
Canadian Man Arrested for Operating KimWolf DDoS Botnet Hacking 2 Million Devices

Source: Cybersecurity News. Archived May 22, 2026.



By Guru Baran, May 22, 2026

Canadian and U.S. authorities have arrested and charged a 23-year-old Ottawa resident for allegedly operating “KimWolf,” a massive Internet-of-Things (IoT) DDoS-for-hire botnet that weaponized more than a million connected devices worldwide, including systems in Alaska and on the U.S. Department of Defense Information Network (DoDIN).

According to an unsealed criminal complaint in the District of Alaska, Jacob Butler, also known by the alias “Dort,” is accused of developing and administering the KimWolf botnet as part of a DDoS-as-a-service operation that rented out attack capacity to other cybercriminals.

KimWolf allegedly compromised traditionally firewalled consumer and small-office devices such as digital photo frames and webcams, covertly enrolling them into a globally distributed attack infrastructure. Investigators say the botnet was used to launch high-volume distributed denial-of-service campaigns against targets around the world, including DoDIN-associated IP ranges.

KimWolf is linked to DDoS attacks peaking at nearly 30 Tbps, placing it among the largest recorded volumetric events to date and driving losses that, for some victims, exceeded one million dollars.

Global Takedown and Infrastructure Seizures

Butler was arrested in Ottawa pursuant to a U.S. extradition warrant after coordinated action involving the U.S. Department of Justice, the Defense Criminal Investigative Service (DCIS), and Canadian law enforcement partners. He now faces one count of aiding and abetting computer intrusion in the United States, carrying a maximum penalty of 10 years in prison upon conviction, with sentencing to be determined under the U.S. Sentencing Guidelines.

The arrest follows a broader March 2026 court-authorized operation that disrupted several high-impact IoT DDoS botnets, including Aisuru, KimWolf, JackSkid, and Mossad, by seizing their command-and-control (C2) infrastructure.

In a parallel action, the Central District of California unsealed seizure warrants against 45 DDoS-for-hire platforms alleged to support or collaborate with services like KimWolf. Authorities seized domains and redirected them to a law-enforcement “splash page” that warns visitors about the illegality of DDoS attacks and booter services.

According to court filings, investigators tied Butler to KimWolf’s administration through a combination of IP address evidence, online account records, payment and transaction trails, and logs from encrypted messaging platforms obtained under legal process. This evidentiary picture reportedly links his online persona “Dort” to the botnet’s core operational infrastructure and customer-facing DDoS-for-hire activity.

The operation drew on extensive public-private collaboration, with contributions from a wide range of technology, hosting, security, and networking providers. Their telemetry, abuse handling, and infrastructure intelligence were instrumental in mapping KimWolf’s ecosystem, identifying C2 nodes, and supporting coordinated seizures and sinkholing actions.

Butler remains in custody in Canada while U.S. prosecutors, led by the U.S. Attorney’s Office for the District of Alaska and supported by DCIS and the FBI Anchorage Field Office, pursue extradition and further proceedings in the ongoing KimWolf case.

About the author: Gurubaran KS is a cybersecurity analyst and journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.