Canadian authorities have arrested a 23-year-old Ottawa resident accused of helping run the Kimwolf Internet-of-Things (IoT) botnet, a sprawling network of hijacked devices that fueled record-breaking distributed denial-of-service (DDoS) attacks and harassed security researchers. According to charging documents described in court and in reporting by KrebsOnSecurity, Jacob Butler, allegedly known online as “Dort,” was taken into custody by the Ontario Provincial Police on a U.S. extradition warrant and now faces criminal hacking charges in both Canada and the United States.
A criminal complaint filed in the U.S. District Court for the District of Alaska accuses Butler of operating and profiting from the Kimwolf botnet, which prosecutors say rented access to millions of compromised devices to other cybercriminals for DDoS and related attacks. Butler is alleged to have used the “Dort” persona to advertise Kimwolf’s capabilities in underground forums and chat channels. In the United States he is charged with aiding and abetting computer intrusion, a felony that carries a maximum sentence of 10 years in prison if he is extradited, tried and convicted. Separately, Canadian authorities have charged him with offenses including unauthorized use of a computer, possession of devices for committing computer mischief, and mischief in relation to computer data; he remains in custody pending an initial hearing.
Kimwolf emerged in 2025 as one of the most powerful DDoS botnets on record. Researchers at XLab, cited by SecurityAffairs, estimate that the Android-focused malware infected more than 1.8 million devices worldwide and issued over 1.7 billion DDoS commands, with attack capacity approaching 30 Tbps. By March 2026, U.S. authorities said the broader criminal ecosystem around Kimwolf and three related IoT botnets (Aisuru, JackSkid and Mossad) had collectively hijacked more than three million devices and launched hundreds of thousands of DDoS attacks, according to a coordinated disruption operation announced by the U.S. Justice Department and Defense Criminal Investigative Service (DCIS) in Alaska and detailed in a DOJ press release.
The botnets’ operators allegedly focused on embedded devices that are often poorly monitored and difficult to patch, such as digital photo frames, consumer webcams and other IoT hardware that many organizations assume are safely tucked behind firewalls. U.S. authorities say the compromised systems were used to launch “record-breaking” DDoS attacks and to strike internet address ranges associated with the U.S. Department of Defense, spurring DCIS and the FBI’s Anchorage field office to take lead roles in the investigation, as outlined in the March disruption announcement and related coverage by CyberScoop and Cybersecurity Dive. In some cases, victims reportedly suffered losses exceeding $1 million from downtime, mitigation costs and follow-on extortion demands.
Beyond volumetric attacks, investigators and independent researchers say Kimwolf’s administrators used the botnet’s reach to retaliate against those who tracked their activities. KrebsOnSecurity has reported that “Dort” orchestrated DDoS, doxing, email flooding and at least two swatting incidents targeting a security researcher and the founder of Synthient, a security startup that helped identify and close a critical vulnerability Kimwolf was exploiting to spread quickly across exposed devices. According to a criminal complaint summarized in that reporting, investigators tied Butler to the Kimwolf infrastructure through IP address data, online account records, payment transaction histories and chat logs obtained via legal process, suggesting he did little to separate his real-world identity from his online handle.
For defenders, Butler’s arrest and the March infrastructure takedown do not eliminate the Kimwolf problem but may blunt its immediate threat. Even with command-and-control servers seized, many infected IoT and Android devices are likely still compromised and could be folded into successor botnets or repurposed by other actors. Enterprises are being urged by law enforcement and security researchers to inventory and segment IoT equipment, ensure firmware and mobile operating systems are up to date, disable unnecessary remote access, and monitor for anomalous outbound traffic patterns that could indicate participation in DDoS campaigns. Authorities in the United States have asked organizations with information about related threats to contact DCIS investigators at the address published in the DOJ’s Alaska botnet disruption notice.
