Alleged Kimwolf Botmaster 'Dort' Arrested, Charged in U.S. and Canada
Canadian authorities arrested 23-year-old Jacob Butler, alias 'Dort,' for operating the Kimwolf IoT botnet that launched record-breaking DDoS attacks of nearly 30 Tbps.
Canadian authorities on Wednesday arrested 23-year-old Jacob Butler, known online as 'Dort,' on charges of building and operating the Kimwolf Internet-of-Things (IoT) botnet. The botnet enslaved millions of unsecured devices—including digital photo frames and web cameras—to launch some of the largest distributed denial-of-service (DDoS) attacks ever recorded, peaking at nearly 30 terabits per second. Butler faces criminal hacking charges in both Canada and the United States, and is currently in Canadian custody awaiting an extradition hearing.
The arrest follows a months-long investigation by the FBI, the Defense Criminal Investigative Service, and the Ontario Provincial Police. A criminal complaint unsealed in an Alaska district court charges Butler with one count of aiding and abetting computer intrusion. According to the Department of Justice, the Kimwolf botnet issued over 25,000 attack commands, causing financial losses exceeding $1 million for some victims. The attacks also targeted Internet address ranges belonging to the U.S. Department of Defense, drawing federal attention to the case.
Kimwolf spread by exploiting a critical security weakness in IoT devices that were traditionally firewalled from the rest of the internet. The botnet competed with three other large DDoS botnets—Aisuru, JackSkid, and Mossad—for the same pool of vulnerable devices. On March 19, U.S. and international law enforcement partners seized the technical infrastructure for all four botnets in a coordinated operation. The DOJ also seized domain names tied to nearly four-dozen DDoS-for-hire services, at least one of which collaborated with Kimwolf.
Butler's arrest is the culmination of a public unmasking by KrebsOnSecurity in February 2026, after he launched a series of DDoS, doxing, and swatting attacks against the publication's author and security researcher Ben Brundage, founder of Synthient. Synthient had helped secure the vulnerability that Kimwolf exploited to spread rapidly. The criminal complaint details how Butler ordered a swatting attack against Brundage, who told KrebsOnSecurity he is relieved Butler is in custody. "Hopefully this will end the harassment," Brundage said.
Investigators connected Butler to the Kimwolf botnet through IP addresses, online account information, transaction records, and messaging application records obtained through legal process. The complaint shows Butler did little to separate his real-life and cybercriminal identities. A search warrant executed at his Ottawa address on March 19 led to the seizure of multiple devices. Butler is charged in Canada with unauthorized use of a computer, possession of a device to obtain unauthorized use of a computer system, and mischief in relation to computer data. He is scheduled to remain in custody until a hearing on May 26.
If extradited, tried, and convicted in the U.S., Butler faces up to 10 years in prison, though the sentence could be tempered by mitigating factors such as his youth, lack of criminal history, and level of cooperation. The case highlights the growing threat of IoT botnets and the ability of law enforcement to track down and prosecute their operators, even when they operate across international borders. The coordinated takedown of multiple botnets also signals a more aggressive stance by authorities against DDoS-for-hire services and the cybercriminals who enable them.
The U.S. Justice Department unsealed charges against Butler on Thursday, revealing he faces up to 10 years in prison for aiding and abetting computer intrusions. Court documents show that Kimwolf, which infected over 2 million Android TV devices and launched more than 25,000 attacks, may already be back in operation despite the March takedown of its infrastructure. Investigators linked Butler to the botnet through overlapping IP addresses used across his personal Google accounts and Discord accounts tied to Kimwolf, noting that his operational security lapses ultimately led to his identification.
The U.S. Department of Justice unsealed additional details, revealing that Butler's KimWolf botnet was used in over 25,000 attacks, including against Department of Defense IP addresses, and caused financial losses exceeding $1 million for some victims. Separately, seizure warrants targeting 45 DDoS-for-hire platforms disrupted services that collaborated with KimWolf. The arrest follows a March 2026 operation that seized infrastructure for KimWolf and three related botnets, collectively infecting over 3 million IoT devices.
The U.S. Department of Justice disclosed that Kimwolf targeted traditionally "firewalled" IoT devices such as digital photo frames and web cameras, enslaving them under a cybercrime-as-a-service model. Court documents link Jacob Butler to the botnet's administration via his IP address, online account records, and Discord messages from an account called resi[.]to, building on the earlier exposure by security journalist Brian Krebs. Arrest warrants were also unsealed against 45 DDoS-for-hire platforms, one of which collaborated with Kimwolf, as part of the coordinated takedown of the botnet infrastructure.
The U.S. Department of Justice revealed that KimWolf launched DDoS attacks measured at nearly 30 Terabits per second, a record volume, and issued over 25,000 attack commands, causing some victims losses exceeding one million dollars. Authorities also unsealed seizure warrants targeting 45 DDoS-for-hire platforms, including at least one that collaborated with Butler's botnet. The arrest follows a March 2026 international operation that disrupted infrastructure linked to the Aisuru, KimWolf, JackSkid, and Mossad botnets, which collectively infected millions of IoT devices worldwide.
The SecurityWeek report adds that U.S. authorities are actively seeking Butler's extradition on computer hacking charges related to the Kimwolf botnet's operation, underscoring the cross-border nature of the case. The article also notes that the arrest represents a significant law enforcement action against a named malware operation, though it does not provide additional technical details beyond what was previously reported.
The unsealed indictment reveals that Butler, 23, operated KimWolf as a DDoS-for-hire service that infected over a million devices, including digital photo frames and web cameras, and launched attacks measured at nearly 30 Tbps—a record volume. Prosecutors allege the botnet issued over 25,000 attack commands, causing financial losses exceeding $1 million for some victims, and that at least one attack targeted IP addresses owned by the Department of Defense. The Justice Department also unsealed seizure warrants targeting services supporting 45 other DDoS-for-hire platforms, highlighting the broader crackdown.
The unsealed complaint reveals that Butler, 23, operated the KimWolf botnet as a DDoS-for-hire platform that infected nearly two million IoT devices, including cameras, streaming devices, and digital photo frames. Investigators tied Butler to the operation through Discord accounts, Google records, and IP addresses assigned by Bell Canada, noting he committed "significant operational security lapses" by using the same IP address for a Gmail account opened under his real name and Discord accounts used to support the botnet. Prosecutors also allege Butler targeted a student researcher who had published information about KimWolf, subjecting the researcher to a swatting attack. Butler faces one count of aiding and abetting computer intrusion and up to 10 years in prison if convicted.