Canadian man arrested over alleged KimWolf DDoS botnet operation


U.S. prosecutors have charged a 23-year-old Ottawa man with allegedly developing and operating the KimWolf IoT botnet, a DDoS-for-hire service tied to record-scale attacks and more than one million infected devices worldwide.

The U.S. Justice Department says Jacob Butler, also known as “Dort,” was arrested in Canada after a criminal complaint was unsealed in the District of Alaska. Prosecutors allege that KimWolf infected devices around the world, including devices in Alaska.

The case highlights the growing threat from IoT botnets that turn ordinary connected devices into attack infrastructure. Web cameras, routers, digital video recorders, streaming boxes, and other poorly secured devices can be hijacked without the owner noticing.

KimWolf was allegedly sold as a DDoS-for-hire service

According to court documents summarized by federal prosecutors, KimWolf operated under a cybercrime-as-a-service model. The operators allegedly sold access to infected devices so other criminals could launch distributed denial-of-service attacks.

KimWolf was used to target computers and servers worldwide, including Department of Defense Information Network IP addresses. Prosecutors said the botnet was tied to DDoS attacks measured at nearly 30 Tbps and issued more than 25,000 attack commands.

The Hacker News reported that the charges followed earlier international action against KimWolf and related IoT botnets, including Aisuru, JackSkid, and Mossad.

| Item | Details |
| --- | --- |
| Suspect | Jacob Butler, also known as “Dort” |
| Location | Ottawa, Canada |
| Botnet | KimWolf |
| Alleged business model | DDoS-for-hire and cybercrime-as-a-service |
| Device count | Over one million infected devices, according to DOJ; about two million Kimwolf devices, according to Cloudflare’s technical overview |
| Maximum penalty | Up to 10 years in prison if convicted |

Authorities linked KimWolf to record-scale attacks

The botnet’s scale made it dangerous even when attacks lasted only a short time. DDoS traffic at tens of terabits per second can overwhelm targets, disrupt downstream providers, and create major mitigation costs.

Cloudflare’s Aisuru-Kimwolf technical overview says Aisuru-Kimwolf has been responsible for some of the largest hyper-volumetric DDoS attacks on record, including a 31.4 Tbps attack and a 14.1 billion packet-per-second attack.

The same overview describes Kimwolf as a fast-growing Android-focused botnet with about two million devices globally, with significant infection rates in Vietnam, Brazil, India, and Saudi Arabia.

IoT devices gave attackers scale

KimWolf allegedly compromised devices that owners often do not monitor closely. These include webcams, digital photo frames, routers, DVRs, and other small internet-connected systems.

IoT devices make strong botnet targets because many run outdated firmware, use weak or default passwords, stay online for long periods, and rarely receive the same security monitoring as laptops or servers.

Once compromised, these devices can send attack traffic, act as proxies, hide criminal activity behind residential IP addresses, or support other abuse without showing obvious signs to the device owner.

March takedown disrupted KimWolf and three other botnets

The arrest came after a wider March 2026 operation against Aisuru, KimWolf, JackSkid, and Mossad. That action targeted command-and-control infrastructure used by the four IoT botnets.

The Justice Department’s March disruption notice says the four botnets had infected more than three million devices worldwide and launched hundreds of thousands of DDoS attacks.

The operation involved U.S., Canadian, and German authorities, along with support from technology, hosting, networking, payment, and threat intelligence companies. The goal was to interrupt command channels, seize infrastructure, and reduce the botnets’ ability to launch new attacks.

DoDIN targets made the case more serious

The Justice Department says KimWolf and other botnets targeted IP addresses owned by the Department of Defense Information Network. That detail matters because attacks against defense infrastructure can affect military networks, contractor systems, and government-facing services.

The attacks were not limited to government systems. Prosecutors said victims worldwide suffered DDoS attacks, and some victims reported financial losses and remediation costs that reached or exceeded major six-figure and seven-figure levels.

KimWolf is linked to DDoS attacks

Large DDoS attacks can create more than short outages. They can force emergency mitigation contracts, consume staff time, disrupt revenue, hide other intrusions, and trigger customer-impacting downtime.

Investigators say online records tied Butler to KimWolf

Federal prosecutors say investigators linked Butler to KimWolf administration through IP address evidence, online account records, transaction records, and messaging application records obtained through legal process.

The DOJ announcement says Butler was charged on April 10, 2026, and that the complaint remained sealed until after his arrest in Canada.

Butler faces one count of aiding and abetting computer intrusion. The case remains an allegation unless proven in court, and any sentence would depend on federal sentencing guidelines and the court’s decision.

Authorities also seized DDoS-for-hire platforms

The case also included action against broader DDoS-for-hire infrastructure. Prosecutors said the Central District of California unsealed seizure warrants targeting online services that supported 45 DDoS-for-hire platforms.

Those domains were redirected to a law enforcement splash page warning visitors that DDoS services are illegal. The move targets both operators and customers by disrupting access and sending a public deterrence message.

The Hacker News noted that one of the seized platforms allegedly collaborated with KimWolf, showing how botnet operators and booter services can form overlapping criminal markets.

Why booter and stresser services remain a problem

DDoS-for-hire platforms often market themselves as testing tools, but many sell attack capacity to users who want to knock websites, gaming servers, businesses, rivals, or public services offline.

These services reduce the skill needed to launch major attacks. A customer may only need a target address, a payment method, and access to a web panel or messaging channel.

  • Botnet operators infect and control devices.
  • DDoS-for-hire platforms sell attack slots or subscriptions.
  • Customers choose targets and attack duration.
  • Compromised devices generate attack traffic.
  • Victims absorb downtime, mitigation costs, and service disruption.

Cloudflare describes a wider Aisuru-Kimwolf ecosystem

KimWolf sits inside a larger botnet ecosystem that defenders have tracked for hyper-volumetric DDoS activity. Cloudflare describes Aisuru as a parent botnet and Kimwolf as an Android-focused variant.

The Cloudflare overview says Aisuru-Kimwolf can use UDP, DNS, TCP, GRE, and HTTP-based attacks, with carpet-bombing and heavy packet randomization used to complicate detection.

This type of botnet can also support proxy abuse. Compromised residential devices can make malicious traffic appear to come from ordinary home networks, which makes blocking harder for defenders.

How device owners can reduce botnet risk

Owners of routers, cameras, DVRs, smart TVs, Android TV boxes, and other connected devices should treat them as internet-facing computers. Even small devices can become part of major criminal infrastructure.

Basic hardening can reduce risk. Users should change default passwords, apply firmware updates, turn off unused remote administration features, and replace devices that no longer receive security updates.

  • Change default usernames and passwords on all IoT devices.
  • Install firmware updates from the device maker.
  • Disable remote management unless it is truly needed.
  • Turn off unused services such as Telnet, UPnP, and exposed debug interfaces.
  • Place IoT devices on a separate network where possible.
  • Replace unsupported devices that no longer receive updates.
  • Review router logs for unknown outbound connections or traffic spikes.

What businesses should do about DDoS risk

Businesses should prepare for DDoS attacks before they happen. Hyper-volumetric attacks can ramp up quickly, and incident teams may have only minutes to respond.

Organizations should work with their ISP, CDN, cloud provider, or DDoS mitigation vendor to define traffic-scrubbing options, emergency contacts, escalation paths, and thresholds for activation.

| Control | Why it helps |
| --- | --- |
| DDoS mitigation plan | Reduces response time during an active attack. |
| Traffic baselines | Helps teams detect abnormal spikes faster. |
| CDN or scrubbing provider | Absorbs or filters attack traffic before it reaches origin systems. |
| Rate limiting | Limits some application-layer abuse. |
| Provider contacts | Ensures teams know who to call during an emergency. |
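The traffic-baseline control matters most against the carpet-bombing pattern mentioned in the Cloudflare overview, where traffic is spread across many addresses in a prefix so that no single host crosses a per-host alarm. The following is an added example, not code from the article or from any vendor: it compares a per-host limit with a per-prefix baseline built from median and median absolute deviation. The flow tuples, the 15,000 pps per-host limit, the multiplier `k`, and the documentation prefix 198.51.100.0/24 are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed sample data: past per-interval packet rates (pps) for one prefix.
HISTORY = {"198.51.100.0/24": [18000, 21000, 19500, 20500, 20000, 22000]}
# Constructed "normal" interval: two busy hosts, total within the baseline.
NORMAL = [("198.51.100.10", 12000), ("198.51.100.20", 9000)]
# Constructed carpet-bombing interval: 200 hosts, each at a modest 3,000 pps.
CARPET = [(f"198.51.100.{h}", 3000) for h in range(1, 201)]


def aggregate_by_prefix(flows, prefix_len=24):
    """Sum per-destination pps into the covering prefix."""
    totals = defaultdict(int)
    for dst, pps in flows:
        net = ip_network(f"{dst}/{prefix_len}", strict=False)
        totals[str(net)] += pps
    return dict(totals)


def robust_threshold(history, k=6.0, floor=1000):
    """Baseline = median; alarm level = median + k * MAD.

    The floor keeps a very flat history from producing a hair-trigger alarm.
    """
    med = median(history)
    mad = median([abs(x - med) for x in history])
    return med + k * max(mad, floor)


def detect(flows, prefix_history, per_host_limit, prefix_len=24):
    """Return (hosts over the static per-host limit, prefixes over baseline)."""
    per_host_hits = sorted(dst for dst, pps in flows if pps > per_host_limit)
    prefix_hits = {}
    for net, total in aggregate_by_prefix(flows, prefix_len).items():
        hist = prefix_history.get(net)
        if hist and total > robust_threshold(hist):
            prefix_hits[net] = total
    return per_host_hits, prefix_hits


if __name__ == "__main__":
    for name, flows in (("normal", NORMAL), ("carpet", CARPET)):
        hosts, prefixes = detect(flows, HISTORY, per_host_limit=15000)
        print(f"{name}: per-host alerts={hosts} prefix alerts={prefixes}")
```

In the constructed carpet-bombing interval the per-host check stays silent while the prefix aggregate is far above its baseline, which is the case for alerting and activating mitigation on prefix-level totals as well as per-host limits.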

The broader lesson from the KimWolf case

The KimWolf case shows how modern DDoS operations depend on three layers: vulnerable devices, botnet infrastructure, and commercialized attack services. Removing one layer can slow the ecosystem, but attackers often rebuild unless device security improves.

The March DOJ operation disrupted command infrastructure, while the later arrest targeted an alleged administrator. Both actions show a broader law enforcement strategy against botnets and the services that sell access to them.

For defenders, the message is direct. IoT security cannot remain an afterthought, and organizations that depend on online services need DDoS plans that account for attacks measured in terabits per second.

The case now moves through the legal process, but KimWolf’s scale shows why even cheap consumer devices can become part of global cybercrime infrastructure when they remain exposed, outdated, or poorly protected.

FAQ

Who was arrested in the KimWolf botnet case?

Canadian authorities arrested Jacob Butler, also known as “Dort,” a 23-year-old Ottawa resident, after U.S. prosecutors charged him with offenses related to the alleged development and operation of the KimWolf botnet.

What was KimWolf?

KimWolf was an IoT DDoS-for-hire botnet that allegedly infected more than one million devices worldwide, according to the DOJ. Cloudflare’s technical overview estimates Kimwolf itself at about two million devices.

How powerful were KimWolf-linked attacks?

U.S. prosecutors linked KimWolf to attacks measured at nearly 30 Tbps. Cloudflare separately describes Aisuru-Kimwolf attacks reaching 31.4 Tbps and 14.1 billion packets per second.

What devices did KimWolf infect?

KimWolf allegedly infected internet-connected devices such as digital photo frames and webcams. Cloudflare describes Kimwolf as targeting Android devices, including TV streaming boxes, Android streamers, and Android mobile devices.

How can users keep devices out of botnets?

Users should change default passwords, update firmware, disable unnecessary remote management, turn off exposed services, segment IoT devices, and replace devices that no longer receive security updates.
