US and Canadian authorities have arrested and charged a Canadian man, Jacob Butler, also known online as 'Dort', with operating the KimWolf distributed denial-of-service (DDoS) botnet. The botnet infected nearly 2 million devices worldwide, including digital photo frames, web cameras, Android-based TV boxes, and streaming devices.
Background and Charges
Butler, 23, was arrested by Canadian authorities in Ottawa on Wednesday pursuant to an extradition warrant. He was taken into custody based on IP address and online account information, transaction records, and online messaging records that exposed his links to the KimWolf botnet.
According to a criminal complaint unsealed on Thursday in the District of Alaska, Butler is facing one count of aiding and abetting computer intrusions, which carries a maximum sentence of 10 years in prison. He now awaits extradition to the US.
KimWolf Botnet Operations
The KimWolf botnet operated as a DDoS-for-hire service, allowing cybercriminals to launch attacks reaching nearly 30 terabits per second, the largest DDoS attack publicly disclosed at the time. Using a cybercrime-as-a-service model, Butler sold access to a massive network of compromised systems.
The botnet was used in more than 25,000 attacks targeting computers and servers worldwide, including Department of Defense Information Network IP addresses, and caused financial losses exceeding $1 million for some victims.
Research and Tracking
Researchers at cybersecurity firm Synthient, who have been tracking KimWolf's rapid expansion, noted in January that KimWolf grew to almost 2 million devices after compromising Android devices in attacks exploiting vulnerabilities in residential proxy networks. The botnet generated approximately 12 million unique IP addresses each week.
Seizure Warrants and Disruption
Separately, the Central District of California unsealed seizure warrants targeting 45 DDoS-for-hire platforms, an action that disrupted multiple DDoS platforms, including at least one that collaborated with the KimWolf botnet. US authorities also seized domain records associated with many of these services, redirecting them to an authorized 'splash page' that warns potential visitors that DDoS services are illegal.
Butler's arrest follows a March 2026 international operation in which US, German, and Canadian authorities seized command-and-control infrastructure used by KimWolf and three related botnets (Aisuru, JackSkid, and Mossad), which collectively infected over 3 million IoT devices.
International Cooperation and Impact
The US Justice Department said that the four botnets collectively infected more than 3 million IoT devices, including web cameras, digital video recorders, and Wi-Fi routers, many of them in the United States. The arrest and disruption of the KimWolf botnet demonstrate the importance of international cooperation in combating cybercrime.
The KimWolf botnet's impact was significant, with financial losses exceeding $1 million for some victims. The botnet's ability to launch massive DDoS attacks made it a formidable tool for cybercriminals, and its disruption is a major victory for law enforcement and cybersecurity professionals.
Conclusion
The arrest and charging of Jacob Butler, the suspected admin of the KimWolf botnet, marks a significant milestone in the fight against cybercrime. The KimWolf botnet's operations and impact demonstrate the need for continued international cooperation and vigilance in combating cyber threats.
As the cybersecurity landscape continues to evolve, it is essential to stay informed about the latest threats and trends. By understanding the tactics and techniques used by cybercriminals, we can better protect ourselves and our organizations from these types of threats.
Source: BleepingComputer