U.S. and Canadian authorities have arrested and charged a 23-year-old Canadian man accused of running the KimWolf distributed denial-of-service botnet, which infected nearly two million devices around the world.
Jacob Butler, also known online as “Dort,” was arrested by Canadian authorities in Ottawa on Wednesday under an extradition warrant. He is now awaiting extradition to the United States, where he faces one count of aiding and abetting computer intrusions. If convicted, he could face up to 10 years in prison.
According to a criminal complaint unsealed Thursday in the District of Alaska, investigators linked Butler to the KimWolf botnet through IP address records, online accounts, transaction details, and messaging records.
Court documents say KimWolf operated as a DDoS-for-hire service, allowing cybercriminals to launch massive attacks against websites, servers, and networks. Some attacks allegedly reached nearly 30 terabits per second, which was then the largest publicly disclosed DDoS attack.
Authorities said Butler sold access to a large network of compromised devices, including digital photo frames, web cameras, Android-based TV boxes, and streaming devices. These infected systems were then used to overwhelm targets with malicious traffic.
The botnet was allegedly involved in more than 25,000 attacks worldwide, including attacks that targeted Department of Defense Information Network IP addresses. Some victims suffered financial losses of more than $1 million.

Cybersecurity firm Synthient, which had been tracking KimWolf’s growth, reported in January that the botnet had grown to nearly two million infected devices. Researchers said it expanded by exploiting vulnerabilities in residential proxy networks and was generating around 12 million unique IP addresses each week.
In a separate action, the Central District of California unsealed seizure warrants targeting 45 DDoS-for-hire platforms. The Justice Department said these seizures disrupted several DDoS services, including at least one platform that worked with the KimWolf botnet.
U.S. authorities also seized domain records linked to many of those services and redirected them to a warning page informing visitors that DDoS-for-hire services are illegal.
Butler’s arrest comes after a March 2026 international law enforcement operation involving U.S., German, and Canadian authorities. That operation seized command-and-control infrastructure used by KimWolf and three related botnets known as Aisuru, JackSkid, and Mossad.
If this article helped you, please consider supporting our work. Every small contribution keeps Abijita.com independent and running.
According to the Justice Department, those four botnets had collectively infected more than three million Internet of Things devices, including web cameras, digital video recorders, and Wi-Fi routers, with many of the compromised devices located in the United States.





