The Fall of ‘Dort’: Inside the Collapse of the Kimwolf Botnet Empire

In a sweeping international law enforcement operation, Canadian authorities have apprehended a 23-year-old Ottawa man accused of masterminding "Kimwolf," a massive Internet-of-Things (IoT) botnet responsible for record-shattering distributed denial-of-service (DDoS) attacks. The arrest marks a significant victory in the ongoing global war against cybercriminals who weaponize everyday household devices to cripple critical infrastructure and terrorize private citizens.

Jacob Butler, who operated under the alias "Dort," is now facing criminal charges in both Canada and the United States. His arrest follows a grueling months-long investigation involving the Ontario Provincial Police (OPP), the U.S. Department of Justice (DOJ), the FBI, and the Department of Defense (DoD). Butler, who allegedly treated his criminal enterprise as a full-time occupation, now sits in Canadian custody, awaiting extradition proceedings that could see him serve significant time in an American federal prison.

The Architecture of Chaos: What was Kimwolf?

Kimwolf was not merely another botnet; it was a sophisticated, self-propagating engine of digital disruption. By exploiting critical vulnerabilities in devices often overlooked by consumers—such as high-end digital photo frames, smart cameras, and internet-connected home appliances—Butler created a "zombie" network of millions of enslaved devices.

These devices, typically sequestered behind residential firewalls, were essentially invisible to their owners but served as powerful nodes in a global malicious network. Once infected, these systems were either leveraged by Butler to launch his own massive DDoS campaigns or leased out to other cybercriminals through a "DDoS-for-hire" model. The scale of the operation was unprecedented, with the DOJ confirming that Kimwolf-orchestrated attacks reached a staggering 30 Terabits per second—a volume of traffic capable of overwhelming even the most robust enterprise-grade internet protections.

A Chronology of Crime and Capture

The unraveling of Butler’s digital empire was a slow burn that culminated in a rapid, coordinated takedown.

The Rise and Harassment

Throughout late 2025 and early 2026, the Kimwolf botnet began its aggressive expansion. During this period, "Dort" demonstrated a penchant for volatility, transitioning from a back-end botnet administrator to a public antagonist. He targeted security researchers and journalists, including the author of this report, using a combination of DDoS attacks, doxing, and, most alarmingly, "swatting"—the act of making a false report to emergency services to incite a heavily armed police response at a victim’s home.

The Investigative Turning Point

In February 2026, investigative work began to peel back the layers of Butler’s anonymity. By cross-referencing email addresses, forum registrations, and footprints left on Telegram and Discord, it became clear that "Dort" was operating from Ottawa. Despite his technical prowess in building a botnet, Butler exhibited poor operational security (OPSEC), failing to properly silo his real-world identity from his online persona.

The March Takedown

On March 19, the net tightened. Authorities in Canada executed a search warrant at Butler’s Ottawa residence, seizing a cache of computing hardware that served as the nerve center for his operations. Simultaneously, U.S. and international law enforcement seized the technical infrastructure powering Kimwolf and three other competing botnets: Aisuru, JackSkid, and Mossad. This coordinated strike effectively neutered the threat landscape, silencing the command-and-control servers that directed the millions of infected devices.

The Formal Charges

Following the seizure of his equipment, formal criminal complaints were unsealed in an Alaska district court. Butler was subsequently arrested by the Ontario Provincial Police pursuant to a U.S. extradition warrant. He is currently awaiting a court hearing, with his next appearance scheduled for late May.

Supporting Data: The Cost of the Kimwolf Era

The impact of the Kimwolf botnet extends far beyond mere internet latency. According to federal investigators, the botnet issued over 25,000 specific attack commands, targeting everything from private businesses to sensitive address ranges owned by the U.S. Department of Defense.

The financial toll has been equally severe. Several victims reported losses exceeding one million dollars per incident, as their online services were rendered unreachable by the relentless 30 Tbps floods of traffic. The sheer audacity of the attacks forced the Defense Criminal Investigative Service (DCIS) to join the investigation, elevating the case from a standard cybercrime to a matter of national security.

Official Responses and The Role of the Private Sector

The collapse of Kimwolf was a testament to the power of public-private partnerships. The Department of Justice explicitly thanked companies like Synthient, a security startup that played a pivotal role in identifying the vulnerability Kimwolf exploited to propagate.

Ben Brundage, the founder of Synthient, became a primary target of Butler’s ire after his team published research that effectively crippled the botnet’s spread. "Hopefully this will end the harassment," Brundage told reporters after the news of the arrest broke. For Brundage, the arrest is not just a win for cybersecurity—it is a restoration of personal safety after months of being stalked by a digital adversary.

In its official statement, the U.S. Department of Justice highlighted the complexity of the investigation: "The criminal complaint against Butler shows he did little to separate his real-life and cybercriminal identities. Through legal process, we obtained IP address logs, transaction records, and messaging application data that left little room for doubt."

Implications for the Future of IoT Security

The Kimwolf case serves as a grim cautionary tale regarding the insecurity of the "Internet of Things." As manufacturers continue to prioritize "time-to-market" over robust security, devices with hardcoded passwords and unpatchable firmware continue to populate the global ecosystem.

A Warning to "Script Kiddies"

Butler’s case also signals a shift in how law enforcement treats "swatting" and DDoS-for-hire administrators. By charging him with both computer intrusion and the associated physical harassment, the DOJ is signaling a zero-tolerance policy toward individuals who bridge the gap between digital criminality and real-world violence.

The Legal Road Ahead

In Canada, Butler faces charges of unauthorized use of a computer, possession of devices for unauthorized use, and mischief related to computer data. If extradited to the United States, he faces one count of aiding and abetting computer intrusion. While the maximum statutory penalty is ten years in federal prison, legal experts note that sentencing guidelines in the U.S. will likely take into account his age, his lack of prior criminal history, and his level of cooperation with federal authorities.

As the legal process plays out, the broader cybersecurity community remains vigilant. While Kimwolf is offline, the underlying vulnerabilities in IoT hardware remain. The arrest of Jacob Butler is a decisive blow against a dangerous actor, but the ease with which he built a multi-million-device botnet from his home in Ottawa serves as a stark reminder that the next "Dort" could be developing a new threat even now. For the time being, however, the digital landscape is a little quieter, and those targeted by the Kimwolf botnet can breathe a sigh of relief.