U.S. and Canadian Authorities Arrest Suspected KimWolf Botnet Administrator
Canadian authorities arrested Jacob Butler, accused of operating the KimWolf DDoS botnet, which allegedly infected nearly two million devices and powered more than 25,000 cyberattacks worldwide. Butler now faces U.S. extradition and a computer intrusion charge carrying up to 10 years in prison.
U.S. and Canadian law enforcement authorities have arrested and charged a Canadian man accused of operating the KimWolf distributed denial-of-service botnet, a large-scale cybercrime network that allegedly infected nearly two million devices worldwide.
Jacob Butler, 23, also known online as “Dort,” was arrested Wednesday in Ottawa by Canadian authorities under an extradition warrant. He is currently awaiting extradition to the United States.
According to a criminal complaint unsealed Thursday in the District of Alaska, investigators linked Butler to the KimWolf botnet through IP address data, online account records, transaction information, and messaging records.
Butler faces one count of aiding and abetting computer intrusions. If convicted, he could face up to 10 years in prison.
Court documents allege that KimWolf operated as a DDoS-for-hire service, allowing cybercriminals to pay for access to a massive network of compromised devices. The botnet reportedly included infected digital photo frames, web cameras, Android-based TV boxes, streaming devices, and other internet-connected systems.
Authorities say KimWolf was used in more than 25,000 attacks against computers and servers around the world, including Department of Defense Information Network IP addresses. Some victims allegedly suffered financial losses exceeding $1 million.
At its peak, KimWolf was reportedly capable of launching attacks approaching 30 terabits per second, which was described as the largest publicly disclosed DDoS attack at the time.
Cybersecurity researchers at Synthient, who tracked the botnet’s rapid growth, reported in January that KimWolf expanded to nearly two million compromised devices. The researchers said many infections involved Android devices and vulnerabilities tied to residential proxy networks, with the botnet generating roughly 12 million unique IP addresses each week.
In a related action, the Central District of California unsealed seizure warrants targeting 45 DDoS-for-hire platforms. The Justice Department said the seizures disrupted several services, including at least one platform that worked with the KimWolf botnet. U.S. authorities also seized domain records tied to the services and redirected visitors to warning pages stating that DDoS-for-hire services are illegal.
Butler’s arrest follows a March 2026 international operation involving U.S., German, and Canadian authorities. That operation targeted command-and-control infrastructure used by KimWolf and three related botnets: Aisuru, JackSkid, and Mossad. According to the Justice Department, the four botnets collectively infected more than three million IoT devices, including web cameras, digital video recorders, and Wi-Fi routers.