HackMyIP
2026-05-21 KrebsOnSecurity

Kimwolf Botnet Operator 'Dort' Arrested in Canada, Charged in US

Malware, Threat Intel

Jacob Butler, known in cybercrime circles as "Dort," has been arrested in Canada and faces criminal charges in both the United States and Canada for allegedly operating the Kimwolf IoT botnet. The Ontario Provincial Police apprehended Butler pursuant to a U.S. extradition warrant, and he is currently in Canadian custody awaiting an initial court hearing. A criminal complaint unsealed in an Alaska district court charges Butler with operating the Kimwolf DDoS botnet, which enslaved millions of devices including digital photo frames and web cameras traditionally "firewalled" from the internet.

The Kimwolf botnet was responsible for record-smashing DDoS attacks measured at nearly 30 terabits per second—the highest recorded DDoS attack volume in history. According to the Department of Justice, these attacks resulted in financial losses exceeding one million dollars for some victims and targeted Internet address ranges associated with the Department of Defense. The Defense Criminal Investigative Service is investigating the case alongside the FBI field office in Anchorage. The botnet issued over 25,000 attack commands and was rented to other cybercriminals for conducting large-scale DDoS operations.

On March 19, U.S. authorities, in coordination with international law enforcement partners, seized the technical infrastructure supporting Kimwolf and three other large DDoS botnets—Aisuru, JackSkid, and Mossad—all competing for the same pool of vulnerable IoT devices. KrebsOnSecurity initially identified Butler as the Kimwolf botmaster on February 28 by analyzing his email addresses, cybercrime forum registrations, and posts to public Telegram and Discord servers. Following the identification, Butler allegedly launched a volley of DDoS attacks, doxing, and swatting campaigns against security researcher and Synthient founder Ben Brundage, whose startup helped secure a critical vulnerability that Kimwolf was exploiting to spread faster than any other IoT botnet.

Security professionals recommend using tools like our email breach checker to determine if accounts have been compromised in related data breaches, and our DNS leak test to verify that DNS queries are properly routed through secure channels and not being exploited by botnets. Additionally, users can run a VPN/proxy detector to check for potential man-in-the-middle configurations that attackers may use to intercept traffic. Organizations should also conduct regular port scanner assessments to identify exposed services that could be leveraged by similar botnet operators.

Source: KrebsOnSecurity
