Canadian man arrested by international authorities, charged with administrating KimWolf DDoS botnet

ANCHORAGE, Alaska - A criminal complaint was unsealed in the District of Alaska today charging a Canadian man with operating the KimWolf Distributed Denial of Service (DDoS) Internet of Things (IoT) botnet. The U.S. complaint was unsealed following the defendant's arrest in Canada by Canadian authorities.

According to court documents, on April 10, 2026, U.S. authorities criminally charged Jacob Butler, aka "Dort," 23, of Ottawa, Canada, with offenses related to the development and operation of the KimWolf botnet. KimWolf was a DDoS-for-hire service which infected over a million devices worldwide, including devices located in Alaska. The complaint remained sealed pending Butler's arrest.

Following coordination with the U.S. Department of Justice and the Department of Defense Office of Inspector General's Defense Criminal Investigative Service (DCIS), Butler was taken into custody yesterday in Ottawa, Canada, pursuant to an extradition warrant.

In March 2026, U.S. authorities, in partnership with international law enforcement partners, conducted a court-authorized law enforcement operation to seize Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad IoT botnets.

According to court documents, KimWolf targeted infected devices which were traditionally "firewalled" from the rest of the internet, such as digital photo frames and web cameras. The infected devices were enslaved by the botnet operators. The operators then used a "cybercrime as a service" model to sell access to the infected devices to other cybercriminals. The operators and their customers forced the victim devices to participate in DDoS attacks, targeting computers and servers located throughout the world, including Department of Defense Information Network (DoDIN) IP addresses.

KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume. These attacks resulted in financial losses which, for some victims, exceeded one million dollars. The KimWolf botnet is alleged to have issued over 25,000 attack commands.

Law enforcement allegedly connected Butler to the administration of the KimWolf botnet through IP address, online account information, transaction records, and online messaging application records obtained through the issuance of legal process.

In addition to Butler's arrest, the Central District of California unsealed seizure warrants which targeted online services supporting 45 DDoS-for-hire platforms. These seizures broadly disrupted the DDoS platforms, including at least one that collaborated with Butler's KimWolf botnet. U.S. authorities also seized domain records associated with many of these services, redirecting them to an authorized "splash page," which displays a warning to potential visitors that DDoS services are illegal.

Butler is charged with one count of aiding and abetting computer intrusion. If convicted, Butler faces up to 10 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

U.S. Attorney Michael J. Heyman for the District of Alaska and Special Agent in Charge Kenneth DeChellis of the DCIS Cyber Field Office made the announcement.

DCIS is investigating the case, with assistance from the FBI Anchorage Field Office. The U.S. Attorney's Office for the Central District of California handled the recent infrastructure seizures.

International partners in this investigation included the Ontario Provincial Police, Sûreté du Québec, Royal Canadian Mounted Police and German Bundeskriminalamt (BKA).

Additionally, the U.S. Justice Department thanks Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Epieos, Google, Hydrolix, Lumen, Nokia, Oracle, PayPal, Registrar of Last Resort, Salesforce Counter-Threat Ops, The Shadowserver Foundation, Sony Interactive Entertainment, SpyCloud, Synthient, Team Cymru, Unit 221B, XLAB and EUROPOL's PowerOFF team for their assistance provided during this investigation and operation.

Assistant U.S. Attorney Adam Alexander is prosecuting the case.

If anyone has information on the alleged threats or other DDoS threats, please contact U.S. authorities at [email protected].

A criminal complaint is merely an allegation, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

###