More than 2 million Android TV devices were taken over by a variant of the Aisuru botnet that evolved into Kimwolf, prosecutors say — a spread so broad that investigators describe the code as one of the most far-reaching distributed‑denial‑of‑service (DDoS) botnets on record.
Arrest, charges, and extradition proceedings
Authorities arrested Jacob Butler, 23, in Ottawa, Canada, on Wednesday and unsealed charges in the United States that accuse him of aiding and abetting computer intrusions, the Justice Department said. Butler, alleged to have also used the handle “Dort,” was identified by investigators as a principal administrator of Kimwolf. A criminal complaint was filed in the U.S. District Court for the District of Alaska in April and was unsealed following Butler’s arrest; if convicted, Butler faces up to 10 years in prison. The Canadian arrest sets in motion an extradition process to the United States.
Kimwolf’s scope: devices hijacked, attacks launched, and financial harm
Officials say Kimwolf was a DDoS‑for‑hire service that enabled other cybercriminals to launch attacks. Investigators tied Kimwolf — a variant of the record‑setting Aisuru botnet — to more than 25,000 individual attacks that caused network outages, operational disruptions and financial losses the authorities say exceed millions of dollars. In a broader sweep in March, authorities seized infrastructure used by Kimwolf alongside the Aisuru, JackSkid and Mossad botnets; collectively those botnets had hijacked roughly three million devices and carried out over 300,000 DDoS attacks, according to officials.
Evidence cited in the affidavit: overlapping IPs, Discord, and email accounts
A special agent with the Defense Criminal Investigative Service linked Butler to Kimwolf in part by tracing shared IP usage. The agent reported that Butler used the same IP address to access multiple email accounts in his name and Discord accounts associated with Kimwolf. In the agent’s affidavit: “I have observed significant operational security lapses on Butler’s part resulting in patterns of overlapping IP usage among a Google account in Butler’s true name, other Google accounts that I believe to be controlled by Butler due to use of the same machine cookies, and Discord accounts which have been used in support of the KimWolf operation.”
The affidavit further describes overlapping IP usage between the Discord accounts and the Kimwolf backend server, and notes that the IP addresses appeared to be proxy or VPN IPs “which were likely used by Butler in an unsuccessful attempt to evade law enforcement scrutiny.” The agent added that Butler “did not use proxy or VPN IP addresses exclusively,” a point investigators used to connect him to accounts and infrastructure linked to Kimwolf.
March takedowns, infrastructure seizures, and an apparent comeback
Law enforcement described the March actions — seizures of infrastructure supporting Kimwolf, Aisuru, JackSkid and Mossad — as a major disruption. Still, court records in the complaint indicate the Kimwolf botnet returned to operation after those seizures. Cybersecurity researcher Zach Edwards, staff threat researcher at Infoblox, told CyberScoop that “Kimwolf and the botnets associated with this operation have supported persistent corporate intrusion efforts and been used by a wide range of serious threat actors.” He warned that hundreds of millions of insecure IoT and network devices remain connected to sensitive networks and continue to be attractive targets for threat actors seeking to build successor botnets.
How the Department of Defense networks, security teams, and consumers are affected
- Department of Defense networks: Officials said they found evidence linking Kimwolf to DDoS attacks targeting Department of Defense Information Network IP addresses, placing military network operators among those who must account for ongoing DDoS risk and potential service impacts.
- Security teams and network operators: The takedown and the botnet’s return underline a practical reality described by Edwards: without addressing insecure endpoints at scale, defenders will repeatedly contend with new botnet iterations. Network operators will need to continue monitoring for DDoS traffic signatures tied to Kimwolf and related families and prioritize mitigation capacity.
- Consumers and device owners: The botnets exploited insecure IoT devices — in one case spreading across Android TV devices — demonstrating the downstream impact of poorly secured home and embedded devices on broader network stability and financial losses to affected organizations.
Authorities searched Butler’s residence during the globally coordinated operation in March but did not arrest him until roughly two months later, underscoring the length and coordination often required to translate cyber‑investigations into criminal charges. The affidavit and complaint form the public record tying Butler to operational artifacts and account access patterns investigators used to move the case forward.
Kimwolf’s reach — millions of coerced devices, tens of thousands of attacks and documented links to attacks on Department of Defense IP ranges — leaves a narrow but urgent question: can law enforcement takedowns and prosecutions, like Butler’s arrest, keep pace with botnet operators who rebuild and reconfigure their infrastructure? For now, officials have removed a person they allege was a principal administrator, but the technical and device‑level vulnerabilities that enabled success remain the point of persistent risk.




