KimWolf DDoS Botnet Operator Arrested and Charged
A Canadian man, Jacob Butler, was arrested in Ottawa on Wednesday on charges of operating the KimWolf DDoS botnet, one of the largest and most damaging distributed denial-of-service (DDoS) platforms in the world. Butler, 23, was initially identified by cybersecurity journalist Brian Krebs in February and denied being behind the online persona known as “Dort” that ran KimWolf.
In court documents unsealed on Thursday, the Justice Department said Butler ran KimWolf as a DDoS-for-hire service that infected over a million devices worldwide. The complaint was filed on April 10 and was sealed pending his arrest. Butler was charged with one count of aiding and abetting computer intrusion and is facing up to 10 years in prison if convicted.
KimWolf Botnet Operations
The KimWolf botnet was made up of devices that were typically behind firewalls, including digital photo frames and web cameras. The operators then sold access to the devices to cybercriminals, who used them for a variety of purposes including launching DDoS attacks on businesses. In at least one instance, a DDoS attack targeted IP addresses owned by the Department of Defense.
Prosecutors said that KimWolf was tied to DDoS attacks measured at nearly 30 Terabits per second, a record for observed DDoS attack volume. These attacks resulted in financial losses which, for some victims, exceeded one million dollars. The KimWolf botnet is alleged to have issued over 25,000 attack commands.
Investigation and Takedown
KimWolf was taken down in March as part of a larger international law enforcement operation involving officials in the U.S., Canada and Germany, as well as several cybersecurity companies. Law enforcement seized infrastructure used by KimWolf and several other botnets, including Aisuru, JackSkid and Mossad.
The Justice Department said it also unsealed seizure warrants targeting other services that supported another 45 DDoS-for-hire platforms, including at least one that worked with KimWolf. DDoS mitigation firms like Cloudflare warned for years about KimWolf, writing in recent months that the botnet had thousands of devices at its disposal and could launch DDoS attacks that could “cripple critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire nations.”
Collaboration and Malware Analysis
In a blog post, Amazon vice president Tom Scholl said the company helped the FBI and Defense Department identify the botnet's command-and-control infrastructure and reverse engineered the malware to understand its operations. Scholl said KimWolf was a novel botnet because it targeted residential proxy networks, infiltrating home networks through compromised devices, including streaming TV boxes and other IoT devices.
The DOJ previously said victims of the DDoS attacks lost hundreds of thousands of dollars through remediation expenses or ransom demands from hackers who would only stop overloading websites for a price. Court documents said Butler was linked to the administration of the KimWolf botnet through his IP address, account information, transactions, online messages and more.
- The KimWolf botnet infected over a million devices worldwide.
- The botnet was used to launch DDoS attacks on businesses, including an attack on IP addresses owned by the Department of Defense.
- The attacks resulted in financial losses exceeding one million dollars for some victims.
- The KimWolf botnet is alleged to have issued over 25,000 attack commands.
The arrest of Jacob Butler and the takedown of the KimWolf botnet are a significant victory for law enforcement agencies and cybersecurity companies in their efforts to combat cybercrime and protect critical infrastructure.
Source: The Record