Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in US and Canada – Krebs on Security

Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on construction and operation charges. Kimwolfa rapidly spreading Internet-of-Things botnet that has enslaved millions of devices for use in a series of massive denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the defendant launched DDoS, doxing and swatting campaigns against this writer and security researcher. He now faces racketeering charges in Canada and the United States.

The criminal complaint was filed today in Alaska state court Jacob Butleraka”Dort,” from Ottawa, Canada using the Kimwolf DDoS botnet. A Justice Department statement said the complaint against Butler was not closed following the defendant’s arrest in Canada. Ontario Provincial Police according to the US return warranty. Butler is currently in Canadian custody awaiting a preliminary hearing scheduled for next week.

The government said Kimwolf targeted infected devices that were “firewalled” from the rest of the Internet, such as digital picture frames and web cameras. Infected systems were then monitored by other cybercriminals, or forced to participate in record-breaking DDoS attacks, and attacks that affected a range of Internet addresses. Department of Defense. So, the DoD’s Criminal Defense Unit investigates the case, with assistance from the FBI’s Anchorage field office.

“KimWolf was involved in a DDoS attack that measured approximately 30 Terabits per second, a record DDoS attack volume,” the Justice Department’s statement read. “This attack resulted in financial losses, for some victims, in excess of $1 million. The KimWolf botnet is suspected of issuing over 25,000 attack commands.”

On March 19, US authorities joined international law enforcement partners in seizing the technical infrastructure of Kimwolf and three other major DDoS botnets – named. Aisuru, JackSkid again The Mossad – all competing for the same pool of vulnerable devices.

On February 28, KrebsOnSecurity identified Butler as the administrator of Kimwolf after digging through his various email addresses, registrations on cybercrime forums, and posts on Telegram and Discord community servers. However, Dort continued to threaten and harass researchers who helped track down his true identity and significantly slowed the spread of his botnet.

Dort said he is guilty of at least two attacks against the founder of The Synthienta security implementation that helped prevent critical widespread security weaknesses that Kimwolf used to spread faster and more efficiently than any other IoT botnet in existence. Synthient was among the many technology companies thanked by the Department of Justice today, and the founder of Synthient Ben Brundage told KrebsOnSecurity that Butler was released from custody.

“I hope this will put an end to the abuse,” said Brundage.

The government says investigators linked Butler to the management of the KimWolf botnet through IP addresses, Internet account information, transaction records, and records of Internet messaging requests obtained through subpoenas. The criminal complaint against Butler (PDF) shows that he did nothing to separate his real identity from cybercrime (something we showed in our February cover of Dort).

In April, the Department of Justice joined authorities across Europe in seizing domain names tied to nearly a dozen DDoS-for-hire services, although due to bureaucratic confusion the list of seized domains remains closed to this day. The DOJ said at least one of those services was affiliated with Butler’s Kimwolf botnet.

A statement released by the Ontario Provincial Police said a search warrant was executed on March 19 at Butler’s address in Ottawa, where they seized several items. As a result of that investigation, Butler was arrested and charged this week with unauthorized use of a computer; possession of a device to obtain unauthorized use of a computer program or to commit a crime; and mischief related to computer data. He is scheduled to be held in custody until a hearing on May 26.

In the United States, Butler faces one count of aiding and abetting computer hacking. If he is extradited, tried and convicted in a US court, Butler could be sentenced to 10 years in prison, although that maximum sentence could be greatly reduced in consideration of the US Sentencing Guidelines, which allow for mitigating factors such as youth, lack of criminal history and degree of cooperation with investigators.