Canadian Man Arrested for Operating KimWolf DDoS Botnet Hacking 2 Million Devices
Cybersecurity NewsArchived May 22, 2026✓ Full text saved
Canadian and U.S. authorities have arrested and charged a 23‑year‑old Ottawa resident for allegedly operating “KimWolf,” a massive Internet‑of‑Things (IoT) DDoS‑for‑hire botnet that weaponized more than a million connected devices worldwide, including systems in Alaska and on the U.S. Department of Defense Information Network (DoDIN). According to an unsealed criminal complaint in the District of […] The post Canadian Man Arrested for Operating KimWolf DDoS Botnet Hacking 2 Million Devices appea
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
Canadian Man Arrested for Operating KimWolf DDoS Botnet Hacking 2 Million Devices
By Guru Baran
May 22, 2026
Canadian and U.S. authorities have arrested and charged a 23‑year‑old Ottawa resident for allegedly operating “KimWolf,” a massive Internet‑of‑Things (IoT) DDoS‑for‑hire botnet that weaponized more than a million connected devices worldwide, including systems in Alaska and on the U.S. Department of Defense Information Network (DoDIN).
According to an unsealed criminal complaint in the District of Alaska, Jacob Butler, also known by the alias “Dort,” is accused of developing and administering the KimWolf botnet as part of a DDoS‑as‑a‑service operation that rented out attack capacity to other cybercriminals.
KimWolf allegedly compromised traditionally firewalled consumer and small‑office devices such as digital photo frames and webcams, covertly enrolling them into a globally distributed attack infrastructure.
Investigators say the botnet was used to launch high‑volume distributed denial‑of‑service campaigns against targets around the world, including DoDIN‑associated IP ranges.
KimWolf is linked to DDoS attacks peaking at nearly 30 Tbps, placing it among the largest recorded volumetric events to date and driving losses that, for some victims, exceeded one million dollars.
Global takedown and Infrastructure seizures
Butler was arrested in Ottawa pursuant to a U.S. extradition warrant after coordinated action involving the U.S. Department of Justice, the Defense Criminal Investigative Service (DCIS), and Canadian law enforcement partners.
He now faces one count of aiding and abetting computer intrusion in the United States, carrying a maximum penalty of 10 years in prison upon conviction, with sentencing to be determined under the U.S. Sentencing Guidelines.
The arrest follows a broader March 2026 court‑authorized operation that disrupted several high‑impact IoT DDoS botnets, including Aisuru, KimWolf, JackSkid, and Mossad, by seizing their command‑and‑control (C2) infrastructure.
In a parallel action, the Central District of California unsealed seizure warrants against 45 DDoS‑for‑hire platforms alleged to support or collaborate with services like KimWolf. Authorities seized domains and redirected them to a law‑enforcement “splash page” that warns visitors about the illegality of DDoS attacks and booter services.
According to court filings, investigators tied Butler to KimWolf’s administration through a combination of IP address evidence, online account records, payment and transaction trails, and logs from encrypted messaging platforms obtained under legal process.
This evidentiary picture reportedly links his online persona “Dort” to the botnet’s core operational infrastructure and customer‑facing DDoS‑for‑hire activity.
The operation drew on extensive public‑private collaboration, with contributions from a wide range of technology, hosting, security, and networking providers. Their telemetry, abuse handling, and infrastructure intelligence were instrumental in mapping KimWolf’s ecosystem, identifying C2 nodes, and supporting coordinated seizures and sinkholing actions.
Butler remains in custody in Canada while U.S. prosecutors, led by the U.S. Attorney’s Office for the District of Alaska and supported by DCIS and the FBI Anchorage Field Office, pursue extradition and further proceedings in the ongoing KimWolf case.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft
Hackers Hijacking Four-Faith Industrial Routers for Botnet Activity
Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data
Gremlin Stealer Stores C2 URLs and Exfiltration Paths in Encrypted Resource Sections
Grafana Labs Security Breach – Hackers Access GitHub and Download Codebase
Latest News
Cyber Security News
Splunk Patches Multiple Vulnerabilities that Enable DOS Attacks and Expose Sensitive Data
Cyber Security News
CISA Warns of Trend Micro Apex One Vulnerability Exploited in Attacks
Cyber Security News
FBI Warns of Kali365 Attacking Microsoft 365 Users to Steal Logins and Bypass MFA
Cyber Security News
Hackers Use Hugging Face to Host Second-Stage Malware for npm Supply Chain Attack
Cyber Security News
Google Publishes Exploit Code for Unfixed Chromium Bug Exposing Millions of Users