United States authorities have announced charges against a Canadian national accused of operating a distributed denial of service botnet known as Kimwolf, which investigators allege was used to conduct large scale DDoS for hire attacks against systems worldwide. According to the United States Department of Justice, 23 year old Jacob Butler, also known online as “Dort,” from Ottawa, Canada, has been charged in connection with the development and operation of the Kimwolf botnet. Officials stated that the botnet functioned as a cybercrime as a service platform, allowing other threat actors to purchase access to compromised devices and launch disruptive attacks against targeted infrastructure, including government networks.
According to investigators, Kimwolf is believed to be a variant of the AISURU botnet and primarily targeted Android devices exposed through Android Debug Bridge, commonly known as ADB. Authorities explained that vulnerable internet connected devices, including digital photo frames and web cameras, were infected and incorporated into the botnet network despite traditionally being protected behind firewalls. Once compromised, these devices were reportedly controlled by botnet operators and used to generate high volumes of malicious internet traffic. Officials said customers who purchased access through the service could direct infected devices to participate in distributed denial of service attacks targeting computers and servers globally, including systems associated with Department of Defense Information Network, also referred to as DoDIN. Court documents cited by investigators reportedly linked Butler to the botnet administration through IP address data, online account records, and Discord messages associated with an account identified as resi[.]to.
The alleged involvement of Butler in Kimwolf activity first gained public attention earlier in February 2026 through reporting by independent cybersecurity journalist Brian Krebs. At the time, Butler reportedly denied involvement and claimed that he had not used the “Dort” online identity since 2021, suggesting that another individual may have been impersonating him following the compromise of an older account. The latest legal action follows a broader law enforcement operation conducted approximately two months earlier, when United States authorities, in partnership with agencies in Canada and Germany, disrupted command and control infrastructure associated with Kimwolf, AISURU, JackSkid, and Mossad botnets through a court authorized effort aimed at limiting malicious cyber operations.
Authorities stated that Kimwolf was responsible for issuing more than 25,000 attack commands before its disruption. Prior to takedown efforts, investigators linked the broader AISURU and Kimwolf infrastructure to some of the highest volume DDoS attacks recorded, generating malicious traffic peaks reaching approximately 31.4 terabits per second. In addition to the charges against Butler, officials disclosed that seizure warrants targeting online services supporting 45 DDoS for hire platforms have also been unsealed, enabling authorities to dismantle multiple services associated with cybercriminal activity. Investigators further noted that one of the dismantled platforms reportedly collaborated with Kimwolf operations. Butler has been charged with one count of aiding and abetting computer intrusion and, if convicted, could face a prison sentence of up to 10 years under United States law.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
