Who’s the Kimwolf Botmaster “Dort”? – Krebs on Security

abaidmirza April 26, 2026


In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person responsible for Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be dispatched to the researcher’s home. This post examines what’s knowable about Dort based on public information.

A public “dox” created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases “CPacket” and “M1ce.” A search on the username CPacket on the open source intelligence platform OSINT Industries finds a GitHub account under the names Dort and CPacket that was created in 2017 using the email address jay.miner232@gmail.com.

Image: osint.industries.

The cyber intelligence firm Intel 471 says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including Nulled (username “Uubuntuu”) and Cracked (user “Dorted”); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$. Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.

The cyber intelligence firm Flashpoint listed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle “Qoft.”

“I legit simply work with Jacob,” Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort. In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by developing a program that mass-created Game Pass identities using stolen payment card data.

Who is the Jacob that Qoft referred to as their business partner? The breach monitoring service Constella Intelligence finds the password used by jay.miner232@gmail.com was reused by just one other email address: jacobbutler803@gmail.com. Recall that the 2020 dox of Dort said their date of birth was August 2003 (8/03).

Searching this email address at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.

Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as the account name “M1CE” on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses j.a.y.m.iner232@gmail.com and jbutl3@ocdsb.ca, the latter being an address at a domain for the Ottawa-Carleton District School Board.

Data listed by the breach monitoring service Spycloud suggests that at one point Jacob Butler shared a computer with his mother and a sibling, which might explain why their email accounts were linked to the password “jacobsplugs.” Neither Jacob nor any of the other Butler household members responded to requests for comment.

The open source intelligence service Epieos finds jacobbutler803@gmail.com created the GitHub account “MemeClient.” Meanwhile, Flashpoint listed a deleted anonymous Pastebin.com post from 2017 declaring that MemeClient was the creation of a user named CPacket — one of Dort’s early monikers.

Why is Dort so mad? On January 2, KrebsOnSecurity published The Kimwolf Botnet is Stalking Your Local Network, which explored research into the botnet by Benjamin Brundage, founder of the proxy monitoring service Synthient. Brundage figured out that the Kimwolf botmasters were exploiting a little-known weakness in residential proxy services to infect poorly-defended devices — like TV boxes and digital photo frames — plugged into the internal, private networks of proxy endpoints.

By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf’s ability to spread, and within hours of the story’s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.

Dort and friends incriminating themselves by planning swatting attacks in a public Discord server.

Last week, Dort and friends used that same Discord server (then named “Krebs’s Koinbase Kallers”) to threaten a swatting attack against Brundage, again posting his home address and personal information. Brundage told KrebsOnSecurity that local police officers subsequently visited his home in response to a swatting hoax which occurred around the same time that another member of the server posted a door emoji and taunted Brundage further.

Dort, using the alias “Meow,” taunts Synthient founder Ben Brundage with a picture of a door.

Somebody on the server then linked to a cringeworthy (and NSFW) new Soundcloud diss track recorded by the consumer DortDev that included a stickied message from Dort saying, “Ur lifeless nigga. u higher watch ur fucking again. sleep with one eye open. bitch.”

“It’s a fairly hefty penny for a brand new entrance door,” the diss track intoned. “If his head doesn’t get blown off by SWAT officers. What’s it like not having a entrance door?”

Hopefully, Dort will soon be able to tell us all exactly what it’s like.

Update, 10:29 a.m.: Jacob Butler responded to requests for comment, speaking with KrebsOnSecurity briefly by telephone. Butler said he didn’t notice earlier requests for comment because he hasn’t really been online since 2021, after his home was swatted a number of times. He acknowledged making and distributing a Minecraft cheat long ago, but said he hasn’t played the game in years and was not involved in Dortsolver or any other activity attributed to the Dort nickname after 2021.

“It was a extremely previous cheat and I don’t bear in mind the identify of it,” Butler said of his Minecraft modification. “I’m very pressured, man. I don’t know if individuals are going to swat me once more or what. After that, I just about walked away from all the things, logged off and mentioned fuck that. I don’t go browsing anymore. I don’t know why individuals would nonetheless be going after me, to be utterly trustworthy.”

When asked what he does for a living, Butler said he mostly stays home and helps his mom around the house because he struggles with autism and social interaction. He maintains that someone must have compromised a number of his old accounts and is impersonating him online as Dort.

“Somebody is definitely most likely impersonating me, and now I’m actually apprehensive,” Butler said. “That is making me relive all the things.”

But there are issues with Butler’s timeline. For example, Jacob’s voice in our phone conversation was remarkably similar to the Jacob/Dort whose voice can be heard in this Sept. 2022 Clash of Code competition between Dort and another coder (Dort lost). At around 6 minutes and 10 seconds into the recording, Dort launches into a cursing tirade that mirrors the stream of profanity in the diss rap that Dortdev posted threatening Brundage. Dort can be heard again at around 16 minutes; at around 26:00, Dort threatens to swat his opponent.

Butler said the voice of Dort is not his, exactly, but rather that of an impersonator who had likely cloned his voice.

“I want to make clear that was completely not me,” Butler said. “There should be somebody utilizing a voice changer. Or one thing of the kinds. As a result of individuals have been cloning my voice earlier than and sending audio clips of ‘me’ saying outrageous stuff.”

Further reading:

Jan. 8, 2026: Who Benefited from the Aisuru and Kimwolf Botnets?

Jan. 20, 2026: Kimwolf Botnet Lurking in Corporate, Govt. Networks

Jan. 26, 2026: Who Operates the Badbox 2.0 Botnet?

Feb. 11, 2026: Kimwolf Botnet Swamps Anonymity Network I2P

Mar. 19, 2026: Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

