KimWolf botnet – U.S. and Canadian authorities have arrested and charged 23-year-old Jacob Butler, accused of operating the KimWolf DDoS-for-hire botnet that infected nearly two million devices worldwide. Butler, arrested in Ottawa pursuant to an extradition warrant, now faces
A Canadian man charged over the KimWolf botnet was taken into custody in Ottawa this week. and the case has quickly become more than a single arrest. It’s the moment a sprawling DDoS-for-hire operation—built to rent out compromised devices by the attack—collides with criminal charges and coordinated shutdown activity on both sides of the border.
U.S. and Canadian authorities arrested and charged a Canadian man, 23-year-old Jacob Butler, also known online as “Dort,” with operating the KimWolf distributed denial-of-service (DDoS) botnet. Canadian authorities arrested him in Ottawa on Wednesday pursuant to an extradition warrant.
In a criminal complaint unsealed on Thursday in the District of Alaska. the case lays out how investigators tied Butler to KimWolf. The complaint says he was taken into custody based on IP address and online account information. transaction records. and online messaging records that exposed his links to the KimWolf botnet.
Butler now awaits extradition to the U.S., and faces one count of aiding and abetting computer intrusions. That single count carries a maximum sentence of 10 years in prison.
Court documents describe KimWolf as a DDoS-for-hire service used by cybercriminals to launch attacks reaching nearly 30 terabits per second. described as the largest DDoS attack publicly disclosed at the time. Under a cybercrime-as-a-service model. Butler allegedly sold access to a massive network of compromised “enslaved systems”—ranging from digital photo frames and web cameras to Android-based TV boxes and streaming devices.
The complaint says the botnet was used in more than 25,000 attacks targeting computers and servers worldwide, including Department of Defense Information Network IP addresses. It also says the attacks led to financial losses exceeding $1 million for some victims.
Investigators and researchers say the scale grew quickly. Researchers at cybersecurity firm Synthient. tracking KimWolf’s rapid expansion. noted in January that the botnet grew to almost 2 million after compromising Android devices in attacks exploiting vulnerabilities in residential proxy networks. Synthient also said KimWolf generated approximately 12 million unique IP addresses each week.
KimWolf’s growth and criminal reach are part of why U.S. actions in parallel have landed with such force. The Central District of California unsealed seizure warrants targeting 45 DDoS-for-hire platforms. Those seizures disrupted multiple DDoS platforms, including at least one that collaborated with the KimWolf botnet.
The Justice Department said yesterday. “These seizures broadly disrupted the DDoS platforms. including at least one that collaborated with Butler’s KimWolf botnet.” It added that U.S. authorities seized domain records associated with many of these services. redirecting them to an authorized “splash page” warning potential visitors that DDoS services are illegal.
The arrest comes after an earlier multinational operation. In March 2026. U.S. German. and Canadian authorities seized command-and-control infrastructure used by KimWolf and three related botnets—Aisuru. JackSkid. and Mossad. Those four botnets collectively infected over 3 million IoT devices. including web cameras. digital video recorders. and Wi-Fi routers. many of them in the United States.
Taken together. the charges against Butler and the simultaneous seizure of 45 DDoS-for-hire platforms show how these operations are built to be replaced—often by shifting access points rather than dismantling the whole criminal pipeline at once. But the legal filings. the scale numbers. and the disruption steps leave little room to treat KimWolf as a single offline incident: it was a service. powered by compromised devices. used thousands of times. and now tied to a defendant facing extradition.
KimWolf botnet Jacob Butler Dort DDoS-for-hire distributed denial-of-service Canada arrest extradition District of Alaska Central District of California seizure warrants IoT botnets Synthient