“KimWolf grew to almost 2 million” infected devices after exploiting vulnerabilities in residential proxy networks, researchers said — a scale that underpinned some of the largest distributed-denial-of-service (DDoS) attacks ever recorded.
Jacob Butler arrested in Ottawa and charged in U.S. court
Canadian authorities arrested 23-year-old Jacob Butler — who operated under the handle "Dort" online — in Ottawa on Wednesday pursuant to an extradition warrant. A criminal complaint unsealed Thursday in the District of Alaska says Butler was taken into custody based on IP address and online account information, transaction records, and online messaging records that investigators tied to the KimWolf botnet. Butler now awaits extradition to the United States and faces one count of aiding and abetting computer intrusions, a charge that carries a maximum sentence of 10 years in prison.
KimWolf's reach: devices, attack volume, and impact
Court documents and outside researchers describe KimWolf as a DDoS-for-hire service that sold access to a sprawling network of compromised systems — from digital photo frames and web cameras to Android-based TV boxes and streaming devices. According to the complaint and reporting, KimWolf was used in more than 25,000 attacks worldwide and was capable of launching assaults that reached nearly 30 terabits per second, “the largest DDoS attack publicly disclosed at the time.” Some victims reported financial losses exceeding $1 million, and the botnet at times targeted Department of Defense Information Network IP addresses.
Evidence of rapid expansion and technical footprint
Researchers at cybersecurity firm Synthient who tracked KimWolf reported in January that the botnet expanded rapidly by compromising Android devices and exploiting vulnerabilities in residential proxy networks. Synthient said KimWolf grew to almost 2 million infected devices and generated approximately 12 million unique IP addresses each week. The complaint cited by U.S. prosecutors references those patterns and links Butler to the cybercrime-as-a-service model used to monetize the network.
Coordinated legal actions and infrastructure seizures
Authorities in the United States and Canada did not act alone. The Central District of California unsealed seizure warrants targeting 45 DDoS-for-hire platforms, an action that disrupted multiple DDoS platforms, including at least one that collaborated with the KimWolf botnet. "These seizures broadly disrupted the DDoS platforms, including at least one that collaborated with Butler's KimWolf botnet," the Justice Department said. Separately, U.S., German, and Canadian authorities conducted a March 2026 operation that seized command-and-control infrastructure used by KimWolf and three related botnets — Aisuru, JackSkid, and Mossad — which the Justice Department previously said collectively infected more than 3 million Internet of Things devices, including web cameras, digital video recorders, and Wi‑Fi routers, many of them in the United States. U.S. authorities also seized domain records tied to many of the DDoS services and redirected them to an authorized "splash page" warning visitors that DDoS services are illegal.
What this means for technologists, policymakers, and affected organizations
- Technologists and security teams — Watch for exploitation of residential proxy networks and Android-based devices: Synthient’s analysis linked KimWolf’s growth to those specific vectors, and law enforcement actions focused on command-and-control infrastructure and domain records.
- Policymakers and extradition authorities — Coordinate cross-border seizure and extradition efforts: Canadian custody, an extradition warrant, and earlier operations with German partners demonstrate multi-jurisdictional enforcement tied to electronic service infrastructure.
- Affected enterprises and government networks — Prepare for large-scale DDoS fallout: KimWolf’s documented use in more than 25,000 attacks and the recorded nearly-30-terabit-per-second peak underline exposure for critical networks and the financial risk for victims (some reporting losses above $1 million).
Butler’s arrest and the broader set of seizures show law enforcement carving into the infrastructure supporting DDoS-for-hire operations, yet the public record in court filings and researcher notes leaves the immediate operational resilience of similar services an open question. For now, a defendant awaits extradition to face a single federal count in the District of Alaska, while seized domains and disrupted platforms are being used to warn would-be visitors that these services are illegal.




