Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States.
AI Analysis
Technical Summary
Jacob Butler, a Canadian resident, is accused of operating the Kimwolf botnet, which compromised millions of Internet-of-Things devices traditionally protected by firewalls, such as digital photo frames and webcams. The botnet was rented out to cybercriminals and used to launch record-breaking DDoS attacks, including attacks on U.S. Department of Defense networks. The botnet's attack volume reached nearly 30 terabits per second, with over 25,000 attack commands issued. Butler was identified through digital forensics linking IP addresses, online accounts, and transaction records. His arrest followed coordinated law enforcement actions that also seized infrastructure of competing DDoS botnets and related DDoS-for-hire services. Butler faces charges in both Canada and the U.S., including unauthorized computer use and aiding computer intrusion. The case is under investigation by multiple agencies, including the FBI and the DoD's Defense Criminal Investigative Service.
Potential Impact
The Kimwolf botnet caused significant disruption through massive DDoS attacks, including assaults on critical U.S. government infrastructure. Financial losses for some victims exceeded one million dollars. The botnet's scale and attack volume set records in DDoS history. Additionally, the botmaster engaged in harassment tactics such as doxing and swatting, posing physical safety risks to targeted individuals. The takedown of Kimwolf and related botnets disrupted a major source of DDoS attacks and cybercriminal activity. The arrest and charges against the operator represent a significant law enforcement success in combating large-scale IoT botnets.
Mitigation Recommendations
The technical infrastructure of the Kimwolf botnet has been seized by international law enforcement, effectively disrupting its operations. The botmaster is in custody facing criminal charges. No specific patch or remediation is applicable to this threat as it involves criminal botnet operation rather than a software vulnerability. Organizations should continue to apply best practices for securing IoT devices to reduce risk of compromise by similar botnets. Monitoring for related DDoS activity and collaborating with law enforcement remain important. Patch status is not applicable; the vendor advisory does not indicate any software patch or fix.
Technical Details
- Article Source
- {"url":"https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/","fetched":true,"fetchedAt":"2026-05-26T19:40:53.985Z","wordCount":1523}
Threat ID: 6a15f7466b9ae66727f4dbc2
Added to database: 5/26/2026, 7:40:54 PM
Last enriched: 5/26/2026, 7:41:26 PM
Last updated: 5/26/2026, 11:00:06 PM