Canadian police have arrested Jacob Butler, a 23-year-old Ottawa man accused by U.S. prosecutors of administering Kimwolf, an internet-of-things botnet that allegedly conscripted millions of devices into distributed denial-of-service attacks.
The U.S. Justice Department said a criminal complaint was unsealed in federal court in Alaska after the Ontario Provincial Police arrested Butler on a U.S. extradition warrant. Butler, who prosecutors say used the alias “Dort,” remains in Canadian custody pending an initial hearing scheduled for early next week.
The case matters because Kimwolf was not a hobby botnet knocking over vanity targets. According to the Justice Department, the network was tied to attacks measured at nearly 30 terabits per second and issued more than 25,000 attack commands. Some victims lost more than $1 million, prosecutors said. The botnet also allegedly hit address ranges used by the U.S. Department of Defense, which brought in the Defense Criminal Investigative Service alongside the FBI’s Anchorage field office.
What prosecutors say Kimwolf did
According to the Justice Department, Kimwolf infected devices such as digital photo frames and web cameras, including systems that were typically shielded from direct internet exposure. Once compromised, those machines could be pointed at targets to flood them with traffic or rented out to other criminals who wanted DDoS capacity without building their own botnet.
That is the familiar IoT botnet model: find weak devices at scale, turn them into disposable traffic cannons, and sell the button to anyone willing to pay. Prosecutors allege Kimwolf competed with other large DDoS botnets for the same vulnerable device population.
On March 19, U.S. authorities and international law enforcement partners seized infrastructure tied to Kimwolf and three other DDoS botnets named Aisuru, JackSkid and Mossad, according to prior Justice Department actions described in the case. The Ontario Provincial Police said officers executed a search warrant the same day at Butler’s Ottawa address and seized multiple devices.
Charges in two countries
In Canada, the Ontario Provincial Police said Butler was charged with unauthorized use of a computer, possession of a device to obtain unauthorized use of a computer system or commit mischief, and mischief in relation to computer data. Police said he is due to remain in custody until a May 26 hearing.
In the United States, Butler faces one count of aiding and abetting computer intrusion. If extradited, convicted and sentenced in U.S. court, he could face up to 10 years in prison, though sentencing would depend on federal guidelines and factors such as age, criminal history and cooperation with investigators.
Investigators connected Butler to Kimwolf’s administration using IP address data, online account records, transaction records and messaging-app records obtained through legal process, according to the criminal complaint.
Security journalist Brian Krebs publicly identified Butler in February as the alleged operator behind the Dort alias after reviewing email addresses, cybercrime forum registrations, and public Telegram and Discord posts. Krebs reported that the harassment did not stop after that identification, including threats against researchers who helped slow Kimwolf’s spread.
The Justice Department also thanked security companies that assisted the investigation, including Synthient. Krebs reported that Dort claimed responsibility for at least two swatting incidents targeting Synthient founder Ben Brundage, whose company helped address a security weakness Kimwolf was using to spread. Brundage told KrebsOnSecurity after the arrest: “Hopefully this will end the harassment.”
The Justice Department said in April that U.S. authorities also seized domains connected to nearly four dozen DDoS-for-hire services, and that at least one of those services worked with Butler’s alleged Kimwolf botnet.
This story draws on original reporting from Krebs on Security.