Canadian Administrator Arrested Following KimWolf DDoS Botnet Takedown
Published
Key Takeaways
- Suspected KimWolf admin: Police arrested an individual using the alias Dort in connection with the development and operation of the KimWolf DDoS-for-hire service.
- Extradition arrest executed: Canadian authorities apprehended 23-year-old Jacob Butler in Ottawa on May 20.
- Botnet infrastructure seized: Global law enforcement previously disabled the KimWolf botnet command-and-control servers.
A criminal complaint unsealed in the District of Alaska has charged Jacob Butler, a 23-year-old resident of Ottawa, Canada, known online as "Dort," with operating the KimWolf Distributed Denial of Service (DDoS) Internet of Things (IoT) botnet. Pursuant to an extradition warrant, Canadian authorities arrested Butler in Ottawa on May 20.
Massive IoT Device Exploitation
Documents say law enforcement connected Butler to the administration of the KimWolf botnet through IP address, online account information, transaction records, and online messaging application records.
Dort claimed responsibility for at least two swatting attacks targeting the founder of security startup Synthient, which helped secure a widespread critical security weakness that Kimwolf was using, KrebsOnSecurity has said.
According to the unsealed complaint, KimWolf operated as a sophisticated DDoS-for-hire service that infected over a million devices worldwide, including inherently vulnerable endpoints such as digital photo frames and web cameras.
The botnet established a formidable global footprint, with infected hardware located as far as Alaska, the document says. Operating under a cybercrime-as-a-service model, the infrastructure allegedly issued over 25,000 attack commands, launching record-breaking DDoS attacks and inflicting financial damages exceeding $1 million for several enterprise victims.
Seizure warrants targeting online services supporting 45 DDoS-for-hire platforms were also unsealed. “These seizures broadly disrupted the DDoS platforms, including at least one that collaborated with Butler’s KimWolf botnet,” the document said.
Multinational Infrastructure Takedown
This arrest follows a coordinated March 2026 operation in which U.S. authorities and international partners seized the command-and-control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid, and Mossad IoT botnets.
Butler is formally charged with one count of aiding and abetting computer intrusion. If convicted of this federal offense, the individual faces a maximum statutory penalty of up to 10 years in prison.
An April Europol DDoS crackdown dismantled over 50 domains and secured four arrests, targeting 75,000 criminals worldwide.
KrebsOnSecurity revealed in a January report that a source in Brazil told Krebs one of at least two individuals currently in control of the Aisuru/Kimwolf botnet goes by the Dort alias and may be a resident of Canada, and the other allegedly goes by the nickname Snow.
In November 2025, a new Mirai variant, ShadowV2, was observed targeting vulnerable IoT devices to create a botnet for DDoS attacks.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular