PROBABLYPWNED
Announcements | May 22, 2026 | 3 min read

KimWolf Botnet Operator Arrested After 30 Tbps DDoS Attacks

Canadian authorities arrest 23-year-old Jacob Butler for operating the KimWolf IoT botnet. The DDoS-for-hire operation enslaved nearly 2 million devices and set volumetric attack records.

ProbablyPwned Team

U.S. and Canadian authorities have arrested and charged a 23-year-old Ottawa man for building and operating KimWolf, an IoT botnet that enslaved nearly two million devices and launched DDoS attacks measuring up to 30 terabits per second, a record for attack volume. Jacob Butler, known online as "Dort," now faces criminal hacking charges in both countries.

The arrest caps a months-long investigation that began after KrebsOnSecurity identified Butler as the KimWolf botmaster in February 2026. Canadian authorities executed the arrest warrant on Wednesday in Ottawa.

The Scale of KimWolf

According to the Department of Justice announcement, KimWolf represented a new generation of IoT botnets that targeted devices traditionally isolated from the public internet. Rather than focusing solely on exposed routers and cameras, Butler allegedly developed techniques to compromise:

  • Digital photo frames connected to home networks
  • Network-attached webcams behind NAT
  • Smart home devices with limited external connectivity
  • Legacy IoT equipment running outdated firmware

The botnet's ability to conscript devices that administrators assumed were "firewalled" from the internet contributed to its rapid growth. At peak operation, KimWolf controlled approximately 1.9 million infected devices worldwide.

The 30 Tbps attacks attributed to KimWolf set volumetric records, surpassing previous peaks from Mirai-derived botnets. Attacks of this magnitude can overwhelm even well-provisioned DDoS mitigation services, making KimWolf a weapon of choice for well-funded clients.

DDoS-for-Hire Operations

Butler allegedly operated KimWolf as a commercial service, renting attack capacity to paying customers. The Hacker News reports that the operation generated significant revenue over its six months of documented activity.

The DDoS-for-hire model, sometimes called "booter" or "stresser" services, allows individuals with no technical skills to launch devastating attacks. Customers pay for attack duration and bandwidth, specifying targets through a web interface while the botnet infrastructure handles execution.

Butler faces one count of aiding and abetting computer intrusion in the United States. If convicted, he could receive up to 10 years in federal prison. Canadian charges are still being processed.

A Pattern of IoT Botnet Enforcement

The KimWolf arrest follows increased international cooperation against botnet operators. Earlier this year, the takedown of the First VPN service disrupted infrastructure used in ransomware and data theft operations. Law enforcement agencies have become more aggressive in pursuing both botnet operators and the infrastructure that supports them.

The timing coincides with broader concerns about critical infrastructure DDoS attacks. We've seen hacktivist groups like NoName057 launching DDoS campaigns against Western targets, and nation-state actors increasingly using volumetric attacks as part of hybrid operations.

For organizations concerned about DDoS resilience, the KimWolf case underscores several realities:

  1. Attack volumes continue to escalate — 30 Tbps exceeds what many mitigation services can absorb
  2. IoT remains a persistent risk — Devices assumed to be "internal" may still be compromised
  3. Commercial botnets are accessible — Anyone with money can rent attack capacity

What This Means for Defenders

The arrest removes one operator but doesn't eliminate the underlying infrastructure. KimWolf's techniques for compromising "firewalled" IoT devices will likely be replicated by other actors. Organizations should:

  • Audit IoT devices for compromise indicators, even those on internal networks
  • Implement network segmentation that isolates IoT from critical systems
  • Monitor for unusual outbound traffic patterns from IoT segments
  • Ensure DDoS mitigation plans account for multi-terabit attacks
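
One way to implement the outbound-traffic check from the list above, as an added example that is not part of the original article: it compares each IoT device's per-minute bytes to external hosts against that device's own baseline. The segment `10.20.0.0/24`, the thresholds, and the flow records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from statistics import median

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # assumed IoT VLAN
INTERNAL = [ipaddress.ip_network(n)                 # RFC 1918 space
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SPIKE_FACTOR = 10       # assumed: alert at 10x the device's own baseline
MIN_BYTES = 1_000_000   # assumed floor so near-zero baselines do not alert

# Constructed flow records: (minute, src, dst, bytes_out)
FLOWS = (
    [(m, "10.20.0.11", "203.0.113.10", 20_000) for m in range(5)]      # photo frame sync
    + [(m, "10.20.0.12", "203.0.113.20", 500_000) for m in range(6)]   # camera upload
    + [(5, "10.20.0.11", "198.51.100.77", 48_000_000),  # sudden outbound burst
       (5, "10.20.0.12", "10.0.0.5", 90_000_000),       # internal transfer, ignored
       (5, "10.30.0.4", "198.51.100.77", 99_000_000)]   # not in the IoT segment
)

def external_bytes_per_minute(flows):
    """Sum the bytes each IoT device sent to non-internal addresses, per minute."""
    totals = defaultdict(lambda: defaultdict(int))
    for minute, src, dst, nbytes in flows:
        if ipaddress.ip_address(src) not in IOT_SEGMENT:
            continue
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in INTERNAL):
            continue
        totals[src][minute] += nbytes
    return totals

def find_spikes(flows, baseline_minutes):
    """Return (device, minute, bytes) where external volume exceeds the baseline."""
    alerts = []
    for src, per_min in external_bytes_per_minute(flows).items():
        # Minutes with no traffic count as zero in the baseline.
        base = [per_min.get(m, 0) for m in baseline_minutes]
        threshold = max(SPIKE_FACTOR * median(base), MIN_BYTES)
        for minute, total in per_min.items():
            if minute not in baseline_minutes and total > threshold:
                alerts.append((src, minute, total))
    return sorted(alerts)

if __name__ == "__main__":
    for device, minute, total in find_spikes(FLOWS, set(range(5))):
        print(f"ALERT {device} minute={minute} external_bytes={total}")
```

A per-device baseline matters here because a camera that uploads steadily and a photo frame that is nearly silent need very different thresholds.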

The investigation continues. Authorities have not disclosed how many customers used KimWolf's services or whether additional arrests are expected. Given the commercial nature of the operation, transaction records could lead to identification of individuals who purchased attacks against specific targets.
