Jacob Butler, 23, of Ottawa, Canada — who operated online under the alias “Dort” — was arrested by Canadian authorities on May 22, 2026, following US federal charges filed in the District of Alaska. He stands accused of building and operating Kimwolf, a DDoS-for-hire botnet that infected over one million IoT and Android devices and launched attacks measured at nearly 30 terabits per second — a figure that sets a documented record for DDoS attack volume.

The arrest comes three months after KrebsOnSecurity publicly named Butler as the Kimwolf botmaster in a February 2026 investigation. That investigation traced Butler through email addresses, cybercrime forum registrations, and posts on public Telegram and Discord servers — connecting the online alias “Dort” to the Ottawa address where Canadian authorities would later find him. US authorities had already filed criminal charges on April 10, 2026; the Canadian arrest on May 22 came pursuant to an extradition warrant.

The Scale of Kimwolf

Kimwolf was not a sophisticated custom implant. It was a volume operation, purpose-built for enslaving the enormous population of internet-connected devices that ship with default credentials, exposed administrative interfaces, or unpatched vulnerabilities. The botnet specifically targeted devices with exposed Android Debug Bridge (ADB) services — a development tool left accessible on production devices, including digital photo frames, web cameras, Android TV boxes, and set-top devices.

At its peak, Kimwolf had infected over a million devices worldwide. Those devices were not used for data exfiltration or espionage. They were attack nodes — coordinated to flood targets with junk traffic on command from Butler’s infrastructure.

The numbers are staggering. Attacks generated by Kimwolf reached nearly 30 Tbps — a threshold that overwhelms virtually any unprotected network and strains the mitigation capacity of all but the largest DDoS protection services. The botnet issued over 25,000 attack commands across its operational lifetime. Kimwolf was a DDoS-as-a-service offering: customers paid Butler to direct those attack commands at targets of their choosing.

From Botnet Takedown to Human Arrest

Earlier coverage of Kimwolf documented the German BKA-led takedown of the Kimwolf botnet infrastructure in early 2026, a cross-border operation that dismantled the network and brought Aisuru — a co-operating botnet — down alongside it. That action removed the attack infrastructure. It didn’t name or arrest the person behind it.

The gap between dismantling botnet infrastructure and arresting its operator is a recurring pattern in cybercrime enforcement. Servers can be seized in coordinated international action. Identifying the human being who owns those servers requires different investigative work: following the money, tracing the operational security failures, mapping the forum posts and messaging platform activity that connect a criminal alias to a real name and address.

KrebsOnSecurity published that work publicly in February. The investigation traced Butler’s online footprint across multiple platforms over an extended period. By the time the story published, law enforcement had already been building its own parallel case — the DOJ charged Butler in April, two months after the Krebs publication, suggesting the criminal investigation had reached its own conclusions around the same timeframe.

What Butler Faces

The criminal complaint charges Butler with one count of aiding and abetting computer intrusions, carrying a maximum sentence of 10 years in prison. He is currently in Canadian custody pending extradition proceedings to the United States, where the District of Alaska has jurisdiction over the case.

The choice of Alaska as the charging jurisdiction likely reflects specific victims or infrastructure connections in that district. DDoS-for-hire prosecutions are typically brought where identifiable victims can be located — companies or services that paid for DDoS protection, suffered quantifiable damage, or are otherwise cooperating with the investigation.

The single count and its 10-year maximum don’t necessarily represent the ceiling of Butler’s exposure. If the government identifies additional charges as extradition proceeds, or if Butler’s cooperation reveals additional criminal conduct, the charging picture can change. For now, the one-count complaint is the public record of what US prosecutors have chosen to file initially.

The DDoS-for-Hire Ecosystem

Butler’s alleged operation fits a well-documented model. DDoS-for-hire services — sometimes called “booters” or “stressers” — lower the barrier to launching crippling network attacks. A customer doesn’t need technical capability; they need a credit card or cryptocurrency wallet and a target IP address.

The customers of Kimwolf’s service are not named in public charging documents, but they’re not an abstraction. Every one of the 25,000+ attack commands Kimwolf issued was directed at something: a competitor’s website, a gaming server, a small business, an individual who crossed someone in an online dispute. The downstream harm is distributed across those targets.

Law enforcement has increasingly targeted the operators of these services rather than trying to trace individual attack customers. Butler’s arrest follows a pattern: Webstresser takedown, Mirai botnet prosecutions, the DDoS-for-hire infrastructure seizures of the last several years. The message is consistent — building and operating the service makes you the principal target.

Sources