Kimwolf DDoS Botnet Operator Arrested After Global Cybercrime Spree

A 23-year-old Canadian man from Ottawa named Jacob Butler, who went by the online alias Dort, was arrested by U.S. authorities for allegedly operating a distributed denial-of-service botnet called Kimwolf. The botnet was believed to be a variant of another malicious network called AISURU and specialized in compromising Android devices that had vulnerable Android Debug Bridge services exposed to the internet. Kimwolf particularly targeted devices like digital photo frames and web cameras that typically had weak security protections, bringing them under the control of the botnet operators.

Once these devices were infected and controlled, Butler and his associates allegedly sold access to them through a cybercrime-as-a-service business model. Customers who purchased this access could then command the infected devices to launch DDoS attacks against various targets worldwide, including sensitive systems belonging to the U.S. Department of Defense Information Network. Investigators linked Butler to the operation through his IP address, various online accounts, and Discord communications from an account called resi.to. While Butler denied his involvement when security journalist Brian Krebs first reported on the connection in February, claiming someone had hijacked his old Dort identity, the evidence was apparently sufficient for federal prosecutors to move forward.

The arrest came two months after an international law enforcement operation involving the United States, Canada, and Germany dismantled the command-and-control infrastructure for Kimwolf along with several related botnets, including AISURU, JackSkid, and Mossad. According to the Justice Department, Kimwolf alone issued more than 25,000 attack commands during its operation. The AISURU and Kimwolf botnets were responsible for some of the most powerful DDoS attacks on record, generating malicious traffic that peaked at an extraordinary 31.4 terabits per second. Law enforcement also executed search warrants against 45 different DDoS-for-hire platforms that supported these operations, effectively taking them offline.

Butler now faces federal charges of aiding and abetting computer intrusion, which carries a maximum sentence of 10 years in prison if convicted. This case highlights the continuing efforts by international law enforcement to disrupt the DDoS-for-hire ecosystem and hold operators accountable for building and monetizing botnets that enable cyberattacks against critical infrastructure and commercial targets around the world.
