Jacob Butler Arrested for Operating KimWolf DDoS Botnet
Severity: High (Score: 68.0)
Sources: Cyberscoop, www.justice.gov, Cybersecuritynews, Securityaffairs.Co, Feeds2.Feedburner
Keywords: kimwolf, arrested, alleged, botnet, canada, authorities, canadian
Severity indicators: ot, botnet
Summary
Jacob Butler, a 23-year-old from Ottawa, Canada, was arrested for operating the KimWolf DDoS botnet, which infected over 2 million devices worldwide. The botnet utilized a DDoS-for-hire model, launching more than 25,000 attacks that caused financial losses exceeding $1 million for some victims. U.S. authorities unsealed a criminal complaint charging Butler with aiding and abetting computer intrusion, carrying a potential 10-year prison sentence. The KimWolf botnet targeted IoT devices, including digital cameras and Android TV boxes, leveraging vulnerabilities in residential proxy networks. The arrest followed a coordinated international law enforcement operation that seized infrastructure supporting multiple botnets. Butler's extradition to the U.S. is pending as he faces charges in both Canada and the United States.

Key Points:
- Jacob Butler, aka 'Dort', arrested for operating the KimWolf DDoS botnet.
- KimWolf infected over 2 million devices and launched more than 25,000 attacks.
- Butler faces up to 10 years in prison if convicted of aiding computer intrusion.
Detailed Analysis
**Impact**
The KimWolf botnet infected over 1.9 million IoT devices globally, including digital photo frames, web cameras, Android TV boxes, and streaming devices, with significant presence in the United States and Canada. It launched more than 25,000 DDoS attacks, some reaching nearly 30 terabits per second, causing network outages and financial losses exceeding $1 million for certain victims. Targets included corporate networks and Department of Defense Information Network IP addresses, affecting sectors such as government, finance, and agriculture across multiple geographies.

**Technical Details**
KimWolf operated as a DDoS-for-hire service leveraging compromised IoT devices through exploitation of vulnerabilities in residential proxy networks and unsecured devices. The botnet infrastructure included command-and-control servers seized in a coordinated international operation alongside related botnets Aisuru, JackSkid, and Mossad. Attribution to Jacob Butler was based on IP address overlaps, online account and transaction records, and messaging application logs. The botnet issued over 25,000 attack commands and abused proxy/VPN IPs, though operational security lapses exposed its operators.

**Recommended Response**
Defenders should prioritize securing IoT devices by applying firmware updates and disabling unnecessary services to reduce attack surface. Network monitoring should focus on detecting unusual outbound traffic patterns indicative of botnet activity and blocking known KimWolf-related IP addresses and domains seized by law enforcement. Organizations should implement rate limiting and DDoS mitigation controls, especially on critical infrastructure and government-facing networks. Continuous threat intelligence updates and collaboration with law enforcement are advised to track emerging variants.
Source articles (11)
- Alleged leader of Kimwolf, a sweeping botnet for cybercriminals, arrested in Canada — Cyberscoop · 2026-05-21
  Authorities arrested and unsealed charges against a Canadian man accused of running Kimwolf, one of the most far-reaching DDoS botnets on record, the Justice Department said Thursday. Jacob Butler wa…
- Canadian Man Arrested International Authorities Charged Administrating Kimwolf Ddos — www.justice.gov · 2026-05-22
- Suspected KimWolf botnet admin arrested over DDoS-for — Feeds2.Feedburner · 2026-05-22
  U.S. and Canadian authorities arrested and charged a Canadian man accused of operating the KimWolf DDoS botnet, a service linked to attacks that infected more than one million devices worldwide. Jacob…
- US and Canada arrest and charge suspected Kimwolf botnet admin — Bleepingcomputer · 2026-05-22
  U.S. and Canadian authorities arrested and charged a Canadian man with operating the KimWolf distributed denial-of-service (DDoS) botnet, which infected nearly two million devices worldwide. 23-year-o…
- Canadian Arrested for Operating KimWolf DDoS IoT Botnet — Technadu · 2026-05-22
  A criminal complaint unsealed in the District of Alaska has charged Jacob Butler, a 23-year-old resident of Ottawa, Canada, known online as "Dort," with operating the KimWolf Distributed Denial of Ser…
- Canada's Jacob Butler arrested by international authorities, charged with KimWolf DDoS ... — Gazettengr · 2026-05-22
  A criminal complaint has been unsealed charging a Canadian man with operating the KimWolf Distributed Denial of Service Internet of Things botnet. A criminal complaint has been unsealed charging a Can…
- Authorities arrest 23-year — Securityaffairs.Co · 2026-05-22
  Canadian authorities arrested a 23-year-old Ottawa man accused of running the Kimwolf DDoS botnet. The US is now seeking extradition. US authorities have charged 23-year-old Jacob Butler (aka “Dort”),…
- Canadian Man Arrested for Operating KimWolf DDoS Botnet Hacking 2 Million Devices — Cybersecuritynews · 2026-05-22
  Canadian and U.S. authorities have arrested and charged a 23‑year‑old Ottawa resident for allegedly operating “KimWolf,” a massive Internet‑of‑Things (IoT) DDoS‑for‑hire botnet that weaponized more th…
- Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada — Feeds.Feedburner · 2026-05-21
  Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast spreading Internet-of-Things botnet that enslaved millions of devices for use…
- U.S. officials seeking extradition of Ottawa man accused of record cyberattack — Ca.News.Yahoo · 2026-05-22
  A 23-year-old Ottawa man is facing extradition to the United States after being accused of involvement in massive cyberattacks that affected more than a million devices worldwide. Ontario Provincial P…
- International cybercrime investigation leads to arrest of Ottawa man — Ca.News.Yahoo · 2026-05-21
  An Ottawa man has been arrested following an international cybercrime investigation into a major “botnet” operation that is alleged to have infected millions of devices with malware. The Ontario Provi…
Timeline
- 2026-01-01 — Investigation into KimWolf and Aisuru initiated: Ontario Provincial Police began probing botnet operations believed to cause major DDoS attacks.
- 2026-03-19 — Law enforcement operation executed: Authorities seized multiple electronic devices from Butler's residence in Ottawa as part of a coordinated operation.
- 2026-04-10 — Criminal complaint filed against Butler: U.S. authorities filed charges against Butler in the District of Alaska, unsealed after his arrest.
- 2026-05-18 — Butler arrested in Ottawa: Canadian authorities arrested Jacob Butler under an extradition warrant related to his role in the KimWolf botnet.
- 2026-05-22 — Charges unsealed following arrest: U.S. officials unsealed charges against Butler, detailing his involvement in the KimWolf botnet operations.
Related entities
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Canada Revenue Agency (Company)
- Synthient (Company)
- University Of Toronto (Company)
- U.S. Department Of Defense Information Network (Company)
- Mossad (Company)
- Brazil (Country)
- Canada (Country)
- Germany (Country)
- United States (Country)
- ontariocrimestoppers.ca (Domain)
- Financial (Industry)
- Aisuru (Malware)
- JackSkid (Malware)
- Kimwolf (Malware)
- Mirai (Malware)
- ShadowV2 (Malware)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1499 - Endpoint Denial of Service (Mitre Attack)
- Android (Platform)
- Android TV (Platform)
- Canvas (Tool)