US Charges Canadian Accused of Operating KimWolf DDoS-for-hire Network

Authorities in the United States and Canada have nabbed Jacob Butler, 23, from Ottawa, for running a large cyberattack-for-hire service. Butler, who goes by the “Dort” online, is about to be extradited to the US for trial.

The KimWolf botnet infected nearly two million devices globally and launched more than 25,000 attacks. Some of those attacks targeted U.S. military networks and caused losses of over $1 million for individual victims.

The Arrest and Charges

Canadian police picked Butler up in Ottawa on Wednesday. They acted under an extradition warrant. He is now heading to the United States to face justice.

The criminal complaint unsealed on Thursday in Alaska tells a wild tale. Investigators linked Butler to the KimWolf botnet using his IP address. They also tracked his online accounts, transaction records, and messaging logs.

Digital evidence from the investigation leaves no doubt, Butler’s the person behind the KimWolf botnet. Butler is facing charges for “aiding and abetting” computer hacks, and if found guilty, he could be behind bars for up to 10 years.

How KimWolf Made Money From Chaos

Based on the court filing, Butler ran KimWolf as a DDoS-for-hire service, kinda like cybercrime on demand. Pay him a fee, and he’d attack anyone you wanted. The targets included computers and servers all over the world.

And we’re not talking about small nuisances here. The KimWolf botnet pulled off DDoS attacks at speeds close to 30 terabits per second, the largest ever seen at the time. Butler ran this operation using the cybercrime-as-a-service model. He sold access to a massive network of enslaved devices. These weren’t just computers either.

His botnet infected digital photo frames, web cameras, Android-based TV boxes, and streaming devices. Anything with a weak password was fair game.

Researchers at cybersecurity firm Synthient tracked KimWolf’s growth. Back in January, they noted it had grown to almost 2 million devices. That happened after Butler started compromising Android gadgets.

He exploited flaws in residential proxy networks. The botnet generated about 12 million unique IP addresses each week. It also powered over 25,000 attacks. Some of those attacks hit Department of Defense Information Network IP addresses. Yes, the U.S. military itself got targeted.

The financial losses piled up fast. Some victims lost over $1 million each. That’s real money for real people and real businesses.

A Broader Move Against DDoS Attackers

The authorities didn’t just arrest Butler out of the blue. His arrest was part of a bigger fight to shut down DDoS-for-hire platforms. The Central District of California issued seizure warrants targeting 45 of these platforms, and many of them were successfully disrupted. At least one of those platforms worked directly with Butler’s KimWolf botnet.

The Justice Department said these seizures broadly disrupted the DDoS ecosystem. U.S. authorities also seized domain records for many of these services.

Visit those sites now, and you’ll find a warning “splash page.” It tells visitors that DDoS services are illegal. A nice little digital kiss goodbye for criminals.

The fight against botnets continues on multiple fronts. The KadNap botnet’s hijacking of Asus routers shows how decentralized networks pose ongoing challenges for law enforcement.

This arrest follows an even bigger international operation from March 2026. Back then, U.S., German, and Canadian authorities seized command-and-control servers.

Those servers ran KimWolf and three related botnets: JackSkid, Aisuru, and Mossad. Overall, all four networks compromised 3 million IoT devices, from IP webcams to WiFi routers, DVRs, and more. And the majority of those devices were located in the US.

So Butler now waits for extradition. His digital empire has crumbled. And 2 million infected devices can finally catch a break.