Canadian Arrested for KimWolf DDoS Botnet Hacking Operating Million

Canadian and U.S. authorities have arrested and charged a 23-year-old Ottawa resident for allegedly operating “KimWolf.” This massive Internet-of-Things (IoT) DDoS-for-hire botnet weaponized more than a million connected devices worldwide, including systems in Alaska and on the U.S. Department of Defense Information Network (DoDIN

According to an unsealed criminal complaint in the District of Alaska, Jacob Butler, also known by the alias “Dort,” is accused of developing and administering the KimWolf botnet as part of a DDoS‑as‑a‑service operation that rented out attack capacity to other cybercriminals.

KimWolf allegedly compromised traditionally firewalled consumer and small‑office devices such as digital photo frames and webcams, covertly enrolling them into a globally distributed attack infrastructure.

Investigators say the botnet was used to launch high‑volume distributed denial‑of‑service campaigns against targets around the world, including DoDIN‑associated IP ranges.

KimWolf is linked to DDoS attacks peaking at nearly 30 Tbps, placing it among the largest recorded volumetric events to date and driving losses that, for some victims, exceeded one million dollars.

Global takedown and Infrastructure seizures

Butler was arrested in Ottawa pursuant to a U.S. extradition warrant after coordinated action involving the U.S. Department of Justice, the Defense Criminal Investigative Service (DCIS), and Canadian law enforcement partners.

He now faces one count of aiding and abetting computer intrusion in the United States, carrying a maximum penalty of 10 years in prison upon conviction, with sentencing to be determined under the U.S. Sentencing Guidelines.

The arrest follows a broader March 2026 court‑authorized operation that disrupted several high‑impact IoT DDoS botnets, including Aisuru, KimWolf, JackSkid, and Mossad, by seizing their command‑and‑control (C2) infrastructure.

In a parallel action, the Central District of California unsealed seizure warrants against 45 DDoS‑for‑hire platforms alleged to support or collaborate with services like KimWolf. Authorities seized domains and redirected them to a law‑enforcement “splash page” that warns visitors about the illegality of DDoS attacks and booter services.

According to court filings, investigators tied Butler to KimWolf’s administration through a combination of IP address evidence, online account records, payment and transaction trails, and logs from encrypted messaging platforms obtained under legal process.

This evidentiary picture reportedly links his online persona “Dort” to the botnet’s core operational infrastructure and customer‑facing DDoS‑for‑hire activity.

The operation drew on extensive public‑private collaboration, with contributions from a wide range of technology, hosting, security, and networking providers. Their telemetry, abuse handling, and infrastructure intelligence were instrumental in mapping KimWolf’s ecosystem, identifying C2 nodes, and supporting coordinated seizures and sinkholing actions.

Butler remains in custody in Canada while U.S. prosecutors, led by the U.S. Attorney’s Office for the District of Alaska and supported by DCIS and the FBI Anchorage Field Office, pursue extradition and further proceedings in the ongoing KimWolf case.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.