When we covered Jacob Butler’s arrest on May 22, the initial charging documents and press releases captured the broad strokes of the Kimwolf case. Additional details from the DOJ’s full disclosure and Canadian court filings have since emerged — and they add meaningful context to both the scale of the operation and what comes next for Butler.

Canadian Charges Are Separate from the US Case

Butler isn’t only fighting extradition to the United States. Canadian prosecutors have filed their own criminal charges independently of the US complaint. The Canadian charges include:

  • Unauthorized use of a computer
  • Possession of a device to obtain unauthorized use of a computer system or to commit mischief
  • Mischief in relation to computer data

These are distinct from the single US count — aiding and abetting computer intrusions — that carries a 10-year maximum. Canadian prosecutors filing parallel charges is unusual; it suggests either that specific Kimwolf attacks had Canadian victims with jurisdictional hooks, or that Canadian authorities want their own case in hand regardless of how extradition proceedings resolve.

Butler’s custody hearing is scheduled for May 26 — two days from now. That hearing will determine his detention status in Canada while extradition proceedings work through the courts. Extradition from Canada to the United States typically takes months to years; Butler could face Canadian proceedings that run concurrently with or prior to any US trial.

Kimwolf Hit DoD Networks

The detail that likely drove the federal charging decision in Alaska’s district court: DOJ disclosures confirm that Kimwolf customers directed attacks at Department of Defense Information Network (DoDIN) IP addresses.

Botnet operators running DDoS-for-hire services can’t always control who their customers target — the entire business model is that you sell attack capacity and the customer picks the target. But the moment DoD infrastructure appears in the victim list, the nature of the case shifts. It stops being purely a cybercrime matter and enters territory where national security equities are involved.

The Alaska district court jurisdiction — specifically the District of Alaska — almost certainly reflects DoD-connected infrastructure or victims in that jurisdiction. Military installations and government contractors are distributed across Alaska, and federal charging decisions routinely follow where identifiable victims can be placed.

This detail also explains the investigative seriousness of the operation. The FBI’s involvement, the coordination with Canadian authorities, the extradition warrant — these are consistent with a case where the government had specific victims including federal networks, not just anonymous civilian targets.

The March Takedown: Four Botnets, Not Two

Our earlier coverage of the March 2026 Germany BKA-led operation focused on Aisuru and Kimwolf. The DOJ’s full press release from that action describes something broader: a court-authorized operation to seize Command and Control infrastructure for four IoT botnets — Aisuru, KimWolf, JackSkid, and Mossad.

JackSkid and Mossad received minimal coverage at the time, likely because the operational focus was on Aisuru and Kimwolf as the largest and most capable of the four. But the multi-botnet scope of the March action suggests the same threat actor cluster was operating coordinated infrastructure across several distinct malware families — each targeting different device populations or serving different customer segments within the DDoS-for-hire market.

The March action seized the C2 infrastructure. Butler’s arrest in May is the human accountability phase. Whether any of the other botnets had separate operators who remain unidentified — or whether Butler was running all four — has not been publicly disclosed.

The Device Count

Our May 22 article cited over one million infected devices based on initial reporting. DOJ’s full disclosure puts the figure at nearly two million internet-connected devices, with hundreds of thousands located in the United States. An earlier Hacker News investigation from January 2026 had the count above two million as the botnet was still active. The March takedown reduced active infection numbers substantially.

The difference between those figures isn’t a discrepancy — it reflects the botnet at different points in its lifecycle. Active device counts in botnets fluctuate as devices get patched, rebooted, or ISP-cleaned, and as the operators re-infect new targets. The DOJ figure of “nearly two million” likely represents the peak controlled infection count rather than a static number.

What doesn’t change with the count: the 25,000+ attack commands issued and the nearly 30 Tbps peak attack volume are documented operational figures tied to specific recorded incidents. Those numbers hold regardless of how device counts are measured.

What Happens May 26

The custody hearing on May 26 is the immediate next milestone. Canadian courts will determine whether Butler is detained or released on conditions while extradition proceedings continue. Given the gravity of the US charges, the international nature of the case, and the flight risk calculation for a 23-year-old facing a decade in a US federal prison, detention is the likely outcome — but not certain.

Extradition hearings in Canada typically involve challenges to the validity of the underlying US charges, arguments about the political nature of the offense, and assorted procedural motions. For a case involving DDoS attacks — a category with no serious argument for political offense exemption — the extradition pathway to the US is well-established, but could still take a year or more.

Butler’s lawyers have not made public statements. At 23, with a maximum of 10 years on the US count and Canadian charges running in parallel, the calculus for cooperation and a plea arrangement is likely being worked through on both sides.

Sources