Canadian arrested for operating KimWolf botnet tied to record DDoS attack

Canadian authorities have arrested a 23-year-old Ottawa man who is accused of operating the DDoS-for-hire KimWolf IoT botnet platform.

The arrest follows a broader international law enforcement operation earlier this year that dismantled infrastructure tied to the KimWolf, Aisuru, JackSkid, and Mossad botnets, which collectively infected millions of internet-connected devices worldwide.

According to a U.S. Department of Justice announcement, Jacob Butler, also known online as “Dort,” was charged in the District of Alaska with offenses related to the development and administration of the KimWolf botnet. Canadian authorities arrested Butler in Ottawa on Wednesday pursuant to a U.S. extradition warrant.

The criminal complaint alleges that Butler operated KimWolf as a commercial cybercrime service that enabled customers to rent access to large fleets of compromised devices to launch DDoS attacks against targets worldwide, including systems associated with the U.S. Department of Defense Information Network (DoDIN).

Investigators say KimWolf infected more than one million devices globally, including systems located in Alaska. Unlike many traditional IoT botnets that focus primarily on exposed routers and DVRs, KimWolf targeted digital photo frames and internet-connected web cameras.

Once infected, the devices became part of a botnet controlled through command-and-control (C2) infrastructure. Customers purchasing access to the service could then direct massive traffic floods at victim networks and online services.

The DOJ says KimWolf issued more than 25,000 attack commands during its operation and was connected to attacks reaching nearly 30 Tbps, volumes consistent with the hyper-volumetric campaigns observed throughout late 2025 and early 2026.

Earlier this year, Cloudflare reported mitigating a record-breaking 31.4 Tbps DDoS attack attributed to the Aisuru-KimWolf botnet ecosystem. The company described the operation as one of the most powerful known IoT-based botnets, fueled largely by compromised Android-powered smart devices and consumer internet hardware.

In March 2026, U.S. and international authorities seized infrastructure tied to KimWolf and several related botnets in a coordinated disruption effort. The operation involved law enforcement agencies from the United States, Canada, and Germany, alongside support from major cybersecurity and cloud providers.

According to court documents, investigators linked Butler to the KimWolf operation through IP address records, online accounts, financial transaction data, and evidence obtained through legal process from messaging platforms.

Alongside Butler’s arrest, authorities also unsealed seizure warrants targeting infrastructure connected to 45 DDoS-for-hire platforms. The seized domains now redirect visitors to law-enforcement warning pages that inform users that DDoS-for-hire services are illegal.

The DOJ charged Butler with one count of aiding and abetting computer intrusion, which carries a maximum sentence of 10 years in prison if convicted.