On Wednesday, Canadian officials arrested a 23-year-old man from Ottawa for allegedly creating and running Kimwolf, a rapidly expanding Internet-of-Things (IoT) botnet that hijacked millions of devices to carry out a wave of massive distributed denial-of-service (DDoS) attacks over the past six months. In February 2026, KrebsOnSecurity publicly identified the suspect after he launched a series of DDoS attacks, doxing attempts, and swatting incidents targeting this reporter and a security researcher. He now faces criminal hacking charges in both Canada and the United States.
A criminal complaint unsealed today in an Alaska district court charges Jacob Butler, also known as “Dort,” from Ottawa, Canada, with operating the Kimwolf DDoS botnet. According to a Department of Justice statement, the complaint was made public after Butler was arrested in Canada by the Ontario Provincial Police under a U.S. extradition warrant. He remains in Canadian custody and is scheduled for an initial court hearing early next week.
Authorities stated that Kimwolf specifically targeted devices typically shielded from direct internet access—such as digital photo frames and webcams. Once compromised, these devices were either rented out to other cybercriminals or forced to participate in record-breaking DDoS attacks, including those that disrupted IP address ranges belonging to the Department of Defense. As a result, the DoD’s Defense Criminal Investigative Service is leading the investigation, with support from the FBI’s Anchorage field office.
“KimWolf was linked to DDoS attacks reaching nearly 30 terabits per second—the highest volume ever recorded,” the Justice Department noted. “These attacks caused financial damages exceeding one million dollars for some victims. The KimWolf botnet is accused of issuing more than 25,000 attack commands.”
On March 19, U.S. authorities, working with international law enforcement partners, dismantled the technical infrastructure behind Kimwolf and three other major DDoS botnets—Aisuru, JackSkid, and Mossad—all of which were competing for control of the same pool of vulnerable IoT devices.
On February 28, KrebsOnSecurity exposed Butler as the operator of Kimwolf by tracing his email addresses, cybercrime forum registrations, and public posts on Telegram and Discord. Despite being unmasked, Dort continued to threaten and harass researchers who helped uncover his identity and significantly slowed the botnet’s growth.
Dort claimed responsibility for at least two swatting attacks targeting the founder of Synthient, a cybersecurity startup that played a key role in patching a critical vulnerability exploited by Kimwolf to spread faster and more efficiently than any other IoT botnet. Synthient was among several tech companies acknowledged by the Justice Department today. Its founder, Ben Brundage, told KrebsOnSecurity he’s relieved Butler is now in custody.
“Hopefully this will end the harassment,” Brundage said.
An excerpt from the criminal complaint against Butler, detailing how he ordered a swatting attack against Ben Brundage, the founder of the security firm Synthient.
Investigators linked Butler to the Kimwolf botnet using IP addresses, online account details, transaction records, and messages obtained through legal subpoenas. The criminal complaint (PDF) reveals he made little effort to separate his real identity from his criminal online persona—a fact previously demonstrated in KrebsOnSecurity’s February exposé on Dort.
In April, the Justice Department collaborated with European authorities to seize domain names associated with nearly 48 DDoS-for-hire services. Due to an administrative error, the list of seized domains remained sealed until today. The DOJ confirmed that at least one of these services worked with Butler’s Kimwolf botnet.
The Ontario Provincial Police reported that a search warrant was executed on March 19 at Butler’s Ottawa residence, resulting in the seizure of multiple electronic devices. Based on the findings, Butler was arrested and charged this week with unauthorized use of a computer, possession of a device for unauthorized computer access or mischief, and computer-related mischief. He will remain in custody until a hearing scheduled for May 26.
In the United States, Butler faces one count of aiding and abetting computer intrusion. If extradited, tried, and convicted, he could receive up to 10 years in prison. However, the actual sentence would likely be reduced under U.S. Sentencing Guidelines, which consider mitigating factors such as his young age, lack of prior criminal record, and level of cooperation with investigators.
