Alleged Kimwolf Botmaster Arrested in International Operation
#Cybersecurity

Security Reporter

Canadian authorities have arrested Jacob Butler, a 23-year-old Ottawa man suspected of operating the Kimwolf IoT botnet responsible for record-breaking DDoS attacks. The suspect faces charges in both Canada and the United States for allegedly enslaving millions of devices and causing over $1 million in damages.

Canadian authorities have arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved millions of devices for use in massive distributed denial-of-service (DDoS) attacks over the past six months. Jacob Butler, also known online as "Dort," was arrested by the Ontario Provincial Police on Wednesday pursuant to a U.S. extradition warrant.

The arrest follows an international investigation that saw U.S. authorities, along with international partners, seize the technical infrastructure for Kimwolf and three other large DDoS botnets—Aisuru, JackSkid, and Mossad—in March 2026. The Department of Justice unsealed a criminal complaint against Butler in an Alaska district court, charging him with operating the Kimwolf DDoS botnet.

"KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume," the Justice Department statement reads. "These attacks resulted in financial losses which, for some victims, exceeded one million dollars. The KimWolf botnet is alleged to have issued over 25,000 attack commands."

The botnet specifically targeted devices that were traditionally "firewalled" from the rest of the internet, such as digital photo frames and web cameras. Once compromised, these systems were rented to other cybercriminals or forced to participate in record-smashing DDoS attacks, including assaults affecting Internet address ranges for the Department of Defense. Consequently, the DoD's Defense Criminal Investigative Service is investigating the case with assistance from the FBI field office in Anchorage.

KrebsOnSecurity publicly identified Butler as the Kimwolf botmaster in February 2026 after researchers traced his various email addresses, registrations on cybercrime forums, and posts to public Telegram and Discord servers. After being identified, Butler allegedly continued to threaten and harass researchers who helped track down his real-life identity and slow the spread of his botnet.

"He claimed responsibility for at least two swatting attacks targeting the founder of Synthient, a security startup that helped to secure a widespread critical security weakness that Kimwolf was using to spread faster and more effectively than any other IoT botnet out there," the article states.

Ben Brundage, founder of Synthient, expressed relief following Butler's arrest. "Hopefully this will end the harassment," Brundage said. Synthient was among many technology companies thanked by the Justice Department for their assistance in the investigation.

Investigators connected Butler to the administration of the Kimwolf botnet through IP address information, online account details, transaction records, and messaging application records obtained through legal processes. The criminal complaint against Butler shows he did little to separate his real-life and cybercriminal identities.

In Canada, Butler faces charges including unauthorized use of computer; possession of device to obtain unauthorized use of computer system or to commit mischief; and mischief in relation to computer data. He is scheduled to remain in custody until a hearing on May 26. In the United States, he faces one count of aiding and abetting computer intrusion. If extradited, tried and convicted in a U.S. court, Butler could face up to 10 years in prison, though this maximum sentence would likely be tempered by considerations in the U.S. Sentencing Guidelines.

The case highlights the growing threat posed by IoT botnets, which continue to plague organizations and individuals worldwide. Security experts emphasize that basic security practices—such as changing default credentials, regularly updating firmware, and segmenting IoT devices from critical networks—can significantly reduce the risk of device compromise and participation in botnets.

The arrest also demonstrates the increasing effectiveness of international cooperation in combating cybercrime, with law enforcement agencies across multiple countries working together to disrupt large-scale criminal operations. The seizure of Kimwolf's infrastructure and the subsequent arrest of its alleged operator represent a significant victory in the ongoing fight against DDoS attacks and botnet operations.
