Suspected KimWolf botnet admin arrested over DDoS-for-hire operation
U.S. and Canadian authorities arrested and charged a Canadian man accused of operating the KimWolf DDoS botnet, a service linked to attacks that infected more than one million devices worldwide.
Jacob Butler, 23, of Ottawa, Canada, also known online as “Dort,” was arrested in Canada under an extradition warrant after U.S. prosecutors charged him with offenses related to the alleged development and operation of the KimWolf botnet.
According to court documents, KimWolf targeted internet-connected devices that were typically protected from direct exposure to the wider internet, including digital photo frames and web cameras.
Once compromised, the devices became part of a botnet that operators rented out through a cybercrime-as-a-service model, giving customers access to infected systems used in DDoS attacks against targets worldwide, including Department of Defense Information Network (DoDIN) IP addresses.
“KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume. These attacks resulted in financial losses which, for some victims, exceeded one million dollars. The KimWolf botnet is alleged to have issued over 25,000 attack commands,” the Justice Department said.
Authorities linked Butler to the operation of the KimWolf botnet through IP address data, online account information, transaction records and records from messaging platforms obtained through legal process.
Independent security journalist Brian Krebs was the first to publicly identify Jacob Butler as the alleged KimWolf botmaster.
In a related action, the Central District of California unsealed seizure warrants targeting online services that supported 45 DDoS-for-hire platforms. “These seizures broadly disrupted the DDoS platforms, including at least one that collaborated with Butler’s KimWolf botnet,” prosecutors noted.
Butler’s arrest follows an international law enforcement operation in March 2026 that disrupted infrastructure linked to the Aisuru, KimWolf, JackSkid and Mossad botnets. The four botnets targeted in the operation infected millions of devices worldwide, primarily IoT systems such as digital video recorders, web cameras and WiFi routers.
Butler faces one count of aiding and abetting computer intrusion and could receive up to 10 years in prison if convicted.