Unmasking Kimwolf's Botmaster: The Trail Leading to 'Dort'

April 10, 2026 23:40

Background: How Kimwolf's Exposure Triggered a Campaign of Harassment

In early January 2026, KrebsOnSecurity published an investigation into Kimwolf, widely regarded as the world's largest and most disruptive botnet. That article detailed research by Benjamin Brundage, founder of the proxy tracking service Synthient, who identified a little-known weakness in residential proxy services that the Kimwolf operators were exploiting to infect poorly defended devices — including TV boxes and digital photo frames — connected to the internal, private networks of proxy endpoints.

By the time that story was published on January 2, most of the vulnerable proxy providers had already been notified and had patched their systems. That remediation process significantly slowed Kimwolf's ability to propagate new infections. Within hours of the article going live, the person controlling Kimwolf — operating under the handle "Dort" — launched a retaliatory harassment campaign against both Brundage and this author.

A Discord Server, Doxing, and a Swatting Attack

Dort quickly created a Discord server under this reporter's name and used it to publish personal information about Brundage along with violent threats against him and others. The server, later renamed "Krebs's Koinbase Kallers," became a staging ground for further abuse. Last week, Dort and associates used the same server to threaten a swatting attack against Brundage, posting his home address and personal details.

Brundage confirmed to KrebsOnSecurity that local police officers subsequently visited his home as a result of a swatting hoax. The swat occurred around the same time that a member of the server posted a door emoji and taunted Brundage further. Dort, using the alias "Meow," also taunted Brundage with a picture of a door.

A user on the server then linked to a Soundcloud diss track recorded by the account DortDev, which carried a stickied message from Dort reading: "Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch." Lyrics in the track included: "It's a pretty hefty penny for a new front door. If his head doesn't get blown off by SWAT officers. What's it like not having a front door?"

Who Is Dort? Following the Digital Breadcrumbs

A public dox compiled in 2020 asserted that Dort was a teenager from Canada with a date of birth of August 2003, and that the individual used the aliases "CPacket" and "M1ce." A search of the username CPacket on the open-source intelligence platform OSINT Industries surfaces a GitHub account registered under the names Dort and CPacket, created in 2017 using the email address jay.miner232@gmail.com.

Forum Registrations and a Shared IP Address

The cyber intelligence firm Intel 471 reports that jay.miner232@gmail.com was used between 2015 and 2019 to register accounts on multiple cybercrime forums, including Nulled (username "Uubuntuu") and Cracked (username "Dorted"). According to Intel 471, both accounts were created from the same internet address at Rogers Canada — specifically IP address 99.241.112.24.

From Minecraft Cheats to Serious Cybercrime

Dort was a highly active participant in Microsoft's game Minecraft and gained notoriety for software called "Dortware," which helped players cheat. Over time, however, Dort's activities escalated into more serious criminal territory. The DortDev identity was active in March 2022 on the chat server used by the prolific cybercrime group LAPSUS$.

Dort also marketed two services: one for registering disposable email addresses and another called "Dortsolver," which could bypass CAPTCHA systems designed to block automated account abuse. Both offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.

A Business Partnership Worth $250,000 in Stolen Accounts

The cyber intelligence firm Flashpoint indexed 2022 posts on SIM Land by Dort, revealing that the disposable email and CAPTCHA bypass services were developed in collaboration with a hacker who used the handle "Qoft." In a 2022 conversation, Qoft stated: "I legit just work with Jacob," referring to their exclusive business partner Dort by first name.

In the same exchange, Qoft boasted that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by building a program that mass-created Game Pass identities using stolen payment card data.

Connecting the Handle to a Real Identity

The breach-tracking service Constella Intelligence found that the password associated with jay.miner232@gmail.com was reused by exactly one other email address: jacobbutler803@gmail.com. Notably, the 2020 dox of Dort listed a date of birth of August 2003 — a detail encoded as 8/03 — which aligns with the "803" in that email address.

A search of jacobbutler803@gmail.com at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all attributed to a Jacob Butler in Ottawa, Canada, and associated with the Ottawa phone number 613-909-9727.

Additional Cross-References

Constella Intelligence also found that jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as a Minecraft account under the name "M1CE." Pivoting from the password used by that Nulled account reveals it was shared by the email addresses j.a.y.m.iner232@gmail.com and jbutl3@ocdsb.ca — the latter belonging to a domain for the Ottawa-Carleton District School Board.

Data indexed by the breach-tracking service Spycloud suggests that Jacob Butler at one point shared a computer with his mother and a sibling, which may explain why multiple household email accounts were linked to the shared password "jacobsplugs." Neither Jacob Butler nor other members of the Butler household responded to initial requests for comment.

The open-source intelligence service Epieos found that jacobbutler803@gmail.com created the GitHub account "MemeClient." A deleted anonymous Pastebin.com post from 2017, indexed by Flashpoint, declared that MemeClient was created by a user named CPacket — one of Dort's earliest known aliases.

Jacob Butler Speaks: Denials and a Complicated Timeline

Following publication of this investigation, Jacob Butler reached out to KrebsOnSecurity via telephone. Butler said he had not seen earlier requests for comment because he had largely gone offline since 2021, after his home was swatted multiple times. He acknowledged creating and distributing a Minecraft cheat in the past but said he had not played the game in years and denied any involvement with Dortsolver or other activity attributed to the Dort handle after 2021.

"It was a really old cheat and I don't remember the name of it. I'm very stressed, man. I don't know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don't go online anymore. I don't know why people would still be going after me, to be completely honest."

When asked about his current livelihood, Butler said he mostly stays home and helps his mother around the house, noting that he struggles with autism and social interaction. He maintained that someone must have compromised one or more of his old accounts and has been impersonating him as Dort online.

"Someone is actually probably impersonating me, and now I'm really worried. This is making me relive everything."

Problems With Butler's Account

Butler's timeline, however, presents notable inconsistencies. His voice in the phone conversation was remarkably similar to that of the Jacob/Dort heard in a recording of a September 2022 Clash of Code competition between Dort and another programmer, which Dort lost. At approximately 6 minutes and 10 seconds into that recording, Dort launches into a profanity-laden tirade that closely mirrors the language used in the DortDev diss track threatening Brundage. Dort's voice can be heard again around the 16-minute mark, and at approximately 26:00 Dort threatens to swat his opponent.

When confronted with this, Butler denied the voice was his, suggesting instead that someone may have cloned his voice.

"I would like to clarify that was absolutely not me. There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of 'me' saying outrageous stuff."

Whether Butler's explanation holds up to scrutiny remains an open question. What is clear from the public record is that a substantial and interlocking web of digital evidence connects the Dort identity — and its escalating campaign of harassment, swatting, and DDoS attacks — to Jacob Butler of Ottawa, Canada.


Source: Krebs on Security
