Kimwolf Botmaster 'Dort' Arrested and Charged in U.S. and Canada
- May 22
- 3 min read
Key Findings
23-year-old Jacob Butler of Ottawa arrested Wednesday on suspicion of operating Kimwolf, a massive IoT botnet that infected millions of devices
Kimwolf launched over 25,000 DDoS attacks measuring up to 30 terabits per second, the highest recorded volume, causing financial losses exceeding $1 million for some victims
Butler faces charges in both the United States and Canada, with potential 10-year prison sentence if extradited and convicted in U.S. court
March 2026 coordinated international operation seized infrastructure for Kimwolf and three competing botnets, disabling over 300,000 collective attacks
Butler made significant operational security mistakes, using the same IP addresses and device cookies across personal and criminal accounts, enabling investigators to connect his real identity to the Dort alias
Background
The Kimwolf botnet operated primarily as a DDoS-for-hire service that targeted Internet-of-Things devices traditionally firewalled from the broader internet, such as digital photo frames and web cameras. Once infected, these devices were either rented to other cybercriminals or forced into participating in massive coordinated attacks. The botnet was particularly effective at spreading, eventually compromising over 2 million Android TV devices after operators figured out how to abuse residential-proxy networks for local control.
The Record-Breaking Attack Scale
Kimwolf distinguished itself through the sheer volume of its attacks. At peak capacity, the botnet generated DDoS traffic measuring nearly 30 terabits per second—a record in documented DDoS attack volume. Over a six-month operational period, the botnet issued more than 25,000 attack commands targeting various victims, with financial impacts that in some cases exceeded $1 million per target. Notably, Department of Defense networks were among the victims, prompting involvement from the Defense Criminal Investigative Service in the investigation.
Public Unmasking and Continued Harassment
Security researcher Brian Krebs publicly identified Butler as the Kimwolf botmaster in February 2026 after analyzing his email addresses, cybercrime forum registrations, and posts on public Telegram and Discord servers. Rather than ceasing operations, Butler escalated his harassment campaign against researchers who had exposed him. He claimed responsibility for at least two swatting attacks targeting Ben Brundage, founder of Synthient, a security startup that had identified and helped patch a critical vulnerability Kimwolf was exploiting for rapid spread. This aggressive response ultimately drew increased law enforcement attention to his activities.
Investigative Breakthrough and Operational Security Failures
Investigators connected Butler to Kimwolf through overlapping IP addresses, online account information, transaction records, and messaging application data obtained through legal process. The criminal complaint reveals Butler made elementary mistakes in separating his real-life and cybercriminal identities. He repeatedly used the same IP address to access multiple email accounts registered under his true name alongside Discord accounts linked to Kimwolf operations. While he attempted to use proxy and VPN addresses to evade detection, investigators noted he did not use these tools consistently, creating a traceable pattern that proved his undoing.
International Takedown Operation
On March 19, U.S. authorities joined international law enforcement partners in seizing technical infrastructure powering Kimwolf and three competing botnets—Aisuru, JackSkid, and Mossad—all competing for control of the same vulnerable device pools. The combined operation disabled over 300,000 attacks and took offline infrastructure supporting three million compromised devices. During this operation, Canadian authorities executed a search warrant at Butler's Ottawa residence and seized multiple devices, though they did not arrest him until two months later following the unsealing of U.S. charges.
Current Status and Ongoing Concerns
Butler remains in Canadian custody awaiting an initial court hearing scheduled for May 26. He faces charges in Canada for unauthorized computer use, possession of devices to obtain unauthorized system access, and computer mischief. In the United States, he is charged with aiding and abetting computer intrusion, with potential sentencing up to 10 years if extradited and convicted, though actual sentencing would likely be reduced by mitigating factors including his age, lack of prior criminal history, and potential cooperation with investigators.
Despite the March takedown, court records indicate the Kimwolf botnet has resumed operations, suggesting that while individual operators may be captured, the underlying vulnerability of hundreds of millions of poorly secured IoT devices continues to fuel the botnet ecosystem. Security experts note that until fundamental solutions address the proliferation of insecure IoT devices connected to sensitive networks, law enforcement will continue playing what amounts to a perpetual game of whack-a-mole against emerging botnet variants.
Sources
https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/
https://cyberscoop.com/kimwolf-botnet-alleged-administrator-jacob-butler-arrested-canada/
https://www.linkedin.com/posts/the-cyber-security-hub_alleged-kimwolf-botmaster-dort-arrested-activity-7463347554878017537-yKul
https://malware.news/t/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/107219
https://app.daily.dev/posts/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada-krebs-on-security-hb9fzfcgo

Comments