U.S. and Canadian authorities arrested and charged a Canadian man with operating the KimWolf distributed denial-of-service (DDoS) botnet, which infected nearly two million devices worldwide.
23-year-old Jacob Butler (also known online as “Dort”) was arrested by Canadian authorities in Ottawa on Wednesday pursuant to an extradition warrant.
According to a criminal complaint unsealed on Thursday in the District of Alaska, Butler was taken into custody based on IP address and online account information, transaction records, and online messaging records that exposed his links to the KimWolf botnet.
Butler now awaits extradition to the U.S. and is facing one count of aiding and abetting computer intrusions, which carries a maximum sentence of 10 years in prison.
As detailed in court documents, KimWolf operated as a DDoS-for-hire service and was used by cybercriminals to launch attacks reaching nearly 30 terabits per second, the largest DDoS attack publicly disclosed at the time.
Using a cybercrime-as-a-service model, Butler sold access to a massive network of compromised enslaved systems (ranging from digital photo frames and web cameras to Android-based TV boxes and streaming devices).
The botnet was used in more than 25,000 attacks targeting computers and servers worldwide (including Department of Defense Information Network IP addresses) and caused financial losses exceeding $1 million for some victims.
Researchers at cybersecurity firm Synthient, who have been tracking KimWolf’s rapid expansion, noted in January that KimWolf grew to almost 2 million after compromising Android devices in attacks exploiting vulnerabilities in residential proxy networks, and that it generated approximately 12 million unique IP addresses each week.
Separately, the Central District of California unsealed seizure warrants targeting 45 DDoS-for-hire platforms, which disrupted multiple DDoS platforms, including at least one that collaborated with the KimWolf botnet.
“These seizures broadly disrupted the DDoS platforms, including at least one that collaborated with Butler’s KimWolf botnet,” the Justice Department said yesterday.
“U.S. authorities also seized domain records associated with many of these services, redirecting them to an authorized ‘splash page,’ which displays a warning to potential visitors that DDoS services are illegal.”
Butler’s arrest follows a March 2026 international operation in which U.S., German, and Canadian authorities seized command-and-control infrastructure used by KimWolf and three related botnets (Aisuru, JackSkid, and Mossad), which collectively infected over 3 million IoT devices.
As the U.S. Justice Department said at the time, the four botnets collectively infected more than 3 million IoT devices, including web cameras, digital video recorders, and Wi-Fi routers, many of them in the United States.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
