The Fall of ‘Dort’: Inside the Collapse of the Kimwolf Botnet Empire

In a high-stakes cross-border operation, Canadian and American authorities have successfully dismantled one of the most prolific and destructive cyber-threat infrastructures of the modern era. On Wednesday, the Ontario Provincial Police (OPP) apprehended 23-year-old Jacob Butler, an Ottawa resident who operated under the alias “Dort.” Butler stands accused of building and orchestrating Kimwolf, a massive Internet-of-Things (IoT) botnet that enslaved millions of connected devices, facilitating record-shattering Distributed Denial-of-Service (DDoS) attacks that crippled infrastructure and terrorized security researchers across North America.
The arrest marks a definitive conclusion to a six-month reign of digital terror. Butler now faces a barrage of criminal hacking charges in both Canada and the United States, with U.S. authorities actively pursuing his extradition to face justice in an Alaska district court.
The Architect of Chaos: Who is Jacob Butler?
Jacob Butler, known in the dark corners of the internet as “Dort,” was not a sophisticated state-sponsored operative, but rather a brazen individual who grew emboldened by his own technical success. Investigations by both independent security journalists and federal agencies revealed that Butler’s undoing was his failure to decouple his real-world identity from his malicious online personas.
By meticulously tracking email addresses, forum registrations, and footprints left on public Telegram and Discord servers, investigators were able to map Butler’s digital life to his physical residence in Ottawa. As early as February 2026, investigative reporting by KrebsOnSecurity publicly linked Butler to the Kimwolf infrastructure. Instead of retreating, Butler reacted with characteristic volatility, launching a series of retaliatory DDoS attacks, doxing campaigns, and “swatting” incidents against those who dared to unmask him.
The Swatting Campaign
Perhaps the most egregious aspect of Butler’s criminal enterprise was his use of swatting—the dangerous practice of making a false emergency report to law enforcement to trigger a heavily armed police response at a victim’s home. Butler specifically targeted Ben Brundage, founder of the security startup Synthient, after the firm developed a patch for the very vulnerability that allowed Kimwolf to spread with such lethal efficiency. The psychological toll of these attacks was immense, though Butler’s attempt to silence his opposition ultimately served only to accelerate the federal investigation into his activities.
Chronology of a Digital Siege
The timeline of the Kimwolf saga highlights the sheer velocity at which modern botnets can evolve and the increasing efficacy of international law enforcement cooperation.
- Late 2025 – Early 2026: Kimwolf begins infecting millions of IoT devices, specifically targeting hardware usually isolated behind firewalls, such as web cameras and digital photo frames.
- January 2026: Synthient, led by Ben Brundage, discovers and mitigates a critical security flaw being exploited by Kimwolf. In response, Butler launches retaliatory swatting attacks against the startup’s founder.
- February 28, 2026: KrebsOnSecurity publishes evidence linking Jacob Butler (“Dort”) to the administration of the Kimwolf botnet.
- March 19, 2026: The definitive turning point. International law enforcement agencies execute a coordinated takedown, seizing the technical infrastructure for Kimwolf and three rival botnets: Aisuru, JackSkid, and Mossad. Simultaneously, the OPP executes a search warrant at Butler’s Ottawa residence, seizing a cache of digital devices.
- April 2026: The U.S. Department of Justice (DOJ) and European authorities seize nearly four-dozen domain names tied to “DDoS-for-hire” services, many of which had been utilizing the Kimwolf infrastructure to execute their illicit contracts.
- May 2026: The criminal complaint against Butler is unsealed in Alaska. Butler is arrested in Canada, awaiting an extradition hearing.
The Technical Anatomy of Kimwolf
Kimwolf was a force multiplier in the world of cyber-extortion. Unlike traditional botnets that might target servers or PCs, Kimwolf specialized in the “low-hanging fruit” of the modern home: the smart-device ecosystem.
Record-Breaking Volume
According to the U.S. Department of Justice, Kimwolf was linked to DDoS attacks that reached a staggering 30 Terabits per second—a figure that stands as a new record in documented attack volume. To put this in perspective, such volume is sufficient to knock major government infrastructure and entire regional ISPs offline simultaneously.
Weaponizing the DoD
The scale of the threat was such that it drew the attention of the Department of Defense (DoD). Kimwolf-led assaults targeted IP address ranges belonging to the DoD, triggering an investigation by the Defense Criminal Investigative Service (DCIS) with support from the FBI’s Anchorage field office. The botnet was not merely a hobbyist tool; it was an industrial-scale weapon that issued over 25,000 attack commands during its six-month operational window, causing millions of dollars in direct financial losses to its victims.
Official Responses and Legal Implications
The arrest of Butler has sent a clear message to the cybercrime community: the anonymity of the internet is not a permanent shield.
The Canadian Perspective
The Ontario Provincial Police have been aggressive in their pursuit of the case. Following the March 19 raid, Butler was charged with:
- Unauthorized use of a computer.
- Possession of a device to obtain unauthorized use of a computer system.
- Mischief in relation to computer data.
Butler remains in Canadian custody and is scheduled for a court hearing on May 26. The Canadian authorities have pledged full cooperation with the U.S. request for extradition.
The U.S. Stance
In the United States, Butler faces one count of aiding and abetting computer intrusion. If extradited and convicted, he faces a potential 10-year prison sentence. However, legal experts note that the U.S. Sentencing Guidelines offer a degree of flexibility for defendants who are young, lack a significant prior criminal history, or provide substantial cooperation to investigators.
“The collaboration between our international partners and the private sector was essential,” stated a DOJ representative. “When security firms like Synthient identify vulnerabilities, and when journalists shine a light on the perpetrators, it makes the job of law enforcement infinitely more effective.”
Implications for IoT Security
The Kimwolf case serves as a stark wake-up call for the technology industry regarding the security of Internet-of-Things devices. By exploiting devices that users rarely update or patch, botmasters like Butler created an army of millions that operated in the shadows.
For many, the relief is palpable. Ben Brundage, reflecting on the arrest of the man who targeted his company and his family, expressed a sentiment shared by many in the cybersecurity community: “Hopefully, this will finally end the harassment.”
A New Era of Enforcement
The dismantling of Kimwolf, alongside rival botnets like Aisuru and JackSkid, underscores a broader shift in how global authorities combat cybercrime. By targeting the “DDoS-for-hire” ecosystem, law enforcement is attacking the business model of cybercrime rather than just individual actors. By removing the infrastructure, they render the botnets useless, effectively starving the cyber-underground of the tools required to launch these massive, high-impact attacks.
As the case of United States v. Butler proceeds, the focus will likely remain on how a single individual, using readily available tools and a lack of moral restraint, was able to hold the digital architecture of a nation hostage. The collapse of the Kimwolf empire is a victory for law enforcement, but it also serves as a sobering reminder of how vulnerable the hyper-connected world remains.
