By Nana Wu 
In a significant victory for international law enforcement and the cybersecurity community, a 23-year-old Ottawa man has been arrested on charges related to the creation and operation of Kimwolf, a formidable Internet-of-Things (IoT) botnet responsible for some of the largest distributed denial-of-service (DDoS) attacks in history.
Jacob Butler, known in clandestine digital circles by the handle “Dort,” was taken into custody by the Ontario Provincial Police (OPP) this week pursuant to a U.S. extradition warrant. The arrest marks the culmination of a high-stakes, months-long investigation involving the U.S. Department of Justice (DOJ), the FBI, and multiple international partners. Butler now faces a barrage of criminal hacking charges in both Canada and the United States, effectively ending a reign of digital terror that saw millions of devices enslaved to launch record-breaking cyber assaults.
The Architect of Chaos: Who is Jacob Butler?
For months, the figure behind the moniker “Dort” operated with a sense of impunity, leveraging a sprawling network of compromised hardware to terrorize private companies, researchers, and even government infrastructure. According to investigators, Butler’s operation, Kimwolf, was uniquely efficient. It did not merely target standard servers; it specifically sought out “firewalled” devices—often overlooked hardware like digital photo frames, smart cameras, and home automation systems that users erroneously assumed were safe behind home routers.
The investigation into Butler was bolstered significantly by the investigative work of KrebsOnSecurity, which publicly unmasked his identity in February 2026. By meticulously cross-referencing email addresses, forum registrations, and public activity on Telegram and Discord, investigators painted a portrait of a suspect who, despite his technical prowess, failed to adequately separate his real-life identity from his malicious digital persona.
However, unmasking Butler did not stop him. In a retaliatory display of aggression, “Dort” launched a series of swatting and doxing campaigns against security researchers and journalists, including the author of this report. These attempts to silence his detractors ultimately provided law enforcement with additional evidence of his criminal intent and malicious behavior.
A Chronology of the Kimwolf Reign
The rise and fall of Kimwolf serves as a cautionary tale of how rapidly a threat actor can scale their influence in the modern cyber-ecosystem.
- Late 2025: Kimwolf begins infecting millions of IoT devices globally. The botnet’s ability to breach firewalled systems allows it to grow at an unprecedented rate, out-competing rival botnets like Aisuru, JackSkid, and Mossad.
- January 2026: Security firm Synthient discovers a critical vulnerability that Kimwolf is exploiting to maintain its persistence. Their work to patch this vulnerability makes them a primary target for Butler’s harassment.
- February 28, 2026: KrebsOnSecurity publishes evidence linking “Dort” to the Kimwolf botnet, detailing his online footprints.
- March 19, 2026: International law enforcement executes a coordinated operation. The OPP raids Butler’s Ottawa residence, seizing digital evidence, while U.S. authorities simultaneously disrupt the technical infrastructure underpinning Kimwolf and three other major botnets.
- April 2026: The DOJ and European partners execute a secondary operation, seizing dozens of domain names associated with “DDoS-for-hire” services, at least one of which was found to be collaborating with Butler.
- May 2026: Following extensive legal processing, the criminal complaint against Butler is unsealed in the District of Alaska, leading to his formal arrest and the commencement of extradition proceedings.
The Technical Scope: Record-Smashing Destruction
The sheer scale of the Kimwolf botnet distinguishes it from the run-of-the-mill malware operations that plague the internet. The U.S. Department of Justice has confirmed that Kimwolf was responsible for DDoS attacks reaching an staggering 30 Terabits per second (Tbps)—a new, grim record for attack volume.
The damage caused by these attacks was both financial and systemic. The botnet was not only rented out to other cybercriminals as a service but was also used to assault IP address ranges belonging to the U.S. Department of Defense (DoD). This involvement triggered an investigation by the Defense Criminal Investigative Service (DCIS), underscoring the severity of the threat posed to national security.
The DOJ noted that Kimwolf issued over 25,000 unique attack commands, resulting in financial losses for some victims that exceeded $1 million per incident. The botnet effectively turned mundane household electronics into a global weaponized network capable of crippling high-traffic websites and critical infrastructure.
Official Responses and the Role of Private Industry
The apprehension of Butler represents a landmark collaboration between public and private sectors. The DOJ explicitly thanked several technology companies for their assistance in tracking the botnet’s movements and identifying the vulnerabilities that fueled its growth.
Ben Brundage, the founder of Synthient, was a frequent target of Butler’s swatting attacks—a dangerous practice where criminals report fake emergencies to police to trigger armed responses at a victim’s home. Speaking on the arrest, Brundage expressed relief that the harassment campaign appears to be at an end. “Hopefully this will end the harassment,” Brundage stated.
The Ontario Provincial Police have confirmed that the raid on Butler’s home yielded a trove of evidence, including multiple devices that are currently undergoing forensic analysis. In the Canadian court system, Butler has been charged with unauthorized use of a computer, possession of devices for unauthorized use, and mischief in relation to computer data. He is scheduled to remain in custody until at least May 26.
Implications: The Future of IoT Security
The Kimwolf case highlights two critical issues in the current cybersecurity landscape: the extreme vulnerability of IoT devices and the ongoing evolution of “DDoS-for-hire” services.
The IoT Weakness
The fact that a 23-year-old could orchestrate a 30 Tbps attack using consumer-grade photo frames and cameras is a wake-up call for the manufacturing sector. These devices are often sold with weak default credentials and lack the capability for automated security updates. As the “Internet of Things” continues to expand, the risk of these devices being hijacked to form massive, automated armies remains a primary concern for cybersecurity professionals.
The Professionalization of Cybercrime
Butler’s operation was not an isolated incident; it was part of a larger ecosystem of competing botnets. The simultaneous takedown of Kimwolf, Aisuru, JackSkid, and Mossad demonstrates that the market for DDoS-for-hire services is highly competitive and well-funded. By dismantling the command-and-control infrastructure of these networks, law enforcement is attempting to break the business model of cybercrime.
Legal Consequences
If Butler is extradited to the United States, he faces one count of aiding and abetting computer intrusion. While the maximum sentence is 10 years, legal analysts suggest the final outcome will likely be dictated by U.S. Sentencing Guidelines. Factors such as his age, his lack of prior criminal history, and his level of cooperation with federal investigators will play a decisive role in the judge’s final ruling.
As the legal process begins, the arrest of “Dort” serves as a stark reminder to those operating in the shadows of the internet: digital anonymity is a fragile veneer. Through a combination of persistent investigation, international cooperation, and the assistance of the private sector, the entities behind the world’s most dangerous botnets are increasingly being brought into the light—and the courtroom.
Layla Zulfa 
Ali Ikhwan 