Canadian authorities arrested a 23-year-old Ottawa man accused of running the Kimwolf DDoS botnet. The US is now seeking extradition.
US authorities have charged 23-year-old Jacob Butler (aka “Dort”), an Ottawa resident, for allegedly operating the recently disrupted Kimwolf botnet. Authorities arrested the suspect in Canada, he could face up to 10 years in prison if convicted in the US.
Butler was charged with aiding and abetting computer intrusion. According to the Justice Department, investigators linked him to the botnet using IP addresses, account records, financial transactions, and messaging app data.
In January, Synthient researchers reported that the Kimwolf botnet has compromised more than 2 million Android devices, spreading primarily via residential proxy networks.
“According to court documents, on April 10, 2026, U.S. authorities criminally charged Jacob Butler, aka “Dort,” 23, of Ottawa, Canada, with offenses related to the development and operation of the KimWolf botnet. KimWolf was a DDoS-for-hire service which infected over a million devices worldwide, including devices located in Alaska.” reads the press release by DoJ. “The complaint remained sealed pending Butler’s arrest.”
In March, the U.S. DoJ disrupted command-and-control infrastructure used by several IoT botnets, including AISURU, Kimwolf, JackSkid, and Mossad. The operation involved authorities from Canada and Germany, along with major tech companies, to target botnet operators and weaken their global cybercrime activities.
“The U.S. Justice Department participated in a court-authorized law enforcement operation today to disrupt Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets.” reads the press release published by DoJ.
“The operation was conducted simultaneously to law enforcement actions conducted in Canada and Germany, which targeted individuals who operated these botnets. The four botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world. Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks.”
U.S. authorities seized domains, servers, and infrastructure used in cybercrime, including DDoS attacks targeting Department of Defense systems. The disrupted botnets had infected over 3 million devices worldwide, mainly IoT like cameras and routers, often bypassing firewall protections. Operators used a “cybercrime-as-a-service” model, renting access to these hijacked devices to launch large-scale DDoS attacks globally.
Victims reported heavy losses from DDoS attacks, with criminals launching hundreds of thousands of attacks and sometimes demanding extortion payments. The Aisuru botnet was used to launch over 200,000 attack commands, JackSkid 90,000, KimWolf 25,000, and Mossad over 1,000. The joint international operation aims to disrupt these botnets, stop further infections, and prevent future attacks.
Kimwolf is a newly discovered Android botnet linked to the Aisuru botnet that has infected over 2 million devices and issued more than 1.7 billion DDoS attack commands.
The Kimwol Android botnet primarily targets TV boxes, compiled using the NDK and equipped with DDoS, proxy forwarding, reverse shell, and file management functions. It encrypts sensitive data with a simple Stack XOR, uses DNS over TLS to hide communication, and authenticates C2 commands with elliptic curve digital signatures. Recent versions even incorporate EtherHiding to resist takedowns via blockchain domains.
Kimwolf follows a naming pattern of “niggabox + v[number]”; versions v4 and v5 have been tracked. By taking over one C2 domain, researchers observed around 2.7 million IPs interacting over three days, indicating a likely infection scale exceeding 1.8 million devices. Its infrastructure spans multiple C2s, global time zones, and versions, making it hard to estimate the total number of infections.
The botnet borrows the code from the Aisuru family, however, operators redesigned it to evade detection. Its primary function is traffic proxying, though it can execute massive DDoS attacks.
“Law enforcement allegedly connected Butler to the administration of the KimWolf botnet through IP address, online account information, transaction records, and online messaging application records obtained through the issuance of legal process.” continues DoJ. “In addition to Butler’s arrest, the Central District of California unsealed seizure warrants which targeted online services supporting 45 DDoS-for-hire platforms. These seizures broadly disrupted the DDoS platforms, including at least one that collaborated with Butler’s KimWolf botnet. U.S. authorities also seized domain records associated with many of these services, redirecting them to an authorized “splash page,” which displays a warning to potential visitors that DDoS services are illegal.”
Sentencing will be decided by a federal judge.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Kimwolf botnet)
