Skip to content

US and Canada Arrest Operator of KimWolf Botnet

Bottom Line: Canadian man arrested and charged with operating the KimWolf DDoS botnet. The botnet infected nearly two million devices and caused millions in damages. US authorities additionally seized 45 DDoS platforms, thereby disrupting substantial portions of cybercrime infrastructure.

US and Canadian authorities have arrested and charged a Canadian man who allegedly operated the KimWolf botnet. The 23-year-old Jacob Butler distributed distributed denial-of-service malware on nearly two million devices worldwide.

US and Canadian authorities have arrested and charged a Canadian man accused of operating the KimWolf DDoS botnet, which infected nearly two million devices worldwide. The 23-year-old Jacob Butler, known online as “Dort,” was arrested on Wednesday by Canadian authorities in Ottawa following an extradition warrant. According to an indictment revealed in court in Alaska on Thursday, Butler was investigated based on IP address data, online account information, transaction records, and message logs that uncovered his connection to the KimWolf botnet.nnButler now faces extradition to the United States and is charged with aiding and abetting computer intrusions, which carries a maximum penalty of ten years imprisonment. KimWolf operated a DDoS-as-a-Service business model and was used by cybercriminals to conduct attacks with power up to 30 terabits per second – the largest publicly known DDoS attack at that time. Butler sold access to a massive network of more than 25,000 compromised systems, including digital photo frames, webcams, Android TV boxes, and streaming devices.nnThe botnet was deployed in over 25,000 attacks on computers and servers worldwide, including targets of the US Department of Defense, and caused financial losses exceeding one million dollars for individual victims. The cybersecurity company Synthient tracked KimWolf’s rapid growth and recorded nearly two million infected Android devices in January. The botnet generated approximately twelve million unique IP addresses weekly.nnFurthermore, US authorities seized 45 DDoS-for-hire platforms, including at least one that collaborated with KimWolf’s botnet. The arrest follows an international operation from March 2026 in which US, German, and Canadian authorities seized the command and control infrastructure of KimWolf and three related botnets that had infected over three million IoT devices in total.

Share on: