U.S. and Canadian authorities have arrested and charged a Canadian man accused of operating the KimWolf botnet, a massive cybercrime network linked to some of the largest distributed denial-of-service (DDoS) attacks ever publicly disclosed.
According to court documents unsealed in the District of Alaska, 23-year-old Jacob Butler of Ottawa, Canada, allegedly operated the KimWolf botnet under the online alias “Dort.” Canadian authorities arrested Butler on Wednesday pursuant to a U.S. extradition warrant, and he now faces charges related to aiding and abetting computer intrusions. If convicted, he could face up to 10 years in prison.
Investigators say KimWolf functioned as a DDoS-for-hire platform that infected millions of internet-connected devices worldwide, including digital photo frames, webcams, Android-based streaming boxes, and other Internet of Things (IoT) hardware. The compromised devices were allegedly rented out to cybercriminals who used the infrastructure to launch large-scale attacks against online services and networks.
The U.S. Justice Department said KimWolf was connected to attacks reaching nearly 30 terabits per second, which officials described as a record-breaking DDoS attack volume at the time. Authorities also linked the botnet to attacks targeting Department of Defense Information Network IP ranges and thousands of other systems globally.
Officials estimate the botnet carried out more than 25,000 attack commands and caused financial damages exceeding millions of dollars for some victims. Researchers tracking the malware previously reported that KimWolf rapidly expanded after exploiting weaknesses in residential proxy networks and vulnerable Android devices.
The arrest follows a broader international law enforcement operation conducted in March 2026, during which authorities seized command-and-control infrastructure associated with KimWolf and three related botnets identified as Aisuru, JackSkid, and Mossad. Investigators said the four botnets collectively infected more than three million IoT devices worldwide.
Separately, authorities in California also seized infrastructure connected to 45 DDoS-for-hire services believed to support cybercriminal operations. The Justice Department said several domains associated with the services were redirected to law enforcement-controlled warning pages notifying visitors that DDoS-for-hire activity is illegal.
Law enforcement agencies reportedly tied Butler to KimWolf using IP address records, transaction histories, online account data, and messaging platform evidence obtained through legal process. Investigators also linked the suspect to online harassment campaigns targeting cybersecurity researchers who tracked the botnet’s growth.
Cybersecurity researchers warn that IoT botnets remain a major threat because poorly secured internet-connected devices are frequently left exposed online with weak passwords, outdated firmware, or unpatched vulnerabilities. Once infected, the devices can be remotely controlled and weaponized in large-scale DDoS campaigns capable of disrupting critical online infrastructure.