Skip to main content
Emerging ThreatsMalware & Ransomware

Canada Arrests Kimwolf DDoS Botnet Operator in US-Led Crackdown

"Kimwolf targeted infected devices which were traditionally 'firewalled' from the rest of the internet, such as digital photo frames and web cameras," the U.S. Department of Justice said Thursday.

Jacob Butler (aka "Dort"): arrest and federal charge

The Department of Justice announced the arrest of a 23‑year‑old Canadian man, Jacob Butler of Ottawa, who is charged in connection with the development and operation of a distributed denial-of-service (DDoS) botnet known as Kimwolf. Court documents tie Butler to administration of Kimwolf through an IP address, online account information, and Discord message records posted by an account identified as resi[.]to. Butler has been charged with one count of aiding and abetting computer intrusion; if convicted he faces up to 10 years in prison.

Kimwolf as a variant of AISURU and its operational profile

The DoJ assessed Kimwolf to be a variant of AISURU. According to the department, operators of the botnet infected devices that were often "firewalled" from the wider internet—specifically naming digital photo frames and web cameras—and then "enslaved" those devices to perform attacks. The operators used a "cybercrime-as-a-service" model, selling access to the pool of infected devices to other cybercriminals and directing those compromised endpoints to participate in DDoS attacks against computers and servers worldwide, including IP addresses on the Department of Defense Information Network (DoDIN).

Scale of attacks and prior public reporting

Per the DoJ, Kimwolf is estimated to have issued more than 25,000 attack commands. Before law enforcement disrupted the infrastructure, the combined AISURU/Kimwolf campaigns were among those tied to record-setting DDoS activity, with flood traffic peaking at 31.4 terabits per second (Tbps). Independent security journalist Brian Krebs first exposed Butler's alleged connection to Kimwolf in February; at that time the defendant told Krebs he had not used the "Dort" persona since 2021 and claimed another party was impersonating him after compromising his old account.

International disruption, seizure warrants, and the DDoS‑for‑hire ecosystem

The charges against Butler come roughly two months after U.S. authorities, in partnership with Canada and Germany, executed a court-authorized operation that disrupted the command-and-control infrastructure tied to Kimwolf, AISURU, JackSkid, and Mossad. Following that operation, seizure warrants were unsealed that targeted online services supporting 45 DDoS‑for‑hire platforms—action the DoJ said enabled law enforcement to dismantle those platforms. The DoJ also stated that one of the seized platforms had collaborated with Kimwolf.

What this means for DoDIN defenders, international law enforcement, and security researchers

  • DoDIN defenders and network operators: the public disclosure that Kimwolf targeted DoDIN IP addresses underscores an immediate need to confirm whether compromised endpoints remain active on internal or perimeter networks and to hunt for the distinctive indicators tied to AISURU/Kimwolf attack commands.
  • International law enforcement partners: the coordinated disruption involving the United States, Canada, and Germany demonstrates cross‑border court‑authorized action against shared C2 infrastructure and the use of seizure warrants against ancillary online services; further cooperation and follow‑through in prosecutions will be necessary to convert disruption into sustained reduction of the DDoS‑for‑hire ecosystem.
  • Security researchers and incident responders: the attribution of Kimwolf as an AISURU variant and the public estimate of over 25,000 issued attack commands (and a 31.4 Tbps peak) provide concrete data points for network modeling, signature development, and post‑incident forensic comparisons with other high‑throughput DDoS campaigns.

The legal and technical follow‑through will determine whether the takedown and the single criminal charge produce a lasting dent in the botnet's operators and customers. For now, the DoJ has laid out the mechanics—device enslavement, a pay‑for‑access model, and a global targeting footprint including DoDIN—and a single defendant has been brought to court; the outcome of the prosecution and any additional enforcement actions tied to the 45 seized services remain the next observable steps.

https://thehackernews.com/2026/05/kimwolf-ddos-botnet-operator-arrested.html