CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 22, 2026

23-Year-Old Canadian Charged in KimWolf Botnet Operation

Data Breach Today Archived May 22, 2026 ✓ Full text saved

DOJ Says KimWolf Powered Massive DDoS-for-Hire Operations U.S. prosecutors charged a Canadian man accused of operating the KimWolf botnet, alleging the DDoS-for-hire platform compromised nearly two million IoT devices and powered attacks that reached record traffic volumes worldwide.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Cybercrime , Fraud Management & Cybercrime 23-Year-Old Canadian Charged in KimWolf Botnet Operation DOJ Says KimWolf Powered Massive DDoS-for-Hire Operations Chris Riotta (@chrisriotta) • May 22, 2026     Share Post Share Credit Eligible Get Permission Image: Shutterstock Police arrested a Canadian accused of operating the KimWolf botnet in Ottawa this week after U.S. prosecutors linked him to a massive DDoS-for-hire operation that infected nearly two million internet-connected devices worldwide. See Also: Why Cyberattackers Love 'Living Off the Land' Jacob Butler, 23, aka "Dort," was taken into custody Wednesday by Canadian authorities on an extradition warrant. Federal prosecutors in Alaska unsealed a criminal complaint naming him as the KimWolf administrator. Prosecutors said KimWolf functioned as a criminal rental platform that allowed other threat actors to launch DDoS attacks using compromised devices. Authorities and security researchers estimate the botnet infected nearly two million systems globally, including devices located in Alaska and networks tied to the Defense Department. The complaint outlines how investigators tied Butler to the botnet through Discord accounts, Google records, internet protocol addresses assigned by Bell Canada and backend server logs recovered from KimWolf infrastructure. The arrest follows an international law enforcement operation in March that disrupted infrastructure tied to KimWolf, Aisuru, JackSkid and Mossad - four major IoT botnets accused of launching hundreds of thousands of attacks worldwide (see: Aisuru, KimWolf Botnets Disrupted in International Operation). KimWolf generated attack traffic approaching 30 terabits per second, which the DOJ described as a record observed in DDoS activity. One financial services company told investigators the attacks caused more than $4 million in losses. Investigators said they identified repeated access to KimWolf systems from IP addresses later tied to Butler through Discord and Google account activity. Prosecutors said Butler sometimes used proxy and VPN services but failed to do so consistently, allowing investigators to correlate activity across multiple accounts and systems. Butler committed "significant operational security lapses" by using the same IP address to access a Gmail account opened with Butler's true name and Discord accounts used to support the KimWolf operation, wrote Elliott Peterson in an affidavit. Peterson is a Defense Criminal Investigative Service agent with a long history of disrupting botnets (see: Feds Disrupt Top Stresser/Booter Services). The complaint also accuses Butler of targeting a student researcher who had published information about KimWolf. Investigators said the researcher was later subjected to a false emergency call to police, commonly known as swatting. Prosecutors said KimWolf compromised internet-connected cameras, streaming devices, TV boxes and digital photo frames - hardware commonly targeted by IoT malware operators because many systems remain exposed online long after compromise. Security researchers have warned that modern DDoS operations combine compromised IoT devices with residential proxy services, making malicious traffic more difficult to identify and block. Butler is charged with one count of aiding and abetting computer intrusion and faces up to 10 years in prison if convicted.
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 22, 2026
    Archived
    May 22, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗