Skip to main content
Emerging ThreatsMalware & Ransomware

Botmaster 'Dort' Arrested in Canada, Charged in US Over Kimwolf Botnet

Law enforcement scene with Ontario Provincial Police emblem, daylight through tall windows.

"KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume," the Department of Justice said in a statement unsealed May 22, 2026.

Arrest and charges against Jacob Butler, a.k.a. "Dort"

Canadian authorities arrested a 23‑year‑old man from Ottawa on Wednesday on suspicion of building and operating the Kimwolf botnet. A criminal complaint unsealed in an Alaska district court identifies the suspect as Jacob Butler, also known online as "Dort." The Department of Justice said Butler was arrested in Canada by the Ontario Provincial Police pursuant to a U.S. extradition warrant and is in Canadian custody awaiting an initial court hearing; Ontario police said Butler is scheduled to remain in custody until a hearing on May 26.

In Canada, Butler faces charges including unauthorized use of a computer; possession of a device to obtain unauthorized use of a computer system or to commit mischief; and mischief in relation to computer data. In the United States he is charged with one count of aiding and abetting computer intrusion, a charge that carries a maximum statutory sentence of up to 10 years if convicted — a maximum the DOJ said would likely be tempered by U.S. Sentencing Guidelines considerations such as youth, lack of criminal history and cooperation.

Scale and methods: how Kimwolf operated

The Justice Department describes Kimwolf as an Internet‑of‑Things (IoT) botnet that infected devices normally "firewalled" from the broader Internet — examples cited include digital photo frames and web cameras. The government alleges the botnet issued more than 25,000 attack commands and was tied to DDoS attacks measured at nearly 30 Tbps. Investigators say infected systems were rented to other cybercriminals or forced to participate in record‑smashing DDoS campaigns that produced financial losses for some victims exceeding one million dollars.

Collateral harms: swatting, doxing, and effects on Department of Defense address space

Beyond volumetric disruption, the complaint links Butler to harassment campaigns. KrebsOnSecurity publicly identified Butler on February 28 after tracing email addresses, forum registrations, and posts to Telegram and Discord; the unsealed complaint says Butler continued to threaten and harass researchers who helped identify him. The government says Butler claimed responsibility for at least two swatting attacks targeting Ben Brundage, founder of the security firm Synthient, which had helped to patch a critical weakness exploited by Kimwolf. Brundage told KrebsOnSecurity he is relieved Butler is in custody: "Hopefully this will end the harassment," he said.

The DOJ statement also notes that some of Kimwolf’s assaults affected Internet address ranges for the Department of Defense, prompting an investigation by the Defense Criminal Investigative Service with assistance from the FBI field office in Anchorage.

Investigation and international takedowns

Investigators moved against Kimwolf's infrastructure in coordinated actions this spring. On March 19 U.S. authorities, working with international partners, seized technical infrastructure for Kimwolf and three other large DDoS botnets named Aisuru, JackSkid and Mossad — botnets that investigators said had been competing for the same pool of vulnerable devices. In April the Justice Department joined authorities across Europe in seizing domain names tied to nearly four dozen DDoS‑for‑hire services; because of a bureaucratic mix‑up the list of seized domains remained sealed until the DOJ's May 22 announcement. The DOJ said at least one of those seized services collaborated with Butler’s Kimwolf botnet.

Evidence cited in the complaint and the March search

The criminal complaint says investigators tied Butler to the administration of Kimwolf through IP address records, online account information, transaction records and messaging application records obtained via legal process. The complaint alleges Butler made little effort to separate his real‑life identity from his cybercriminal persona — a fact KrebsOnSecurity highlighted when it publicly unmasked "Dort" in February.

Ontario Provincial Police executed a search warrant at Butler’s Ottawa address on March 19 and seized multiple devices, the police said. The DOJ said the complaint contains an excerpt alleging Butler ordered a swatting attack against Synthient’s founder; the government also alleges Kimwolf issued tens of thousands of attack commands and was responsible for record volumes of DDoS traffic.

How the Department of Defense, security researchers, and victims are positioned

  • Department of Defense and federal investigators: The DoD's investigative arm, the Defense Criminal Investigative Service, is involved and working with the FBI field office in Anchorage. Those agencies will be watching the criminal case and forensic follow‑up, particularly given reported impacts to DoD address ranges and the botnet’s record traffic volume.
  • Security researchers and firms (Synthient): Firms that identified and helped mitigate the vulnerability Kimwolf exploited are directly implicated in the harassment and swatting campaigns. Synthient’s founder expressed relief at the arrest; researchers who assisted in the unmasking will likely be engaged in any ongoing attribution and remediation work tied to seized infrastructure.
  • Victims and service providers: The complaint ties Kimwolf to financial losses for some victims that exceeded one million dollars and to commerce in rented infected systems. Companies and service providers that supply or manage IoT devices — particularly those traditionally firewalled from the open Internet, like digital photo frames and cameras — will be watching remediation, notification and recovery efforts arising from the takedowns.

The arrest caps months of investigation and a public unmasking that began in February, but it also leaves concrete legal steps ahead: Butler faces parallel criminal processes in Canada and the United States, potential extradition proceedings, and an unfolding forensic accounting of damage tied to the botnet’s unprecedented traffic. For now, investigators can point to seized infrastructure, an unsealed complaint, and a detained suspect; the longer arc — prosecutions, restitution, and the technical clean‑up for millions of infected devices — remains to be resolved.

Source: KrebsOnSecurity — “Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada”