top of page

Kimwolf Botmaster 'Dort' Arrested and Charged in U.S. and Canada

  • May 22
  • 3 min read

Key Findings


  • 23-year-old Jacob Butler of Ottawa arrested Wednesday on suspicion of operating Kimwolf, a massive IoT botnet that infected millions of devices

  • Kimwolf launched over 25,000 DDoS attacks measuring up to 30 terabits per second, the highest recorded volume, causing financial losses exceeding $1 million for some victims

  • Butler faces charges in both the United States and Canada, with potential 10-year prison sentence if extradited and convicted in U.S. court

  • March 2026 coordinated international operation seized infrastructure for Kimwolf and three competing botnets, disabling over 300,000 collective attacks

  • Butler made significant operational security mistakes, using the same IP addresses and device cookies across personal and criminal accounts, enabling investigators to connect his real identity to the Dort alias


Background


The Kimwolf botnet operated primarily as a DDoS-for-hire service that targeted Internet-of-Things devices traditionally firewalled from the broader internet, such as digital photo frames and web cameras. Once infected, these devices were either rented to other cybercriminals or forced into participating in massive coordinated attacks. The botnet was particularly effective at spreading, eventually compromising over 2 million Android TV devices after operators figured out how to abuse residential-proxy networks for local control.


The Record-Breaking Attack Scale


Kimwolf distinguished itself through the sheer volume of its attacks. At peak capacity, the botnet generated DDoS traffic measuring nearly 30 terabits per second—a record in documented DDoS attack volume. Over a six-month operational period, the botnet issued more than 25,000 attack commands targeting various victims, with financial impacts that in some cases exceeded $1 million per target. Notably, Department of Defense networks were among the victims, prompting involvement from the Defense Criminal Investigative Service in the investigation.


Public Unmasking and Continued Harassment


Security researcher Brian Krebs publicly identified Butler as the Kimwolf botmaster in February 2026 after analyzing his email addresses, cybercrime forum registrations, and posts on public Telegram and Discord servers. Rather than ceasing operations, Butler escalated his harassment campaign against researchers who had exposed him. He claimed responsibility for at least two swatting attacks targeting Ben Brundage, founder of Synthient, a security startup that had identified and helped patch a critical vulnerability Kimwolf was exploiting for rapid spread. This aggressive response ultimately drew increased law enforcement attention to his activities.


Investigative Breakthrough and Operational Security Failures


Investigators connected Butler to Kimwolf through overlapping IP addresses, online account information, transaction records, and messaging application data obtained through legal process. The criminal complaint reveals Butler made elementary mistakes in separating his real-life and cybercriminal identities. He repeatedly used the same IP address to access multiple email accounts registered under his true name alongside Discord accounts linked to Kimwolf operations. While he attempted to use proxy and VPN addresses to evade detection, investigators noted he did not use these tools consistently, creating a traceable pattern that proved his undoing.


International Takedown Operation


On March 19, U.S. authorities joined international law enforcement partners in seizing technical infrastructure powering Kimwolf and three competing botnets—Aisuru, JackSkid, and Mossad—all competing for control of the same vulnerable device pools. The combined operation disabled over 300,000 attacks and took offline infrastructure supporting three million compromised devices. During this operation, Canadian authorities executed a search warrant at Butler's Ottawa residence and seized multiple devices, though they did not arrest him until two months later following the unsealing of U.S. charges.


Current Status and Ongoing Concerns


Butler remains in Canadian custody awaiting an initial court hearing scheduled for May 26. He faces charges in Canada for unauthorized computer use, possession of devices to obtain unauthorized system access, and computer mischief. In the United States, he is charged with aiding and abetting computer intrusion, with potential sentencing up to 10 years if extradited and convicted, though actual sentencing would likely be reduced by mitigating factors including his age, lack of prior criminal history, and potential cooperation with investigators.


Despite the March takedown, court records indicate the Kimwolf botnet has resumed operations, suggesting that while individual operators may be captured, the underlying vulnerability of hundreds of millions of poorly secured IoT devices continues to fuel the botnet ecosystem. Security experts note that until fundamental solutions address the proliferation of insecure IoT devices connected to sensitive networks, law enforcement will continue playing what amounts to a perpetual game of whack-a-mole against emerging botnet variants.


Sources


  • https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/

  • https://cyberscoop.com/kimwolf-botnet-alleged-administrator-jacob-butler-arrested-canada/

  • https://www.linkedin.com/posts/the-cyber-security-hub_alleged-kimwolf-botmaster-dort-arrested-activity-7463347554878017537-yKul

  • https://malware.news/t/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/107219

  • https://app.daily.dev/posts/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada-krebs-on-security-hb9fzfcgo

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page