KimWolf DDoS botnet admin arrested in Canada sting

U.S. and Canadian authorities have arrested a 23-year-old Ottawa man accused of running KimWolf, a massive distributed denial-of-service botnet-for-hire that hijacked more than a million internet-connected devices worldwide. A criminal complaint unsealed in the District of Alaska charges Jacob Butler, also known online as “Dort,” with aiding and abetting computer intrusion in connection with the development and operation of the KimWolf DDoS Internet of Things botnet, the U.S. Department of Justice said in a statement announcing the arrest. Butler was taken into custody in Ottawa pursuant to an extradition warrant and faces up to 10 years in prison if convicted.

KimWolf emerged in late 2025 as one of the most aggressive DDoS botnets yet seen, conscripting primarily Android-based TVs, set-top boxes and tablets, especially low-cost TV boxes deployed on home networks. Researchers at QiAnXin XLab estimated the botnet had infected roughly 1.8 million devices and issued some 1.7 billion DDoS commands in just three days in November 2025, with one of its command-and-control domains briefly topping Cloudflare’s list of most-targeted domains, even surpassing Google traffic, according to an analysis reported by The Hacker News. U.S. officials say KimWolf operated as a DDoS-for-hire service and was used to launch more than 25,000 attacks, causing network outages, operational disruptions and financial losses totaling millions of dollars, CyberScoop reported.

Investigators and security researchers assess KimWolf as closely linked to, and likely a variant of, the Aisuru botnet, which has been blamed for record-breaking DDoS attacks over the past year. To build KimWolf, its operators are believed to have reused portions of Aisuru’s code base before evolving the malware to better evade detection, according to QiAnXin’s findings cited by researchers. The KimWolf, Aisuru, JackSkid and Mossad botnets together hijacked roughly 3 million devices and collectively carried out more than 300,000 DDoS attacks, law enforcement officials told CyberScoop.

Authorities in the United States, Germany and Canada coordinated a disruption operation in March that seized command-and-control infrastructure tied to KimWolf and the three related botnets in what was described as one of the most significant law-enforcement takedowns of IoT-based DDoS infrastructure to date, according to incident coverage by security firm SafeState on the multi-botnet takedown. The action aimed to sever communications, prevent new infections and blunt the botnets’ capacity to launch further attacks. Yet court records cited by CyberScoop suggest the KimWolf botnet has since resumed operations, underscoring how quickly criminal operators can rebuild or reconstitute distributed infrastructure even after high-profile seizures.

From a technical standpoint, KimWolf is compiled with the Android Native Development Kit and supports 13 different DDoS attack methods across UDP, TCP and ICMP, giving its controllers flexibility to tailor volumetric floods and protocol-specific attacks against targets, researchers at QiAnXin observed in the analysis summarized by The Hacker News. Beyond denial-of-service functionality, the malware also includes proxy forwarding, reverse shell and file management capabilities, turning compromised smart TVs and TV boxes into general-purpose footholds inside residential networks. More than 96% of observed KimWolf commands were tied to proxy services rather than overt DDoS jobs, indicating that the botnet doubled as a vast residential proxy network that other criminal actors could rent to mask their activities.

The Butler case is the latest in a series of U.S. prosecutions targeting DDoS-for-hire and botnet-for-hire operators. In a separate case, federal prosecutors charged an Oregon man in 2024 with running the Rapper Bot botnet, which allegedly used tens of thousands of hacked routers and DVRs to conduct terabit-scale DDoS attacks as a paid service, according to reporting by Cybersecurity Dive. Authorities appear intent on combining infrastructure seizures with criminal charges to increase deterrence, even as the technical barrier to reconstituting IoT botnets remains low.

For defenders, the KimWolf case is a reminder that everyday consumer electronics can become high-impact attack tools at internet scale. Enterprises and service providers with exposure to large residential customer bases should continue to monitor for abnormal traffic patterns indicative of IoT botnet activity, apply strict egress filtering and anti-spoofing controls, and work with upstream partners and DDoS mitigation services to absorb or filter malicious flows. Owners of Android TV devices and low-cost TV boxes can reduce their risk of conscription by disabling unnecessary remote-access features, changing default credentials, applying firmware updates where available and segmenting media devices from critical home or office networks. U.S. authorities have also urged anyone with information about KimWolf or related DDoS threats to contact investigators via the dedicated DCIS-PowerOff@DoDIG.mil tip line referenced in the Justice Department announcement.
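Two of the controls recommended above, anti-spoofing at the customer edge and monitoring for flood-like or proxy-like traffic from consumer devices, can be checked against exported flow records. The script below is an added illustration written for this article, not code from the investigation or from any of the cited researchers. It runs on a small set of constructed flow records (documentation IP ranges, made-up packet counts) and uses illustrative thresholds; the only assumed input is that the operator knows the customer's assigned prefix, which a BCP38-style check needs.

```python
"""Flow-log triage for two of the defensive controls discussed above:
anti-spoofing (egress packets whose source is outside the customer's own
prefix) and abnormal-traffic detection (one device emitting flood-like packet
rates, or proxy-like fan-out to many destinations).  All records and
thresholds here are constructed for illustration, not real KimWolf telemetry."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # source IP as seen at the customer's egress point
    dst: str
    proto: str    # "udp", "tcp" or "icmp"
    dport: int
    packets: int
    seconds: int  # flow duration in seconds


# Constructed sample: a normally behaving laptop (192.0.2.10), a TV box
# flooding one target over UDP and ICMP (192.0.2.20), a TV box acting as a
# proxy exit with many short TLS connections (192.0.2.30), and one flow whose
# source address does not belong to the customer prefix at all.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", "tcp", 443, 120, 60),
    Flow("192.0.2.20", "203.0.113.7", "udp", 53, 900_000, 30),
    Flow("192.0.2.20", "203.0.113.7", "icmp", 0, 400_000, 30),
    Flow("198.51.100.77", "203.0.113.7", "udp", 80, 50_000, 10),
] + [Flow("192.0.2.30", f"203.0.113.{i}", "tcp", 443, 40, 60) for i in range(1, 151)]


def spoofed_flows(flows, local_prefixes):
    """BCP38 check: flows whose source is not inside any prefix assigned to
    this customer should never leave the network and indicate spoofing."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    return [f for f in flows
            if not any(ipaddress.ip_address(f.src) in n for n in nets)]


def flood_sources(flows, pps_threshold=10_000):
    """Aggregate packets per (src, dst, proto) and return the tuples whose
    average packet rate exceeds the threshold; volumetric floods concentrate
    on one target, so per-pair rate is a better signal than total volume."""
    rate = defaultdict(float)
    for f in flows:
        rate[(f.src, f.dst, f.proto)] += f.packets / max(f.seconds, 1)
    return {k: r for k, r in rate.items() if r >= pps_threshold}


def fanout_sources(flows, min_destinations=100):
    """A media device that talks to hundreds of distinct destinations is
    behaving like a proxy exit node rather than a TV; count unique dsts."""
    dests = defaultdict(set)
    for f in flows:
        dests[f.src].add(f.dst)
    return {src: len(d) for src, d in dests.items() if len(d) >= min_destinations}


def triage(flows, local_prefixes, pps_threshold=10_000, min_destinations=100):
    """Combine the three checks into one report keyed by source address."""
    findings = defaultdict(list)
    for f in spoofed_flows(flows, local_prefixes):
        findings[f.src].append("source outside customer prefix (BCP38 violation)")
    for (src, dst, proto), pps in flood_sources(flows, pps_threshold).items():
        findings[src].append(f"flood {proto} -> {dst} ({pps:.0f} pps)")
    for src, n in fanout_sources(flows, min_destinations).items():
        findings[src].append(f"proxy-like fan-out to {n} destinations")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_FLOWS, ["192.0.2.0/24"]).items():
        print(src)
        for r in reasons:
            print("   ", r)
```

Run as-is, it reports three sources: the spoofed address, the flooding TV box (once for UDP and once for ICMP) and the high fan-out device, while the laptop stays silent. In production the same three functions would be fed from a flow collector and the thresholds tuned per customer class; the spoofing check is the one that costs nothing to enforce as a drop rule at the edge.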
