Canadian authorities arrested Jacob Butler, 23, of Ottawa on Wednesday, alleging he built and operated the Kimwolf botnet, an Internet-of-Things (IoT) threat that compromised millions of devices and was used to launch some of the largest distributed denial-of-service (DDoS) attacks on record. Butler, known online as “Dort,” faces criminal charges in both Canada and the United States.
Criminal Charges and Botnet Activity
A criminal complaint unsealed in an Alaska district court charges Butler with aiding and abetting computer intrusion. If extradited and convicted in the United States, he faces a maximum of 10 years in prison, though sentencing guidelines would likely account for his age, lack of prior criminal history, and cooperation with investigators. In Canada, the Ontario Provincial Police (OPP) charged Butler with unauthorized use of a computer, possession of a device to facilitate unauthorized system access, and mischief in relation to computer data. He is scheduled to remain in custody pending a hearing on May 26.
The Department of Justice stated that Kimwolf was linked to DDoS attacks peaking at nearly 30 terabits per second, described as a record for DDoS attack volume. The botnet allegedly issued more than 25,000 attack commands, causing financial losses exceeding one million dollars for some victims. Among those targeted were IP address ranges belonging to the U.S. Department of Defense, prompting the Defense Criminal Investigative Service to join the investigation alongside the FBI’s Anchorage field office.
How Kimwolf Spread
Kimwolf targeted devices that are typically isolated behind firewalls, including digital photo frames and web cameras. Compromised devices were either rented to other cybercriminals or conscripted into large-scale DDoS campaigns. The government said a critical vulnerability exploited by Kimwolf helped it spread faster and more effectively than competing IoT botnets.
Infrastructure Takedown and Related Botnets
On March 19, U.S. and international law enforcement partners seized the technical infrastructure supporting Kimwolf and three competing botnets, identified as Aisuru, JackSkid, and Mossad, all of which were targeting the same pool of vulnerable devices. Separately, the OPP executed a search warrant at Butler’s Ottawa address that same day, seizing multiple devices. In April, the Justice Department joined European authorities in seizing domains tied to roughly four dozen DDoS-for-hire services; at least one of those services is alleged to have collaborated with Kimwolf.
Identification and Harassment Campaign
Butler was publicly identified as the Kimwolf operator in February 2026 through a review of email addresses, cybercrime forum registrations, and posts on public Telegram and Discord servers. Rather than going quiet, Butler allegedly escalated, conducting DDoS, doxing, and swatting attacks against security researchers. He claimed responsibility for at least two swatting incidents targeting Ben Brundage, founder of security startup Synthient, which had helped close the vulnerability Kimwolf relied on for rapid propagation. Synthient was among the companies the Justice Department thanked in its statement. Investigators linked Butler to the botnet’s administration through IP address records, online account data, transaction records, and messaging application logs obtained via legal process.
Brundage told KrebsOnSecurity he was relieved by the arrest: “Hopefully this will end the harassment.”
