US and Canadian authorities have arrested and charged a Canadian man with using the KimWolf distributed denial-of-service (DDoS) botnet, which infected nearly two million devices worldwide.
Jacob Butler, 23, (aka “Dort”) was arrested by Canadian authorities in Ottawa on Wednesday following an extradition warrant.
According to a criminal complaint unsealed Thursday in the District of Alaska, Butler was arrested based on IP address and Internet account information, transaction records, and Internet message records that revealed his connection to the KimWolf botnet.
Butler is now awaiting extradition to the US and faces one count of aiding and abetting computer hacking, which carries a 10-year prison sentence.
As detailed in court documents, KimWolf operated as a DDoS-for-hire service and was used by cybercriminals to launch attacks that reached nearly 30 terabits per second, the largest publicly disclosed DDoS attack at the time.
Using a cybercrime-as-a-service model, Butler sold access to a large network of vulnerable slave systems (from digital picture frames and web cameras to Android-based TV boxes and streaming devices).
The botnet was used in more than 25,000 attacks targeting computers and servers worldwide (including IP addresses of the Department of Network Information Security) and caused financial losses exceeding $1 million to some victims.
Researchers at the cybersecurity firm Synthient, who have been tracking KimWolf’s rapid growth, noted in January that KimWolf had grown to nearly 2 million users after exposing Android devices to attacks using vulnerabilities in residential proxy networks, and that it generated approximately 12 million unique IP addresses each week.
Separately, the Central District of California unsealed warrants targeting 45 DDoS-for-hire platforms, which disrupted multiple DDoS platforms, including at least one affiliated with the KimWolf botnet.
“This seizure has significantly disrupted DDoS platforms, including at least one affiliated with Butler’s KimWolf botnet,” the Justice Department said yesterday.
“US authorities have also seized domain records associated with many of these services, redirecting them to an authorized ‘splash page’, which displays a warning to potential visitors that DDoS services are illegal.”
Butler’s arrest follows an international operation in March 2026 in which US, German, and Canadian authorities seized the command and control infrastructure used by KimWolf and three related bots (Aisuru, JackSkid, and Mossad), which collectively infected more than 3 million IoT devices.
As the US Department of Justice said at the time, the four botnets collectively infected more than 3 million IoT devices, including webcams, digital video recorders, and Wi-Fi routers, many of them in the United States.
Automated testing tools deliver real value, but they’re designed to answer one question: can an attacker deploy on a network? They are not designed to check that your controls block threats, your firewall detection, or your cloud configs.
This guide covers the 6 areas you really need to verify.
Download Now
