Alleged Kimwolf Botmaster 'Dort' Charged Following Global Botnet Takedown
Jacob Butler, 23, faces hacking charges in the U.S. and Canada for allegedly operating an IoT botnet that launched record-shattering DDoS attacks.
Primary source: Krebs on Security. Full source links and update notes are below.
Fast summary
Start here
- Jacob Butler (alias 'Dort') was arrested by Ontario Provincial Police on a U.S. extradition warrant related to the Kimwolf botnet.
- The Kimwolf botnet utilized millions of IoT devices to launch DDoS attacks reaching a record 30 terabits per second.
- Butler is accused of targeting Department of Defense infrastructure and orchestrating swatting attacks against security researchers.
What happened
Canadian authorities arrested 23-year-old Jacob Butler of Ottawa on suspicion of building and operating Kimwolf, a massive Internet-of-Things (IoT) botnet. Butler, known online as 'Dort,' was taken into custody by the Ontario Provincial Police following a U.S. extradition warrant. A criminal complaint unsealed in an Alaska district court charges him with operating a network that enslaved millions of digital devices for large-scale cyberattacks over the past six months.
What's new in this update
The unsealed U.S. complaint reveals the massive scale of the Kimwolf operation, which recorded DDoS attack volumes of nearly 30 terabits per second—a historical record. Investigators formally linked Butler to the botnet through IP addresses, transaction records, and messaging app logs. Additionally, the Department of Justice revealed that Kimwolf collaborated with at least one of nearly four-dozen DDoS-for-hire services whose domains were recently seized by international authorities.
Key details
The botnet specifically targeted vulnerable devices like digital photo frames and web cameras, often those behind firewalls. These infected systems were rented out to other criminals or used to assault Department of Defense internet ranges. Beyond technical hacking, Butler is alleged to have issued over 25,000 attack commands and orchestrated 'swatting' and doxing campaigns against security researchers who were tracking his activity, including the founder of the security startup Synthient.
Background and context
In February 2026, KrebsOnSecurity publicly identified Butler as the botmaster after analyzing his digital footprint across cybercrime forums and messaging platforms like Telegram. Despite being unmasked, Butler allegedly continued to harass researchers and claimed responsibility for at least two swatting attacks. In March, law enforcement agencies successfully seized the technical infrastructure for Kimwolf along with competing botnets named Aisuru, JackSkid, and Mossad.
What to watch next
Butler remains in Canadian custody awaiting an initial court hearing scheduled for early next week. The U.S. government is expected to proceed with extradition efforts to bring him to trial in Alaska. Meanwhile, the Department of Justice and international partners continue to investigate the broader network of DDoS-for-hire services that collaborated with the Kimwolf botnet.
Why it matters
The arrest marks a major strike against high-volume DDoS infrastructure and demonstrates the efficacy of international cooperation in dismantling criminal IoT botnets.
Read next
Follow this story through the topic hub, more security coverage, and the latest updates.
Weekly briefing
Get the week's key developments in one concise email.
Get a fast catch-up on the biggest stories, the context behind them, and the links worth your time.
Cadence
Weekly, for a quick catch-up
Coverage
AI, business, world, security, sports
Format
Clear takeaways and useful context
Request the briefing
Leave your email to open a prepared request and get on the list for the weekly briefing.
Author
See who assembled this story and follow more of their work.
Sources and methodology