
A 23-year-old Ottawa man accused of building and running the most destructive denial-of-service botnet ever recorded was arrested Wednesday by Ontario Provincial Police and now faces federal charges in the United States, the Justice Department announced May 21, 2026. Jacob Butler — known online as "Dort" — is alleged to have turned more than one million ordinary consumer gadgets into weapons capable of generating nearly 30 terabits per second of attack traffic, a volume prosecutors described as a record in DDoS history, causing financial losses that exceeded one million dollars for some victims.
Butler was taken into custody pursuant to a U.S. extradition warrant. A criminal complaint filed April 10 in the District of Alaska was kept sealed pending his arrest and unsealed Thursday. He is charged with one count of aiding and abetting computer intrusion, which carries a maximum penalty of ten years in federal prison. Butler remains in Canadian custody ahead of a hearing scheduled for May 26.
KimWolf Botnet Recruited Photo Frames and Web Cameras as Attack Weapons
What distinguished KimWolf from earlier generations of botnets was not merely its scale but its infection strategy. Where conventional botnets targeted routers and internet-facing servers, KimWolf specifically sought out devices sitting behind home firewalls — streaming TV boxes, digital photo frames, web cameras, and Android-based media players — hardware that most users and most security tools never think to monitor.
Once KimWolf compromised a device, it enrolled that machine in a commercially operated attack network. Customers could purchase access to the botnet's firepower through what prosecutors describe as a "DDoS-for-hire" or "cybercrime as a service" model: pay a fee, select a target, and direct millions of infected devices to flood that target with traffic until it collapsed. The botnet issued more than 25,000 attack commands over its operational lifetime, according to court documents.
The technique that made KimWolf unusually difficult to detect or block was its exploitation of residential proxy networks — services that route internet traffic through consumer devices to make it appear to originate from ordinary home connections rather than data centers. Security researcher Benjamin Brundage, founder of the startup Synthient, identified the vulnerability in late 2025: many residential proxy services were not adequately blocking customers from forwarding requests to the internal networks of proxy endpoints, giving an attacker the ability to reach devices that had no direct exposure to the open internet. KimWolf grew to approximately two million infected devices by abusing this weakness, generating roughly 12 million unique IP addresses each week.
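An added example, not taken from any proxy provider or from the reporting: one way a residential proxy service could refuse to forward customer requests into an endpoint's internal network, which is the check the paragraph above says many services lacked. The names `vet_destination`, `Verdict`, `EXTRA_BLOCKED` and the sample hosts are assumptions made for this illustration.

```python
import ipaddress
import socket
from typing import NamedTuple

# Shared/CGNAT space is not flagged by is_private, so list it explicitly.
EXTRA_BLOCKED = (ipaddress.ip_network("100.64.0.0/10"),)

class Verdict(NamedTuple):
    allowed: bool
    reason: str
    pinned: tuple  # vetted addresses; connect to these, never re-resolve

def is_internal(ip):
    """True if ip points at the endpoint itself or its local network."""
    # Unwrap IPv4-mapped IPv6 (::ffff:192.168.1.20) so it gets the IPv4 checks.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip.version == net.version and ip in net for net in EXTRA_BLOCKED)

def system_resolve(host):  # default resolver: all A/AAAA answers as strings
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def vet_destination(host, resolve=system_resolve):
    """Decide whether a customer-supplied destination may be forwarded."""
    try:
        addrs = [ipaddress.ip_address(host.strip("[]"))]  # literal IP
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return Verdict(False, "unresolvable", ())
    if not addrs:
        return Verdict(False, "unresolvable", ())
    # Fail closed: one internal answer rejects the whole name, which also
    # covers names that mix public and internal records.
    for ip in addrs:
        if is_internal(ip):
            return Verdict(False, f"internal address {ip}", ())
    return Verdict(True, "ok", tuple(str(ip) for ip in addrs))

# Constructed sample data (hypothetical names; 8.8.8.8 stands in for a public host).
SAMPLE_DNS = {"cdn.example": ["8.8.8.8"], "cam.example": ["8.8.8.8", "192.168.1.20"]}
if __name__ == "__main__":
    for dest in ["8.8.8.8", "192.168.1.20", "[::ffff:10.0.0.5]", "cam.example"]:
        print(dest, vet_destination(dest, lambda h: SAMPLE_DNS.get(h, [])))
```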
Jacob Butler Denied Being "Dort" Until Court Documents Proved Otherwise
Butler was first publicly linked to KimWolf in February 2026 by cybersecurity journalist Brian Krebs, who traced the operator known as "Dort" through email addresses, cybercrime forum registrations, and posts on public Telegram and Discord servers. At the time, Butler denied any involvement, claiming he had not used the "Dort" persona since 2021 and that another party had taken over his former account.
The denial did not hold. According to the criminal complaint, investigators connected Butler to the botnet's administration through his IP address, online account information, financial transaction records, and messaging application records obtained through legal process. Prosecutors say those records directly link Butler to KimWolf's command-and-control infrastructure.
In the months between Krebs's public identification of Butler in February and his arrest in May, Butler allegedly continued operating — and retaliating. Krebs reported that Butler, as "Dort," claimed responsibility for at least two swatting attacks targeting Brundage, whose firm Synthient had identified and helped close the residential proxy vulnerability that KimWolf relied on for rapid growth. Brundage told Krebs he was relieved by the arrest: "Hopefully this will end the harassment."
Home Devices Attacked Pentagon, Extorted Businesses
The scale of harm documented in court filings spans consumer victims, private businesses, and U.S. military infrastructure. In at least one instance, a KimWolf attack targeted IP address ranges belonging to the Department of Defense Information Network, the global network supporting the Pentagon and military operations worldwide. The Defense Criminal Investigative Service is investigating the case with assistance from the FBI's Anchorage field office.
For private-sector victims, prosecutors say financial losses from KimWolf attacks sometimes exceeded one million dollars per organization, combining remediation costs and ransom payments demanded by operators who offered to halt attacks in exchange for payment. Court documents indicate one financial services company reported losses exceeding four million dollars. Zach Edwards, a staff threat researcher at security firm Infoblox, told CyberScoop the botnet had broader applications than DDoS alone: "Kimwolf and the botnets associated with this operation have supported persistent corporate intrusion efforts and been used by a wide range of serious threat actors."
Cloudflare, which automatically detected and mitigated the largest recorded KimWolf attack — a burst peaking at 31.4 terabits per second in November 2025, sustained for 35 seconds — had previously warned that the botnet's scale meant it could "cripple critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire nations."
International Operation Shut Down Four Botnets in March
Butler's arrest is the human accountability phase of a broader enforcement action that began on March 19, 2026. On that date, the Justice Department, along with law enforcement partners in Canada and Germany — including Germany's Bundeskriminalamt and Canada's Royal Canadian Mounted Police, Ontario Provincial Police, and Sûreté du Québec — executed a coordinated court-authorized operation to seize the command-and-control infrastructure of four major IoT botnets: KimWolf, Aisuru, JackSkid, and Mossad.
The four botnets combined had infected more than three million devices globally, with hundreds of thousands in the United States. Together they issued hundreds of thousands of attack commands against targets worldwide. Amazon Web Services played a direct technical role: according to The Record's reporting on the March operation, Tom Scholl, an AWS vice president, wrote that the company helped the FBI and Department of Defense identify KimWolf's command-and-control servers and reverse-engineered the botnet's malware to understand how it propagated and operated.
The March operation also involved technical assistance from Akamai, Cloudflare, Google, DigitalOcean, Nokia, Oracle, Sony Interactive Entertainment, Synthient, Team Cymru, and more than a dozen other technology companies and security organizations.
How Does KimWolf Infect Home IoT Devices?
Alongside Butler's arrest, the Justice Department unsealed seizure warrants in the Central District of California targeting 45 additional DDoS-for-hire platforms, including at least one that prosecutors say collaborated directly with Butler's KimWolf botnet. Domain records for many of these services were seized and redirected to a government splash page warning potential users that DDoS-for-hire services are illegal.
Security researchers say the enforcement campaign addresses a structural vulnerability that has grown more acute as consumer IoT devices proliferate with little or no ongoing security support from manufacturers. KimWolf's growth from zero to nearly two million infected devices in roughly six months — an increase of more than 700 percent in attack capacity within a single year, according to Cloudflare's Q4 2025 DDoS threat report — illustrates how quickly residential proxy abuse can scale when the underlying device population is large, poorly monitored, and rarely updated.
For home users, the practical guidance from security researchers is consistent: isolate IoT devices on a separate network or VLAN from computers and storage devices, apply firmware updates when available, and treat cheap Android TV boxes or no-name connected hardware as inherently untrusted.
Frequently Asked Questions
What is the KimWolf botnet and how did it work?
KimWolf was a DDoS-for-hire service that infected more than one million consumer internet-connected devices — including streaming TV boxes, web cameras, and digital photo frames — and rented access to their combined firepower to paying customers who used them to overwhelm targeted websites and networks. It exploited a vulnerability in residential proxy services to reach devices sitting behind home firewalls, making its traffic appear to originate from ordinary households rather than criminal infrastructure.
How can I tell if my home device was infected by a botnet like KimWolf?
Signs of infection on IoT devices can include unexplained high CPU or network activity, unexpected open ports, unusual DNS queries, or devices that run unusually hot. Security researchers recommend isolating smart TVs and IoT hardware on a separate guest network or VLAN, applying all available firmware updates, and replacing low-cost Android TV boxes from unknown manufacturers, which are particularly common infection targets. There is no publicly available dedicated KimWolf removal tool; factory resetting and firmware updates are the standard remediation.
What charges does Jacob Butler face in the United States and Canada?
In the United States, Butler is charged with one count of aiding and abetting computer intrusion, which carries a maximum sentence of ten years in federal prison. In Canada, he faces charges of unauthorized use of a computer, possession of a device to obtain unauthorized use of a computer system, and mischief in relation to computer data. He currently remains in Canadian custody pending a hearing scheduled for May 26, 2026, with U.S. extradition proceedings expected to follow.
What is a DDoS-for-hire service?
A DDoS-for-hire service, sometimes called a "booter" or "stresser," lets paying customers direct denial-of-service attacks at targets of their choosing without needing technical knowledge to build the attack infrastructure themselves. Operators maintain a network of compromised devices and sell attack time in the same way a cloud provider sells computing time. The Justice Department has prosecuted multiple operators of such services and, alongside Butler's arrest, unsealed seizure warrants targeting 45 additional DDoS-for-hire platforms in May 2026.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.




