23-Year-Old Canadian Charged in KimWolf Botnet Operation
Data Breach TodayArchived May 22, 2026✓ Full text saved
DOJ Says KimWolf Powered Massive DDoS-for-Hire Operations U.S. prosecutors charged a Canadian man accused of operating the KimWolf botnet, alleging the DDoS-for-hire platform compromised nearly two million IoT devices and powered attacks that reached record traffic volumes worldwide.
Full text archived locally
✦ AI Summary· Claude Sonnet
Cybercrime , Fraud Management & Cybercrime
23-Year-Old Canadian Charged in KimWolf Botnet Operation
DOJ Says KimWolf Powered Massive DDoS-for-Hire Operations
Chris Riotta (@chrisriotta) • May 22, 2026
Share Post Share
Credit Eligible
Get Permission
Image: Shutterstock
Police arrested a Canadian accused of operating the KimWolf botnet in Ottawa this week after U.S. prosecutors linked him to a massive DDoS-for-hire operation that infected nearly two million internet-connected devices worldwide.
See Also: Why Cyberattackers Love 'Living Off the Land'
Jacob Butler, 23, aka "Dort," was taken into custody Wednesday by Canadian authorities on an extradition warrant. Federal prosecutors in Alaska unsealed a criminal complaint naming him as the KimWolf administrator.
Prosecutors said KimWolf functioned as a criminal rental platform that allowed other threat actors to launch DDoS attacks using compromised devices. Authorities and security researchers estimate the botnet infected nearly two million systems globally, including devices located in Alaska and networks tied to the Defense Department.
The complaint outlines how investigators tied Butler to the botnet through Discord accounts, Google records, internet protocol addresses assigned by Bell Canada and backend server logs recovered from KimWolf infrastructure. The arrest follows an international law enforcement operation in March that disrupted infrastructure tied to KimWolf, Aisuru, JackSkid and Mossad - four major IoT botnets accused of launching hundreds of thousands of attacks worldwide (see: Aisuru, KimWolf Botnets Disrupted in International Operation).
KimWolf generated attack traffic approaching 30 terabits per second, which the DOJ described as a record observed in DDoS activity. One financial services company told investigators the attacks caused more than $4 million in losses.
Investigators said they identified repeated access to KimWolf systems from IP addresses later tied to Butler through Discord and Google account activity. Prosecutors said Butler sometimes used proxy and VPN services but failed to do so consistently, allowing investigators to correlate activity across multiple accounts and systems.
Butler committed "significant operational security lapses" by using the same IP address to access a Gmail account opened with Butler's true name and Discord accounts used to support the KimWolf operation, wrote Elliott Peterson in an affidavit. Peterson is a Defense Criminal Investigative Service agent with a long history of disrupting botnets (see: Feds Disrupt Top Stresser/Booter Services).
The complaint also accuses Butler of targeting a student researcher who had published information about KimWolf. Investigators said the researcher was later subjected to a false emergency call to police, commonly known as swatting.
Prosecutors said KimWolf compromised internet-connected cameras, streaming devices, TV boxes and digital photo frames - hardware commonly targeted by IoT malware operators because many systems remain exposed online long after compromise. Security researchers have warned that modern DDoS operations combine compromised IoT devices with residential proxy services, making malicious traffic more difficult to identify and block.
Butler is charged with one count of aiding and abetting computer intrusion and faces up to 10 years in prison if convicted.