Alleged Kimwolf Botmaster 'Dort' Arrested and Charged in Both the U.S. and Canada
Canadian law enforcement authorities arrested a 23-year-old Ottawa man on Wednesday, charging him with building and operating Kimwolf, one of the most destructive Internet-of-Things (IoT) botnets seen in recent memory. The suspect, identified as Jacob Butler — known online as "Dort" — allegedly used the botnet to enslave millions of internet-connected devices and launch a series of record-breaking distributed denial-of-service (DDoS) attacks over the past six months. Butler now faces serious criminal hacking charges in both Canada and the United States, marking a significant win for international cybersecurity law enforcement cooperation.
Who Is Jacob Butler, a.k.a. 'Dort'?
Jacob Butler came to the attention of cybersecurity researchers and journalists well before his arrest. KrebsOnSecurity publicly identified Butler as a prime suspect in February 2026, following a wave of retaliatory DDoS attacks, doxing campaigns, and swatting incidents directed at the publication's author and at least one other security researcher. These aggressive and dangerous harassment tactics — particularly swatting, which involves making false emergency calls to send armed law enforcement to a victim's address — underscored the reckless and criminal nature of the alleged operation.
A criminal complaint unsealed in an Alaska district court formally charges Butler with operating the Kimwolf DDoS botnet. According to a statement released by the Department of Justice, the complaint was unsealed following Butler's arrest in Canada by the Ontario Provincial Police, acting pursuant to a U.S. extradition warrant. Butler is currently being held in Canadian custody and is awaiting an initial court hearing scheduled for early next week. Whether he will ultimately be extradited to face charges in the United States remains to be determined by the Canadian legal process.
What Is the Kimwolf Botnet?
The Kimwolf botnet is a fast-spreading IoT malware network that, at its peak, had infected and commandeered millions of internet-connected devices around the world. What made Kimwolf particularly notable — and dangerous — was its focus on devices that are traditionally considered safer from external threats because they sit behind firewalls. The government's complaint specifically highlighted devices such as digital photo frames and web cameras as key targets for infection.
These types of consumer and small-business devices are often overlooked from a security standpoint. They rarely receive firmware updates, are frequently left with default credentials, and are not monitored with the same vigilance as computers or enterprise servers. Kimwolf exploited exactly these weaknesses, turning ordinary household and office gadgets into powerful weapons capable of flooding targets with massive volumes of malicious traffic.
How the Botnet Was Used
Once devices were infected and added to the Kimwolf network, they were leveraged in two primary ways:
- DDoS-for-hire services: Infected systems were rented out to other cybercriminals who paid to use the botnet's firepower to knock websites, servers, or online services offline. This type of criminal marketplace — sometimes called a "booter" or "stresser" service — has become a lucrative underground business model.
- Direct DDoS campaigns: The botnet was also used to conduct its own attacks, some of which reached extraordinary scale. Kimwolf was linked to DDoS attacks measured at nearly 30 Terabits per second, a figure described as a record in recorded DDoS attack volume. To put that in perspective, such an attack can overwhelm virtually any online infrastructure, from financial institutions to government networks.
Among the most alarming targets were Internet address ranges belonging to the U.S. Department of Defense. Attacking DoD infrastructure elevates Kimwolf far beyond typical cybercriminal activity and into the realm of national security concern. As a result, the Defense Criminal Investigative Service (DCIS) is actively involved in the investigation, working alongside the FBI's field office in Anchorage, Alaska.
Why This Arrest Matters for Cybersecurity
The takedown of an alleged botnet operator of this scale sends a clear message to cybercriminals who believe they can operate with impunity behind national borders or the relative anonymity of the internet. International cooperation between U.S. and Canadian authorities — spanning the Department of Justice, FBI, Ontario Provincial Police, and DCIS — demonstrates that cross-border cybercrime investigations are becoming more coordinated and more effective.
IoT-based botnets have been a growing threat for years, with earlier infamous examples like Mirai and Emotet demonstrating how devastating large-scale device infections can be. Kimwolf appears to represent the next evolution of this threat, capable of generating attack volumes that dwarf previous records. The alleged ability to sustain nearly 30 Tbps of attack traffic means that organizations of virtually any size — including those with enterprise-level DDoS mitigation — could find themselves overwhelmed.
The Broader IoT Security Problem
This case also highlights a persistent and growing vulnerability in the consumer technology ecosystem. Millions of internet-connected devices — smart cameras, photo frames, routers, smart TVs, and countless other gadgets — are deployed with minimal security consideration. Manufacturers often prioritize cost and convenience over robust security architecture, leaving users exposed.
Security experts have long urged both manufacturers and consumers to take basic precautions: changing default passwords, applying firmware updates, segmenting IoT devices onto separate networks, and disabling remote access features that aren't needed. The Kimwolf case is a stark reminder of why those recommendations matter and what can happen when they are ignored at scale.
What Comes Next for Jacob Butler
Butler faces criminal charges on both sides of the border, with the U.S. charges filed in an Alaska district court. His immediate future will be shaped by Canadian extradition proceedings, which can be lengthy and complex. In the meantime, investigators are likely working to unravel the full scope of the Kimwolf operation — including identifying clients who paid to use the botnet, assessing the total damage caused by its DDoS campaigns, and determining whether other individuals were involved in building or maintaining the network.
As with many cybercriminal cases, the arrest itself is only the beginning. The evidence gathered during the investigation into Kimwolf could lead to additional charges, additional defendants, or broader insights into the underground DDoS-for-hire economy that continues to thrive on the dark web.
Key Takeaways
- Jacob Butler, 23, of Ottawa, Canada, was arrested Wednesday on charges of operating the Kimwolf IoT botnet.
- Kimwolf enslaved millions of consumer IoT devices, including cameras and digital photo frames, using them for DDoS-for-hire services and direct attacks.
- The botnet generated DDoS attacks nearing 30 Terabits per second, reportedly a record volume.
- Targets included U.S. Department of Defense IP ranges, prompting involvement from the Defense Criminal Investigative Service and the FBI.
- Butler faces criminal charges in both Canada and the United States, with potential extradition proceedings underway.
- The case underscores the urgent need for stronger IoT device security across the consumer and enterprise landscape.
For organizations and individuals alike, the Kimwolf arrest is a timely reminder that the connected devices we use every day can become instruments of large-scale cybercrime if left unsecured. Staying informed, applying security updates, and practicing basic cyber hygiene are not optional extras — they are essential defenses in an increasingly hostile digital environment.