Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada – Krebs on Security
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved tens of millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States.
A criminal complaint unsealed today in an Alaska district court charges Jacob Butler, a.k.a. “Dort,” of Ottawa, Canada with operating the Kimwolf DDoS botnet. A statement from the Department of Justice says the complaint against Butler was unsealed following the defendant’s arrest in Canada by the Ontario Provincial Police pursuant to a U.S. extradition warrant. Butler is currently in Canadian custody awaiting an initial court hearing scheduled for early next week.
The government said Kimwolf targeted infected devices that were traditionally “firewalled” from the rest of the internet, such as digital photo frames and web cameras. The infected systems were then rented to other cybercriminals, or forced to participate in record-smashing DDoS attacks, as well as attacks that affected Internet address ranges for the Department of Defense. As a result, the DoD’s Defense Criminal Investigative Service is investigating the case, with assistance from the FBI field office in Anchorage.
“KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,” the Justice Department statement reads. “These attacks resulted in financial losses which, for some victims, exceeded a million dollars. The KimWolf botnet is alleged to have issued over 25,000 attack commands.”
On March 19, U.S. authorities joined international law enforcement partners in seizing the technical infrastructure for Kimwolf and three other large DDoS botnets — named Aisuru, JackSkid and Mossad — that were all competing for the same pool of vulnerable devices.
On February 28, KrebsOnSecurity identified Butler as the Kimwolf botmaster after digging through his various email addresses, registrations on the cybercrime forums, and posts to public Telegram and Discord servers. However, Dort continued to threaten and harass researchers who helped track down his real-life identity and dramatically slow the spread of his botnet.
Dort claimed responsibility for at least two swatting attacks targeting the founder of Synthient, a security startup that helped to secure a widespread critical security weakness that Kimwolf was using to spread faster and more effectively than any other IoT botnet out there. Synthient was among many technology companies thanked by the Justice Department today, and Synthient’s founder Ben Brundage told KrebsOnSecurity he’s relieved Butler is in custody.
“Hopefully this will end the harassment,” Brundage said.
An excerpt from the criminal complaint against Butler, detailing how he ordered a swatting attack against Ben Brundage, the founder of the security firm Synthient.
The government says investigators connected Butler to the administration of the KimWolf botnet through IP address, online account information, transaction records, and online messaging application records obtained through the issuance of legal process. The criminal complaint against Butler (PDF) shows he did little to separate his real-life and cybercriminal identities (something we demonstrated in our February unmasking of Dort).
In April, the Justice Department joined authorities across Europe in seizing domain names tied to nearly four-dozen DDoS-for-hire services, although because of a bureaucratic mix-up the list of seized domains has remained sealed until today. The DOJ said at least one of those services collaborated with Butler’s Kimwolf botnet.
A statement from the Ontario Provincial Police said a search warrant was executed on March 19 at Butler’s address in Ottawa, where they seized a number of devices. As a result of that investigation, Butler was arrested and charged this week with unauthorized use of computer; possession of device to obtain unauthorized use of computer system or to commit mischief; and mischief in relation to computer data. He is scheduled to remain in custody until a hearing on May 26.
In the United States, Butler is facing one count of aiding and abetting computer intrusion. If extradited, tried and convicted in a U.S. court, Butler could face up to 10 years in prison, although that maximum sentence would likely be heavily tempered by considerations in the U.S. Sentencing Guidelines, which make allowances for mitigating factors such as youth, lack of criminal history and level of cooperation with investigators.