
U.S. and Canadian authorities have arrested and charged a Canadian man accused of operating the KimWolf distributed denial-of-service botnet, a cybercrime network linked to attacks targeting organizations and internet infrastructure around the world.
Jacob Butler, 23, who allegedly used the online alias “Dort,” was arrested Wednesday in Ottawa under an extradition warrant issued by U.S. authorities. Court documents unsealed Thursday in the U.S. District Court for the District of Alaska charge Butler with one count of aiding and abetting computer intrusions, an offense carrying a maximum prison sentence of 10 years.
Investigators tied Butler to the KimWolf botnet through IP address data, online account records, transaction histories, and digital communications uncovered during the investigation.
Federal prosecutors said KimWolf operated as a DDoS-for-hire platform, allowing cybercriminals to purchase access to a large network of compromised devices capable of overwhelming targeted systems with internet traffic. Authorities said the botnet generated attacks reaching nearly 30 terabits per second, described in court filings as the largest publicly disclosed DDoS attacks at the time.
The botnet relied on a cybercrime-as-a-service model built on infected consumer electronics and internet-connected devices, including digital photo frames, web cameras, Android-based television boxes, and streaming devices. Investigators said the network was used in more than 25,000 attacks targeting computers and servers globally, including systems associated with the Department of Defense Information Network.
Some victims suffered financial losses exceeding $1 million, prosecutors said.
Synthient, a cybersecurity firm that tracked the malware network, identified rapid growth in KimWolf’s operations earlier this year after attackers exploited vulnerabilities in residential proxy networks to compromise Android devices. Researchers observed the botnet expanding to nearly two million infected systems and generating roughly 12 million unique IP addresses each week.
The arrest follows a broader international enforcement effort targeting DDoS infrastructure. In March 2026, authorities in the United States, Germany, and Canada seized command-and-control systems linked to KimWolf and three related botnets identified as Aisuru, JackSkid, and Mossad.
The U.S. Justice Department said the four botnets collectively infected more than three million internet-of-things devices, including web cameras, digital video recorders, and Wi-Fi routers, many located in the United States.
Separately, seizure warrants unsealed in the Central District of California targeted 45 DDoS-for-hire platforms connected to the broader cybercrime ecosystem. Authorities said the operation disrupted multiple services, including at least one platform that collaborated with the KimWolf network.
Federal investigators also seized domain records associated with several of the platforms and redirected visitors to government-controlled warning pages stating that DDoS-for-hire services are illegal.
Butler remains in Canadian custody pending extradition proceedings to the United States.