering Volt Typhoon's exploitation of end-of-life SOHO equipment from Cisco, Netgear, and DrayTek for critical infrastructure reconnaissance proxy operations.
G1017 Volt Typhoon — The PRC state-sponsored group whose KV-botnet operations serve as the primary case study throughout this article.
NIST SP 800-61 Rev. 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management — Supersedes Rev. 2 (April 2025). Aligns incident response with the NIST Cybersecurity Framework 2.0 Functions (Govern, Identify, Protect, Detect, Respond, Recover). The five-phase articulation-point operation described in Section 6 maps to the Detect, Respond, and Recover Functions of this updated framework.
NIST SP 800-83 Rev. 1, Guide to Malware Incident Prevention and Handling — Covers malware containment and eradication procedures relevant to botnet sinkhole operations and post-partition fragment management.
NIST SP 800-40 Rev. 4, Guide to Enterprise Patch Management Planning — Addresses the end-of-life device patching failures that created the SOHO router attack surface exploited by the KV-botnet and other P2P botnets discussed here.
Peer-to-peer botnets were designed specifically to resist the kind of takedown that works against centralized infrastructure. There is no single server to seize, no single domain to sinkhole. The resilience comes from the distributed graph topology itself: remove one node, and the remaining peers route around the gap. Law enforcement and researchers have adapted by poisoning the graph rather than simply seizing its core—flooding peer lists with sinkhole-controlled addresses until the legitimate operator loses the ability to issue commands. That technique produced real results against Dridex, Gameover Zeus, and the Hlux family. But it treats every node as equally valuable, and they are not. Researchers in graph theory and network science have known for decades that certain nodes in any connected graph are structurally irreplaceable: remove them and the graph fractures into isolated subgraphs that can no longer communicate. Those nodes are called articulation points (cut vertices), and no large-scale operational takedown has yet deliberately targeted them during the poisoning phase.
How P2P Botnets Are Modeled as Graphs
The formalization of P2P botnets as graph objects has been rigorous since at least the foundational IEEE Symposium on Security and Privacy paper by Rossow, Andriesse, Werner, Stone-Gross, Plohmann, Dietrich, and Bos in 2013. Their work, known in the research community as SoK: P2PWNED, introduced a formal graph model specifically to capture the intrinsic properties and fundamental vulnerabilities of P2P botnets, applying it to eleven active P2P botnet families then in circulation.
In that model, each infected host is a vertex. Each established peer connection is an edge. The resulting undirected or directed graph encodes everything operationally relevant: how commands propagate, how quickly a removal instruction would spread, how resistant the network is to random node failure (churn: bots continually joining and leaving as infected machines reboot, get patched, or go offline), and—crucially—how resistant it is to targeted node removal. Those last two properties behave very differently from each other, and that difference is the theoretical foundation for articulation-point targeting.
Rossow et al. established in SoK: P2PWNED that P2P botnets, lacking any central point of failure, resist the takedown approaches that work against centralized infrastructure — yet their peer-list architecture creates its own exploitable attack surface through "node enumeration and poisoning." IEEE Symposium on Security and Privacy, 2013.
The distinction between random failure resilience and targeted attack resilience is not subtle. Scale-free network topologies (most nodes have few connections while a small number of hubs have very many, following a power-law degree distribution), which approximate the peer-list structures seen in botnets like Sality and ZeroAccess, are highly robust against random node removal because the probability of hitting a high-degree hub at random is low. But they are fragile under targeted removal of those same hubs. Unstructured P2P botnets that form closer to random network topologies distribute degree more evenly, making hub-targeting less effective but making articulation-point targeting more relevant: in a near-random topology, cut vertices and bridges exist precisely because of the local connectivity gaps that uniform degree distribution creates.
Researchers have built tooling to empirically map these topologies in the wild. The Strobo-Crawler, described in subsequent work by Karuppayah, Fischer, Rossow, and Mühlhäuser, enabled high-frequency crawling of Sality and ZeroAccess to derive accurate graph snapshots from restricted monitoring data. That kind of snapshot is exactly what an articulation-point algorithm requires as input.
In practice, the nodes that become articulation points in a real botnet graph are not random. They tend to cluster around a specific device and network profile. Long-uptime hosts with stable IP addresses — SOHO routers, NAS devices, home servers running continuously on residential broadband — accumulate peer connections over time in a way that short-lived laptops do not. A bot that has been running undetected for eighteen months on a fixed residential IP will have been discovered by a larger fraction of the overlay network than a bot that joined last week. It will have been written into more peer lists. Its degree will be higher. And if it sits on the geographic or network-layer boundary between two clusters of infected machines — one concentrated in one country, another across an ocean — it may be the only high-degree node that spans both populations. That structural position, which is a product of uptime, fixed addressing, and geographic network topology, is exactly the profile that produces a cut vertex. This is not hypothetical: the KV-botnet specifically recruited end-of-life Cisco and Netgear routers for this purpose. Devices that owners never reboot, never patch, and never monitor produce exactly the kind of stable, high-connectivity anchor nodes that hold a P2P overlay together across geographic partitions — and that Tarjan's algorithm would flag immediately on a sufficiently complete crawl.
A connected graph is one where a path exists between every pair of vertices. An articulation point (also called a cut vertex) is any vertex whose removal increases the number of connected components—meaning some vertices lose the ability to reach others. A bridge (or cut edge) is any edge whose removal has the same effect. Botnets with articulation points or bridges have hidden structural fault lines that uniform poisoning ignores entirely.
What Articulation Points Are and Why They Matter
Formally, an articulation point is a vertex v in a connected undirected graph G such that removing v (and all edges incident to it) increases the number of connected components of G. If the graph was previously connected and removing v leaves two or more disconnected subgraphs, then v is an articulation point. Bridges generalize this concept to edges: a bridge is an edge whose removal disconnects the graph. From a botnet disruption perspective, articulation points are nodes through which all communication between two portions of the botnet must pass. If a poisoned or sinkholed peer occupies an articulation point, the two subgraphs on either side of it are fully isolated from each other and from the botmaster simultaneously.
The algorithm for identifying articulation points efficiently was established by Robert Tarjan in his landmark 1972 paper, "Depth-first search and linear graph algorithms," published in the SIAM Journal on Computing. Tarjan's algorithm performs a single depth-first search (DFS) traversal of the graph, assigning each vertex a discovery timestamp and a low-link value. The low-link value of a vertex u represents the earliest discovery time reachable from u by traversing DFS tree edges downward and at most one back edge upward. A vertex u is an articulation point if it is the root of the DFS tree and has two or more children, or if it is not the root and has a child v such that no vertex in the subtree rooted at v has a back edge to any ancestor of u. This condition is expressed as low[v] >= disc[u]. The entire algorithm runs in O(V + E) time—linear in the size of the graph, making it tractable even for networks with hundreds of thousands of nodes.
# Tarjan's articulation point detection (the page's pseudocode, made runnable in Python)
# Input: adjacency list of the crawled botnet graph, as a dict: node -> iterable of neighbours
# Output: set of cut vertices
def articulation_points(adj):
    disc, low, aps = {}, {}, set()
    timer = 0

    def dfs(u, parent):
        nonlocal timer
        disc[u] = low[u] = timer      # discovery timestamp; low-link starts equal to it
        timer += 1
        child_count = 0
        for v in adj[u]:
            if v not in disc:         # tree edge: v not yet visited
                child_count += 1
                dfs(v, u)
                low[u] = min(low[u], low[v])
                # Articulation point condition (non-root): nothing in v's subtree
                # reaches an ancestor of u without passing through u
                if parent is not None and low[v] >= disc[u]:
                    aps.add(u)
            elif v != parent:
                low[u] = min(low[u], disc[v])   # back edge to an ancestor
        # Articulation point condition (root): two or more DFS children
        if parent is None and child_count > 1:
            aps.add(u)

    for start in adj:                 # restart DFS so a disconnected crawl is still covered
        if start not in disc:
            dfs(start, None)
    return aps
The practical implication for botnet takedowns is significant. Standard poisoning floods the entire peer list of every enumerated bot with sinkhole addresses, hoping to overwhelm the legitimate peer lists over time. This is an attrition strategy. Articulation-point poisoning is a precision strategy: identify the small set of nodes whose removal partitions the graph, concentrate sinkhole injection on those nodes first, and the network fractures into isolated islands that can then be handled individually.
The subgraphs resulting from the removal of articulation points cannot communicate with each other, meaning command propagation from the botmaster is cut even if many ordinary peers remain unaffected. For botnets with small-world or scale-free properties, betweenness centrality (how often a node lies on the shortest path between other pairs of nodes) tends to be highly correlated with articulation-point status — but betweenness is computationally expensive at O(V * E). Tarjan's algorithm delivers the same targeting information in linear time.
Sophisticated botnet operators have implicitly responded to graph-theoretic analysis by designing topologies without articulation points. If every pair of vertices in the botnet graph has two vertex-disjoint paths between them, the graph is biconnected and has no cut vertices. Botnet construction algorithms that enforce minimum degree and distributed peer selection can approximate biconnectivity. Against a biconnected botnet, articulation-point poisoning has nothing to target—which means defenders must fall back to betweenness-centrality-based targeting or reinforcement-learned sequential removal.
The Gap Between Research and Real Takedowns
The operational record of major botnet takedowns shows a clear and consistent pattern: poisoning is deployed as a uniform broadcast, not a targeted strike. The Dridex takedown in 2015, conducted by Dell SecureWorks Counter Threat Unit researchers in collaboration with the UK National Crime Agency, the FBI, and the Shadowserver Foundation, involved poisoning each sub-botnet's P2P network and redirecting infected systems to a sinkhole. The technical strategy was effective enough to disrupt operations, but the approach treated the peer network as a uniform mass rather than a structured graph with identifiable fault lines. The sub-botnet partitioning that Dridex's operators had already built into the architecture—affiliates each controlling their own subset of bots—was exploited by defenders who seized the backend C2 servers, not by graph analysis of the P2P layer itself.
The Kelihos/Hlux operations illustrate the durability problem most vividly. Kaspersky Lab, CrowdStrike, the Honeynet Project, and Dell SecureWorks sinkholed Hlux version 2 in March 2012 by poisoning the P2P network. The criminal operators abandoned that instance and rebuilt. Hlux 3 appeared within twenty minutes, according to Kaspersky's published post-mortem. A third operation was conducted live at RSA Conference 2013 by CrowdStrike. The pattern—poison, disrupt, rebuild—demonstrates that uniform poisoning without topological targeting gives the operator time to reconstruct.
"The criminals quickly rebuilt their botnet and Hlux 3 was born—within 20 minutes." — Kaspersky Lab, post-mortem analysis of the Hlux/Kelihos sinkhole operations
The KV-botnet case from 2023 and 2024 follows the same arc, but at state-actor speed. On December 6, 2023, the FBI obtained a court-authorized warrant and began transmitting commands to US-based routers to sever their connection to the botnet. Volt Typhoon responded within two days: on December 8, Black Lotus Labs/Lumen observed eight straight hours of restructuring activity, followed by nearly ten hours of renewed activity on December 9, as operators interacted with over 3,045 unique IP addresses attempting to rebuild the peer network. By mid-January 2024, when the DOJ publicly announced the disruption, the active bot count had dropped from approximately 1,500 to roughly 650—a significant reduction, but not elimination.
At the January 31, 2024 congressional hearing before the House Select Committee on the Chinese Communist Party, FBI Director Christopher Wray stated in his prepared remarks that the CCP's actions against US national and economic security make it "the defining threat of our generation." In those same remarks, Wray announced the disruption operation and characterized Volt Typhoon's malware as giving China the ability to target American communications, energy, transportation, and water infrastructure. The hearing produced the most explicit public accounting to date of how state-sponsored actors were using compromised SOHO routers—end-of-life Cisco and Netgear devices—as a distributed proxy layer for critical infrastructure reconnaissance.
The speed at which Volt Typhoon responded after the December 2023 FBI disruption highlights the central problem with uniform poisoning: it does not permanently destroy the topology. An operator who can re-enumerate surviving nodes and re-establish peer connections can restore command propagation without re-infecting any hosts. Articulation-point poisoning complicates this because the topological chokepoints—once identified and saturated with sinkhole traffic—prevent the two halves of the network from seeing each other during the rebuild window. SecurityScorecard's STRIKE Team documented Volt Typhoon's persistence across two reports: a January 2024 analysis showed the group had compromised approximately 30% of all internet-exposed Cisco RV320/325 routers within a 37-day observation window spanning December 1, 2023 through January 7, 2024, and a November 2024 follow-up confirmed Volt Typhoon had fully reconstituted its botnet infrastructure using new command servers on Digital Ocean, Quadranet, and Vultr.
Operation Endgame, announced by Europol on May 30, 2024, and described as the largest operation ever against botnets, disrupted infrastructure for Bumblebee, IcedID, Pikabot, SystemBC, SmokeLoader, and Trickbot across a three-day window spanning May 27–29, 2024. The operation resulted in four arrests, more than 100 server seizures across ten countries, and the seizure of over 2,000 domains. But the botnets targeted were predominantly those with centralized or hybrid architectures, where infrastructure seizure is the decisive action. Pure P2P architectures without centralized backend infrastructure are harder to permanently destroy by the same methods, because there is no infrastructure layer to seize—only the graph topology to disrupt.
Endgame has since expanded into an ongoing law enforcement framework. Season 2, with enforcement actions running May 19–22, 2025, and formally announced May 23, 2025, took down approximately 300 servers worldwide, neutralized 650 domains, and issued international arrest warrants against 20 individuals connected to Bumblebee, Latrodectus, DanaBot, HijackLoader, and WarmCookie operations, with additional indictments against individuals linked to Qakbot and Trickbot. The U.S. DOJ separately unsealed charges against 16 individuals in the DanaBot operation, which had infected over 300,000 computers globally and caused an estimated $50 million in damages. Authorities also seized approximately €3.5 million in cryptocurrency during the action week, bringing the total seized across all Endgame phases to over €21.2 million. Season 3, conducted between November 10–13, 2025, targeted the Rhadamanthys infostealer, the VenomRAT remote access trojan, and the Elysium botnet, resulting in the seizure of 1,025 servers and 20 domains, the identification of several million stolen credentials, and the arrest of the main VenomRAT suspect in Greece on November 3, 2025. The Shadowserver Foundation reported over 525,000 unique Rhadamanthys infections across 226 countries between March and November 2025. The evolution from a one-time strike to a serial, intel-driven operation reflects exactly the kind of sustained pressure that articulation-point analysis could theoretically amplify—but each phase has still relied on infrastructure seizure rather than topological graph targeting as its primary mechanism.
PeerRemove and the Shift Toward Learned Node Targeting
The academic literature has moved well beyond static graph metrics toward dynamic, learned approaches to critical node identification. The most technically sophisticated recent entry is PeerRemove, published in Computers & Security (Volume 128, 2023) by Xing, Shu, and Kang. PeerRemove abstracts the botnet node removal problem as a critical node ordering problem on graphs and trains a model using Structure2vec graph embedding combined with n-step Q-learning (S2V-DQN) to learn which nodes to remove sequentially in order to minimize the size of the Largest Connected Component (LCC), the biggest subgraph in which every node can reach every other node, as quickly as possible. A smaller LCC means fewer bots the operator can command simultaneously.
Xing, Shu, and Kang noted that classical node-importance metrics — degree, betweenness, clustering coefficient, PageRank, and eigenvector centrality — treat the problem as static ranking, missing the dynamic, sequential nature of live botnet disruption. Computers & Security, Volume 128, 2023.
What makes PeerRemove notable is that it is protocol-agnostic and topology-agnostic. It was evaluated against six real or synthetic P2P botnet topologies: Sality, ZeroAccess, NSIS.ay, Mozi, Gnutella, and a peer sampling service network. Across all six, PeerRemove's sequential removal strategy produced a lower Area Under the Curve for LCC size than five competing classical methods: degree-based attack (HAD), PageRank, collective influence (CI), betweenness-percolation decomposition (BPD), and high-performance reinforcement-based attack (HPRA). The lower AUC means the network fractures faster with fewer nodes removed.
This matters operationally because enumeration of a live botnet graph is never complete. A defender can realistically identify perhaps 60 to 80 percent of active nodes before the topology shifts due to churn. Articulation points in the observed subgraph may or may not correspond to articulation points in the full graph. PeerRemove's approach, by learning from the remaining botnet state sequentially at each step, adapts to incomplete information in a way that a static Tarjan computation on an incomplete crawl cannot. The two approaches are complementary rather than competing: Tarjan identifies structural vulnerability in the portion of the graph that has been mapped; reinforcement-learning-based methods approximate the best removal sequence when the full topology is unknown.
A separate and earlier line of work, the Purdue graph-theoretic isolation framework by Jaikumar and Kak (published in Security and Communication Networks), approached the problem from the opposite direction: rather than poisoning articulation points to partition the botnet, it proposed network-level isolation of the biconnected components of the botnet graph, with each component treated as a unit for quarantine. A biconnected component is a maximal subgraph with no articulation points—every pair of vertices in the component has two vertex-disjoint paths between them. Partitioning the botnet at its articulation points yields exactly these biconnected components as the residual isolated fragments. The Jaikumar-Kak framework formalized the relationship between articulation-point identification and practical isolation at the network perimeter level.
The research direction attracting the sharpest academic attention as of 2026 is the combination of graph neural networks with botnet topology inference. A February 2024 paper in Computers & Security introduced PeerG, a P2P botnet detection method based on representation learning and graph contrastive learning, explicitly designed for botnets with complex topology and communication behavior. The capability to infer topology from partial traffic observation without full crawl access is a prerequisite for making articulation-point targeting practical under operational time constraints.
Big data approaches have also entered the picture. Work combining behavioral analytics with graph-theoretic notions, validated against the Carna botnet dataset and darknet traffic, demonstrated that the structural "niche" of a botnet—the cluster of nodes most active in command-and-control communication and infection propagation—bears a direct structural relationship to the articulation points and bridges of the communication graph. The nodes responsible for the heaviest C2 traffic are disproportionately likely to be sitting on topological chokepoints, making behavioral analytics and graph-theoretic targeting mutually reinforcing rather than alternative approaches.
Operational Approaches the Literature Has Not Consolidated
The methods above—PeerRemove, PeerG, and behavioral-graph correlation—represent the academic frontier. But they leave a set of concrete operational mechanisms largely unaddressed. These are not theoretical proposals waiting for future research; they are capabilities that exist today in production network infrastructure and have simply never been applied to graph-theoretic botnet targeting.
Temporal articulation-point tracking. The article's central barrier—that a static Tarjan pass on a stale crawl produces unreliable targets—has a direct mitigation that the literature treats as implicit but never operationalizes. Rather than computing articulation points once and treating the output as a target list, defenders should run continuous low-rate crawls and compute AP deltas across sliding time windows. A node that Tarjan flags as an articulation point in 80 percent or more of snapshots taken over a 30-day observation period is a structural invariant, not a churn artifact. The intersection of articulation-point sets across snapshots converges on the botnet's genuine topological fault lines. This temporal filtering directly addresses both the stale-topology problem (the map is continuously refreshed, not computed once and left to age) and the false-positive problem (transient APs that appear in a single snapshot but disappear in the next are automatically excluded). The computational cost is negligible: Tarjan runs in O(V + E) on each snapshot, and the intersection operation is a simple set comparison. No new algorithm is required—only a change in the operational cadence of how existing algorithms are applied.
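The sliding-window filtering described above, as an added example that is not code from the original article. It runs Tarjan's algorithm over a series of constructed crawl snapshots (a long-uptime node r bridging two clusters, plus churn and freshly joined leaf bots) and keeps only nodes flagged in at least 80 percent of snapshots; the node names and snapshots are constructed for illustration.

```python
"""Temporal articulation-point tracking across crawl snapshots (constructed data)."""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

Edge = Tuple[str, str]


def build_adjacency(edges: Iterable[Edge]) -> Dict[str, Set[str]]:
    """Undirected adjacency list from a crawled peer-list edge set."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def articulation_points(adj: Dict[str, Set[str]]) -> Set[str]:
    """Tarjan's cut-vertex detection in O(V + E); restarts DFS on every
    unvisited node so an incomplete, disconnected crawl is still covered."""
    disc: Dict[str, int] = {}
    low: Dict[str, int] = {}
    aps: Set[str] = set()
    timer = 0

    def dfs(u: str, parent: Optional[str]) -> None:
        nonlocal timer
        disc[u] = low[u] = timer
        timer += 1
        children = 0
        for v in adj[u]:
            if v not in disc:
                children += 1
                dfs(v, u)
                low[u] = min(low[u], low[v])
                # non-root: v's subtree cannot climb above u except through u
                if parent is not None and low[v] >= disc[u]:
                    aps.add(u)
            elif v != parent:
                low[u] = min(low[u], disc[v])  # back edge to an ancestor
        if parent is None and children > 1:     # root with two DFS children
            aps.add(u)

    for node in adj:
        if node not in disc:
            dfs(node, None)
    return aps


def stable_articulation_points(snapshots: List[Iterable[Edge]],
                               threshold: float = 0.8) -> Dict[str, float]:
    """Fraction of snapshots in which each node was a cut vertex, keeping only
    nodes at or above `threshold` (the 80 percent invariant rule in the text)."""
    counts: Dict[str, int] = defaultdict(int)
    for edges in snapshots:
        for node in articulation_points(build_adjacency(edges)):
            counts[node] += 1
    n = len(snapshots)
    return {node: c / n for node, c in counts.items() if c / n >= threshold}


def clique(nodes: List[str]) -> List[Edge]:
    return [(x, y) for i, x in enumerate(nodes) for y in nodes[i + 1:]]


def without(edges: List[Edge], node: str) -> List[Edge]:
    """Simulate churn: drop every edge touching an offline node."""
    return [e for e in edges if node not in e]


# Constructed overlay: two tightly meshed clusters joined only through r,
# a long-uptime router that knows two peers on each side.
CLUSTER_A = ["a1", "a2", "a3", "a4"]
CLUSTER_B = ["b1", "b2", "b3", "b4"]
BASE = clique(CLUSTER_A) + clique(CLUSTER_B) + [
    ("r", "a1"), ("r", "a2"), ("r", "b1"), ("r", "b2")]

# Five daily crawls (constructed). Leaf bots l1/l2 know a single peer, so
# their parent looks like a cut vertex for exactly one snapshot.
SNAPSHOTS: List[List[Edge]] = [
    BASE + [("a3", "l1")],                   # day 1: new bot l1 only knows a3
    without(BASE, "a4"),                     # day 2: a4 offline
    without(BASE, "b3") + [("b4", "l2")],    # day 3: b3 offline, new leaf on b4
    BASE,                                    # day 4: complete crawl
    without(BASE, "a2"),                     # day 5: a2 offline, a1 is r's only A-side peer
]

if __name__ == "__main__":
    for day, edges in enumerate(SNAPSHOTS, start=1):
        print(f"day {day}: cut vertices {sorted(articulation_points(build_adjacency(edges)))}")
    print("stable articulation points:", stable_articulation_points(SNAPSHOTS))
```

Only r survives the 80 percent filter; a1, a3 and b4 each appear in a single snapshot and are discarded as churn artifacts.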
k-vertex cut targeting for biconnected topologies. When Tarjan's algorithm returns an empty set against a biconnected botnet graph—the situation the article identifies as the third adoption barrier—the standard fallback is betweenness centrality, which is computationally expensive at O(V × E) and produces a ranking rather than a partition guarantee. A more precise fallback exists. Algorithms for computing minimum k-vertex cuts—the smallest set of k nodes whose simultaneous removal disconnects the graph—can identify 2-vertex or 3-vertex cut sets in graphs that have no single cut vertex. The Kanevsky algorithm, for instance, enumerates all minimum vertex cuts in O(V² × E) time. Against a biconnected botnet with 50,000 nodes, this is computationally tractable on modern hardware and produces an exact set of nodes to target simultaneously rather than a ranked list of candidates. A botnet that has been engineered to eliminate all single-vertex articulation points may still have a small set of two or three nodes whose coordinated removal produces a partition. The operational requirement shifts from removing one node to removing two or three simultaneously—harder, but far more achievable than the hundreds or thousands of nodes required for uniform poisoning.
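The fallback described above on a constructed biconnected overlay, as an added example that is not code from the original article. Two peer rings joined by two cross-links have no single cut vertex (a Tarjan pass returns the empty set), yet an exhaustive search finds every 2-node set whose simultaneous removal partitions the graph; the exhaustive search stands in for Kanevsky's algorithm, which the text cites, and is only meant for crawls of modest size.

```python
"""Minimum vertex-cut fallback for a biconnected botnet overlay (constructed graph)."""
from collections import defaultdict, deque
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Edge = Tuple[str, str]


def build_adjacency(edges: Iterable[Edge]) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = defaultdict(set)
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def is_connected(adj: Dict[str, Set[str]], removed: Set[str]) -> bool:
    """BFS reachability over the graph with the nodes in `removed` deleted."""
    remaining = [n for n in adj if n not in removed]
    if len(remaining) < 2:
        return True
    seen = {remaining[0]}
    queue = deque([remaining[0]])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in removed and v not in seen:
                seen.add(v)
                queue.append(v)
    return len(seen) == len(remaining)


def minimum_vertex_cuts(adj: Dict[str, Set[str]],
                        max_k: int = 3) -> Tuple[Optional[int], List[Set[str]]]:
    """Smallest k <= max_k for which some k-node set disconnects the graph, with
    every such set. k == 1 reproduces the articulation points; k >= 2 is the
    fallback when there are none. Exhaustive over C(V, k) subsets, each checked
    with one BFS, so it is illustrative rather than a substitute for Kanevsky's
    polynomial enumeration on a 50,000-node crawl."""
    nodes = sorted(adj)
    for k in range(1, max_k + 1):
        cuts = [set(c) for c in combinations(nodes, k)
                if not is_connected(adj, set(c))]
        if cuts:
            return k, cuts
    return None, []


def ring(nodes: List[str]) -> List[Edge]:
    return [(nodes[i], nodes[(i + 1) % len(nodes)]) for i in range(len(nodes))]


# Constructed biconnected overlay: two 4-node peer rings with two cross-links.
# Every node has two vertex-disjoint paths to every other node.
BICONNECTED: List[Edge] = (ring(["a1", "a2", "a3", "a4"])
                           + ring(["b1", "b2", "b3", "b4"])
                           + [("a1", "b1"), ("a3", "b3")])


def analyse(edges: Iterable[Edge]) -> Tuple[Optional[int], Set[FrozenSet[str]]]:
    """Return the minimum cut size and the set of all minimum cuts."""
    k, cuts = minimum_vertex_cuts(build_adjacency(edges))
    return k, {frozenset(c) for c in cuts}


if __name__ == "__main__":
    k, cuts = analyse(BICONNECTED)
    if k == 1:
        print("single cut vertices present:", sorted(next(iter(c)) for c in cuts))
    else:
        print(f"no single cut vertex; minimum simultaneous removal set has k={k} nodes")
        for c in sorted(sorted(c) for c in cuts):
            print("  removing", " + ".join(c), "partitions the overlay")
```

The four minimum cuts are exactly the pairs that sever both cross-links or isolate a ring segment ({a1, a3}, {b1, b3}, {a1, b3}, {a3, b1}); every single-node removal leaves the overlay connected.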
BGP-level selective null-routing at the carrier layer. ISPs already deploy Remotely Triggered Black Hole (RTBH) routing as a standard DDoS mitigation tool. The mechanism is well understood: an ISP announces a /32 host route with a well-known blackhole BGP community string to its upstream peers, causing all traffic destined for that IP to be dropped at the network edge. This same mechanism can surgically null-route a specific botnet articulation-point node's IP address without affecting any other traffic on the carrier's network. No court authorization is required for an ISP to null-route traffic on its own infrastructure. The operational gap is not technical capability—every Tier 1 and Tier 2 carrier has RTBH infrastructure deployed—but the absence of any coordination framework that feeds graph-theoretic intelligence from botnet researchers to the carriers who have the BGP-level authority to act on it. A formalized threat-sharing pipeline between organizations conducting botnet topology analysis (CISA, Shadowserver, Black Lotus Labs) and ISP security operations centers could make carrier-level null-routing of identified articulation-point IPs an operational reality within existing legal and technical frameworks.
Vendor firmware-level remediation. The KV-botnet demonstrated that end-of-life Cisco and Netgear routers formed the structural backbone of a state-sponsored proxy network, and the operators at no point lost the ability to push updates to those devices. The KadNap botnet, identified in August 2025 and documented at over 14,000 compromised ASUS routers by March 2026, reinforces the same pattern: edge devices with auto-update channels that the vendor controls but does not use for remediation. Router vendors with firmware update infrastructure have a mechanism that law enforcement lacks—the ability to push targeted remediation to specific device models without a court order, without interagency coordination, and at network speed. The operational model would be a vendor-initiated firmware push that resets peer-list state on devices identified as botnet participants, severing their overlay connections without requiring the device owner to take any action. This is not speculative capability; it is the same auto-update mechanism that vendors already use to deploy feature updates and security patches to supported devices. The question is whether vendors will extend that mechanism to end-of-life devices whose compromise they have been made aware of. The precedent so far is that they will not, but the legal and technical barriers are minimal compared to the law enforcement path.
Coordinated multi-layer simultaneous strike. The article describes infrastructure seizure as a follow-on action after graph-level partitioning. In practice, the rebuild window for a competent operator is measured in hours. The deeper operational model is full simultaneity across layers: graph-level AP poisoning, DNS sinkholing of the operator's known fallback domains, BGP RTBH null-routing of identified AP node IPs at the carrier level, and VPS infrastructure seizure—all triggered within the same operational window. Each layer addresses a different aspect of the operator's recovery path. Graph poisoning fragments the overlay topology. DNS sinkholing blocks domain-based fallback C2 resolution. BGP null-routing prevents the AP nodes from re-establishing network-layer connectivity even if the overlay poisoning is circumvented. VPS seizure removes the backend compute infrastructure the operator needs to coordinate reconstruction. No single layer is sufficient against a state-level adversary with pre-positioned redundancy. Executed simultaneously, they force the operator to solve four independent recovery problems at once, each on a different timeline and requiring different resources. The coordination overhead is the binding constraint—but it is an organizational problem, not a technical one.
Proxy marketplace supply chain constriction. Modern botnets increasingly exist not as standalone criminal tools but as supply infrastructure for commercial proxy-as-a-service marketplaces. The KadNap botnet feeds the Doppelgänger proxy service (assessed as a rebrand of the earlier Faceless service); the Aisuru/Kimwolf botnet powers residential proxy services marketed to customers who may not know or care about the source of the proxied bandwidth. Disrupting the botnet's overlay graph is necessary but insufficient when the economic incentive to rebuild is sustained by a functioning marketplace. Targeting the marketplace layer—takedown of proxy service domains, seizure of payment processing accounts, and prosecution of marketplace operators—raises the economic cost of botnet recruitment in a way that graph-level disruption alone cannot. Operation Endgame's seizure of cryptocurrency during its enforcement actions represents a nascent version of this approach, but the proxy marketplace layer has not yet been systematically targeted as part of a coordinated botnet takedown. Constricting the supply chain that converts compromised devices into revenue is what makes graph-level disruption permanent rather than temporary.
Why Takedown Operators Haven't Adopted Articulation-Point Poisoning
Given that the theory is well established, the algorithms are efficient, and the research validations are solid, the obvious question is why no documented operational takedown has explicitly used articulation-point analysis during the poisoning phase. Several converging factors explain the gap.
The first is the enumeration problem. Tarjan's algorithm requires a connected graph as input. Botnet crawlers operating under time pressure and against anti-crawling defenses will never map the full graph. Botnets like DUSTBot were explicitly designed with peer list exchange algorithms resistant to routing table poisoning and crawling. Some botnets authenticate peer lists cryptographically or rotate them on short timescales, deliberately preventing a stable graph from being reconstructed. An incomplete graph may have apparent articulation points that are artifacts of the mapping gap rather than genuine structural chokepoints. Injecting sinkhole traffic at a false articulation point wastes resources and alerts operators to the crawl without delivering a partition.
There is a second dimension to the enumeration problem that the literature addresses less directly: crawling a live botnet is not a passive observation. The act of crawling modifies the graph. When a crawler connects to an infected host and requests its peer list, that host records the crawler's address as a new peer. If the crawler is operating at the frequency needed to map a large overlay accurately, it is also injecting connections into the graph at every node it visits. A botnet monitoring system that detects an unusual surge of inbound peer requests from previously unseen addresses may flag the crawl to operators before it is complete. Several botnet families have implemented crawler-detection heuristics specifically because they were being mapped: Sality's peer list exchange protocol incorporated a degree-limiting mechanism that slowed the rate at which any single new peer could accumulate connections, directly impeding the kind of high-frequency crawling needed to derive a topologically accurate snapshot. Getting the data required to run Tarjan can itself burn the operation.
The second factor is the legal and coordination framework. Law enforcement takedown operations require court authorization, coordination across multiple jurisdictions, and defined operational windows. The time from network mapping to execution may be weeks or months. In that window, the articulation points identified during crawling may have shifted due to churn, new infections, or operator-side restructuring. A static articulation-point map computed at time T may be topologically stale by time T plus 60 days. The KV-botnet case is instructive: Black Lotus Labs tracked the botnet for months before the FBI executed the disruption warrant, and the botnet operators were actively restructuring within two days of the warrant's execution.
The third factor is the design of modern P2P botnet topologies. Operators have learned. ZeroAccess, Gameover Zeus, and Sality were each designed with high-connectivity peer lists specifically to resist targeted node removal. Gameover Zeus, described in an analysis by Andriesse, Rossow, Stone-Gross, Plohmann, and Bos as "highly resilient," maintained structured overlay topologies where each bot maintained connections to a fixed-size peer list drawn from a large address space, producing near-random topologies with few true articulation points. When a botnet operator constructs the peer graph to be biconnected by design—no articulation points exist—Tarjan's algorithm reports an empty set and the strategy has nothing to target.
The fourth factor is that operational poisoning has focused on winning the command propagation race rather than winning the topological partition. In botnets where commands are authenticated by the operator's signing key but peer list updates are not, defenders can flood peer lists with sinkhole addresses faster than the operator can refresh them with legitimate addresses. This race condition does not require topology analysis; it requires volume and speed. The Dridex and Hlux operations succeeded primarily on this basis. Articulation-point poisoning would add a targeting layer on top of the volume strategy—spending more sinkhole injection budget on topologically critical nodes—but the volume strategy alone has been sufficient against botnets with unauthenticated peer lists.
The fifth and perhaps most significant factor is that state-level adversaries like Volt Typhoon build proxy networks with operational redundancy built in from the start. The KV-botnet's resilience was not purely topological. Its operators had pre-positioned fallback infrastructure at commercial VPS providers—including Digital Ocean, Quadranet, and Vultr—and had embedded bridge nodes in geographically distributed locations, including a VPN device in New Caledonia serving as a covert relay between Asia-Pacific and American network segments. This provided topological redundancy independently of peer list management. Even a perfect articulation-point partition of the peer graph would not eliminate a botnet whose operators have out-of-band C2 channels and pre-staged replacement infrastructure.
A sixth factor, specific to the current threat landscape, is that the KV-botnet architecture was itself split into two functionally distinct clusters. Lumen's analysis identified a KV cluster, used for manual high-value operations against specific targets, and a JDY cluster, used for broader scanning and propagation. The FBI disruption warrant targeted the KV cluster. The JDY cluster fell silent for approximately fifteen days following public disclosure, then resumed. This cluster-level redundancy means that even topologically successful disruption of one graph component leaves a parallel infrastructure operational. Articulation-point analysis applied to one cluster's graph tells the defender nothing about the topology of the parallel cluster it did not crawl.
A seventh factor rarely acknowledged is the question of who can legally act on articulation-point intelligence when it is available. Law enforcement requires court authorization that takes time. But ISPs, internet exchange operators, and router vendors sit in a structurally different position. A carrier that hosts the IP range containing a node identified as an articulation point in a botnet graph can null-route that address, push a firmware notification to the device, or contact the subscriber — without any of the interagency coordination that slows law enforcement timelines. CISA's Known Exploited Vulnerabilities catalog and the joint advisories targeting Volt Typhoon were explicitly addressed to network defenders, not prosecutors, for exactly this reason. The theoretical question of whether a non-law-enforcement actor could perform articulation-point-informed disruption of a botnet operating across infrastructure they control has no clean legal answer, but it is a more tractable operational question than waiting for a court warrant to mature. Router vendors like Cisco and Netgear, whose end-of-life devices formed the backbone of the KV-botnet, had the technical ability to push disruption signals directly to affected devices. None did.
What the Operation Would Actually Look Like
The article has, so far, argued the theory and catalogued the barriers. The question that follows naturally — and that the literature largely sidesteps — is what articulation-point poisoning would look like as a concrete operational sequence if those barriers were managed. A hypothetical operation built on this approach would have roughly five phases, each with distinct technical requirements and failure modes. Step through them below.
Phase 01 Sustained Covert Crawling
Rather than the high-intensity crawl that precedes a traditional sinkhole operation, articulation-point targeting requires extended observation at a low crawl rate — ideally over weeks or months — to derive a topologically stable snapshot. The goal is not enumeration completeness in a single pass but longitudinal consistency: identifying which nodes remain present across multiple snapshots and which edges persist across churn cycles.
A node that appears in every snapshot taken over thirty days and always occupies the same structural position in the overlay is a genuine chokepoint. A node that appears once and vanishes is noise. The Strobo-Crawler methodology, with its focus on temporal graph accuracy rather than instantaneous coverage, is the right model for this phase.
High crawl rates trigger anti-crawling heuristics in families like Sality. Degree-limiting peer exchange mechanisms will slow your coverage and may alert operators that a crawl is underway before your graph is complete enough to run Tarjan.
Phase 02 Topology Computation and Target Selection
Once a sufficiently stable multi-snapshot graph is available, Tarjan's algorithm runs on the intersection graph — the subgraph composed only of edges and nodes that have persisted across a defined stability window. The output is a ranked list of articulation points sorted by the size differential they produce.
A cut vertex whose removal splits a 1,400-node network into two components of 900 and 500 is a higher-priority target than one that splits it into 1,395 and 5. Bridges — single edges whose removal partitions the graph — are identified in the same pass. This phase is computationally trivial once the input graph exists. The algorithm runs in O(V + E) — linear time.
Incomplete graph coverage produces false articulation points that are artifacts of mapping gaps rather than genuine structural chokepoints. Injecting at a false cut vertex wastes resources without delivering a partition and may signal your topology-analysis activity to the operator.
Phase 03 Simultaneous Sinkhole Injection
Flood the peer lists of all identified articulation-point nodes simultaneously with sinkhole-controlled addresses. Timing here matters more than in traditional poisoning operations. Because the defender is targeting a small, specific set of nodes rather than flooding the entire peer space, the operator needs only a few of those targeted nodes to survive in order to route around the disruption.
The injection must reach the articulation-point nodes' peer lists before the operator can push a peer list refresh. Sequential injection — hitting one cut vertex at a time — allows the operator to observe the pattern and respond. The strike must be simultaneous across all identified targets.
Botnets with cryptographically authenticated peer lists (some Gameover Zeus variants) can reject injected sinkhole entries. In these cases the injection succeeds as a denial-of-service on those nodes but does not redirect traffic — the peer list slot is simply discarded, and the partition does not occur.
Phase 04 Managing the Partition
Once articulation points are sinkholed, the network partitions into isolated subgraphs. The decay is asymmetric. The fragment still connected to the operator's signing key and C2 infrastructure will actively attempt to rebuild — it has motivation and resources. The fragments cut off from that path will degrade passively through churn: bots that reboot or get patched leave without replacements arriving, because the operator's initial access broker pipeline routes back through C2.
This asymmetry means defenders should concentrate follow-on sinkholing effort on the fragment that retains the operator's C2 pathway, not attempt to maintain equal pressure on all fragments. The isolated fragments are already dying; the connected fragment is the active threat.
Isolated fragments executing cached instructions — lateral movement, credential harvesting, exfiltration to pre-configured staging servers — remain operationally dangerous for weeks even without C2. SOHO-targeting botnets can retain 40–60% of an isolated fragment for thirty days or more. Passive decay is not a substitute for active follow-on disruption.
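The following Python is an added worked example, not code from the article or from any of the crawlers or research tools it cites. It strings together the Phase 01 persistence filter over several crawl snapshots, the Phase 02 Tarjan computation with cut vertices ranked by the size of the split they produce, the false-articulation-point caveat, and the Phase 04 classification of fragments by whether they still hold a C2 path. The toy overlay, the four daily snapshots, and the assumption that node F is known from other intelligence to hold an out-of-band path to the operator are all constructed for illustration. The article prescribes the strict intersection graph; the `min_snapshots` threshold, which lets an edge survive a single crawl miss, is a generalization added here.

```python
"""Articulation-point analysis of a P2P overlay rebuilt from repeated peer-list crawls.
Added worked example; the crawl snapshots below are constructed, not real data."""
from collections import Counter, defaultdict

# Constructed stable overlay: a biconnected core A-B-C-D (with chord A-C), a second
# cluster E-F-G reachable through both C-E and D-G, and a pendant node H hanging off B.
STABLE = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "A"), ("A", "C"), ("C", "E"),
          ("E", "F"), ("F", "G"), ("G", "E"), ("B", "H"), ("D", "G")]
# Four constructed daily crawls, each a list of (node, peer it listed) pairs.
SNAPSHOTS = [
    STABLE + [("A", "F")],                   # day 1: short-lived churn edge A-F
    [e for e in STABLE if e != ("D", "G")],  # day 2: the crawler missed edge D-G
    STABLE + [("A", "X")],                   # day 3: transient node X, seen once
    STABLE,                                  # day 4: clean crawl
]
C2_RELAYS = {"F"}  # hypothetical: F is known to hold an out-of-band path to the operator


def persistent_graph(snapshots, min_snapshots):
    """Undirected adjacency of the edges seen in at least min_snapshots crawls.
    min_snapshots == len(snapshots) is the strict intersection graph; a lower
    threshold tolerates a single crawl miss (an edge missing from one snapshot)."""
    counts = Counter(edge for snap in snapshots for edge in {frozenset(e) for e in snap})
    adj = defaultdict(set)
    for edge, seen in counts.items():
        if seen >= min_snapshots:
            a, b = tuple(edge)
            adj[a].add(b)
            adj[b].add(a)
    return dict(adj)


def articulation_points_and_bridges(adj):
    """Tarjan's O(V+E) low-link DFS, iterative so large overlays never hit the recursion limit."""
    disc, low, aps, bridges, timer = {}, {}, set(), set(), 0
    for root in adj:
        if root in disc:
            continue
        disc[root] = low[root] = timer
        timer, root_children = timer + 1, 0
        stack = [(root, None, iter(adj[root]))]  # (node, DFS parent, neighbours not yet scanned)
        while stack:
            node, parent, neighbours = stack[-1]
            descended = False
            for nbr in neighbours:
                if nbr == parent:
                    continue
                if nbr not in disc:  # tree edge: descend into nbr
                    disc[nbr] = low[nbr] = timer
                    timer += 1
                    if node == root:
                        root_children += 1
                    stack.append((nbr, node, iter(adj[nbr])))
                    descended = True
                    break
                low[node] = min(low[node], disc[nbr])  # back edge to an ancestor
            if descended:
                continue
            stack.pop()  # node fully explored: propagate its low-link to the parent
            if parent is not None:
                low[parent] = min(low[parent], low[node])
                if low[node] > disc[parent]:
                    bridges.add(frozenset((parent, node)))
                if parent != root and low[node] >= disc[parent]:
                    aps.add(parent)
        if root_children > 1:
            aps.add(root)
    return aps, bridges


def connected_components(adj, removed=frozenset()):
    """Components of the overlay once the nodes in `removed` are deleted."""
    seen, comps = set(removed), []
    for start in adj:
        if start not in seen:
            comp, stack = set(), [start]
            seen.add(start)
            while stack:
                n = stack.pop()
                comp.add(n)
                stack += [m for m in adj[n] if m not in seen]
                seen.update(adj[n])
            comps.append(comp)
    return comps


def rank_cut_vertices(adj, aps):
    """Rank cut vertices by how many nodes their removal detaches from the largest
    surviving component, so a 900/500 split outranks a 1,395/5 split."""
    ranked = []
    for ap in aps:
        sizes = sorted((len(c) for c in connected_components(adj, {ap})), reverse=True)
        ranked.append((ap, len(adj) - 1 - sizes[0], sizes))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def classify_fragments(adj, removed, c2_relays):
    """Tag each post-partition fragment 'connected' if it still holds a node with an
    out-of-band C2 path (it will try to rebuild) or 'isolated' (it decays through churn)."""
    return [("connected" if comp & c2_relays else "isolated", comp)
            for comp in connected_components(adj, removed)]
```

Run over the four constructed snapshots, the strict intersection (`min_snapshots=4`) drops the D-G edge that the day-2 crawl missed and reports C and E as cut vertices ranked ahead of B, even though the stable overlay has only one genuine cut vertex, B, whose removal detaches the pendant node H. A threshold of three keeps D-G and reports B alone: the false chokepoints are an artifact of one mapping gap, exactly the failure the Phase 02 caveat describes. Removing C from the strict graph yields two fragments, {E, F, G} tagged connected because it contains the assumed relay F, and {A, B, D, H} tagged isolated, which is the split that tells the defender where to concentrate follow-on pressure.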
Phase 05 The Reconstruction Race
The operator, once they detect the partition, will attempt to bridge the separated subgraphs by establishing new connections between surviving nodes. This is topologically harder than it sounds: re-bridging requires introducing new nodes — typically freshly compromised devices — into both subgraphs simultaneously and connecting them. That process takes hours at minimum and potentially days, as the KV-botnet case demonstrated.
Defenders who understand this dynamic should use the partition window not to declare victory but to execute simultaneous infrastructure seizure against the operator's C2 backend, initial access broker relationships, and VPS hosting accounts. The partition buys time. Infrastructure seizure is what raises the cost of the next rebuild cycle.
State-level adversaries with pre-positioned fallback infrastructure — as documented in Volt Typhoon's use of Digital Ocean, Quadranet, and Vultr VPS accounts — can accelerate reconstruction significantly. The rebuild window may be 48 hours or less. Any infrastructure seizure action that requires additional court authorization after the partition will likely miss that window.
An isolated botnet subgraph cut off from its C2 path will decay through natural churn — but not immediately, and not cleanly. Bots in the fragment will continue executing whatever instructions they last received. If those instructions include lateral movement, credential harvesting, or data exfiltration to pre-configured staging servers, the fragment remains operationally dangerous even after the partition. Decay timelines vary by botnet family: botnets targeting high-uptime SOHO infrastructure may retain 40 to 60 percent of their isolated fragment for thirty days or more. Passive decay is not a substitute for active follow-on disruption of each isolated subgraph.
Key Takeaways
- The structural argument is sound. Articulation points in a P2P botnet graph are provably the minimal set of nodes whose removal partitions the network into disconnected subgraphs. Tarjan's algorithm, published in 1972 and unchanged in its fundamentals since, identifies them in linear time from any connected graph snapshot, making computation tractable even at botnet scale.
- Operational takedowns have not exploited this. The Dridex, Hlux/Kelihos, Gameover Zeus, and KV-botnet disruption operations all deployed peer list poisoning as an attrition strategy, not a topologically targeted one. The gap is not theoretical ignorance—the research has been clear since at least Rossow et al. 2013—it is a function of enumeration incompleteness, legal operation windows, and botnet design countermeasures.
- Sophisticated operators design against it. Botnets like ZeroAccess and Gameover Zeus were engineered with high connectivity and distributed peer selection that approximates biconnectivity, eliminating natural articulation points. Targeting articulation points in a well-designed P2P botnet is not an option because the operator has already removed them by construction.
- Learned sequential removal is the practical evolution. PeerRemove and similar reinforcement-learning-based methods sidestep the static articulation-point limitation by adapting the removal sequence to the evolving botnet state. Against topologies where no single node is a cut vertex, sequential removal targeting the nodes that maximize LCC fragmentation per removal step remains effective.
- The most dangerous adversaries have redundancy beyond the P2P graph. State-sponsored operators like Volt Typhoon embed out-of-band relay infrastructure and geographic diversity that makes any purely graph-theoretic disruption insufficient on its own. Articulation-point poisoning needs to be combined with simultaneous infrastructure seizure and rapid follow-on action during the rebuild window.
- Operation Endgame demonstrated what serial pressure looks like. Three seasons across 2024 and 2025 produced cumulative results—server seizures, arrests, credential recovery, and sustained disruption of initial-access ecosystems—that no single operation could achieve. The model of ongoing, intel-driven sequential disruption is exactly the operational framework that graph-theoretic targeting would need to be effective: not a one-time strike, but a campaign that revisits the same network as it rebuilds and targets newly formed chokepoints as they emerge.
- Partitioning the botnet is the beginning, not the end. Isolated subgraphs decay through churn but not quickly, and fragments cut off from the C2 path may remain operationally active for weeks executing cached instructions. The partition window must be used for simultaneous infrastructure seizure against the operator's backend — VPS accounts, initial access broker relationships, and signing key infrastructure — not treated as a conclusion. The asymmetry between the connected fragment (which will actively rebuild) and the isolated fragments (which will passively decay) should determine where defenders concentrate follow-on pressure.
The theory is ahead of the operations, but that gap is narrowing. As graph neural network-based topology inference matures and high-frequency crawling tools improve the accuracy of real-time botnet graph snapshots, the preconditions for articulation-point targeting during live operations become increasingly achievable. The legal and coordination frameworks remain the binding constraint — but that constraint does not apply equally to all actors. ISPs, exchange operators, and the router vendors whose hardware forms the physical layer of state-sponsored proxy botnets have technical reach and legal standing that law enforcement does not. The question for the next generation of takedown operations is not only whether graph-theoretic targeting is possible, but who executes it and under what authority. The KV-botnet operators responded within forty-eight hours of the December 2023 warrant execution. The router vendors whose end-of-life devices made that botnet possible had the ability to act earlier, faster, and without a court order. They did not. Articulation-point poisoning buys time. It does not guarantee elimination. What the defender does with that fractured window—and how quickly they can coordinate across the full range of actors who have standing to act—is what determines whether the disruption holds.