Canadian authorities have arrested a 23-year-old man accused of operating the KimWolf botnet, a major DDoS-for-hire network linked to record-breaking cyberattacks and more than one million infected devices worldwide.

According to U.S. court documents, Jacob Butler of Ottawa, Canada, allegedly managed the botnet under the online alias “Dort.” Butler was arrested under an extradition warrant and now faces charges in the United States related to aiding and abetting computer intrusions. If convicted, he could face up to 10 years in prison.

Investigators say KimWolf operated as a cybercrime-as-a-service platform that allowed other criminals to rent access to a massive network of compromised internet-connected devices. The botnet primarily targeted vulnerable Internet of Things devices, including webcams, digital photo frames, routers, Android TV boxes, and streaming hardware.

Once infected, the devices were used to launch distributed denial-of-service attacks capable of overwhelming targeted servers and online infrastructure with massive volumes of internet traffic. Authorities linked the botnet to attacks targeting organizations worldwide, including systems connected to the U.S. Department of Defense Information Network.

The U.S. Department of Justice stated that attacks associated with KimWolf reached nearly 30 terabits per second, making them among the largest publicly disclosed DDoS attacks ever recorded at the time. Officials said the botnet issued more than 25,000 attack commands before authorities disrupted its infrastructure earlier this year.

The arrest follows a broader international law enforcement operation conducted in March 2026 that targeted the command-and-control infrastructure behind several major IoT botnets, including KimWolf, AISURU, JackSkid, and Mossad. Authorities from the United States, Canada, and Germany participated in the operation alongside private cybersecurity companies.

Officials said the four botnets collectively infected more than three million devices worldwide. Researchers previously linked the AISURU and KimWolf networks to a 31.4 Tbps hyper-volumetric DDoS attack that lasted approximately 35 seconds and automatically triggered mitigation systems across major internet infrastructure providers.

Court filings indicate investigators identified Butler through IP address records, transaction histories, online account information, and digital messaging records tied to the botnet operation. Independent cybersecurity journalist Brian Krebs had connected the “Dort” alias to KimWolf activity earlier this year after reporting harassment and DDoS attacks targeting security researchers.

Authorities also disrupted dozens of additional DDoS-for-hire services believed to support the broader botnet ecosystem. Several seized domains were redirected to law enforcement-controlled warning pages notifying visitors that DDoS-for-hire services are illegal.

Cybersecurity experts warn that IoT botnets remain one of the biggest threats to internet infrastructure because many smart devices continue operating with outdated firmware, exposed services, or weak default passwords. Once a device is compromised, attackers can silently add it to a botnet capable of generating enormous volumes of malicious traffic.
