Canadian authorities have arrested a 23-year-old man suspected of operating the KimWolf IoT DDoS-for-hire botnet as part of a coordinated international investigation involving Canada, the United States, and Germany.
The suspect, Jacob Butler (alias “Dort”), is accused of developing and managing KimWolf, a large IoT-based botnet built from compromised devices, including webcams and digital photo frames. Investigators say the botnet infected more than one million devices worldwide and was offered as a cybercrime-as-a-service platform, allowing customers to launch distributed denial-of-service (DDoS) attacks at scale.
KimWolf was linked to high-volume DDoS campaigns targeting systems globally, including IP ranges associated with the U.S. Department of Defence Information Network (DoDIN). Authorities attribute attack peaks reaching nearly 30 Tbps to the botnet, placing it among the largest recorded volumetric DDoS events.
According to investigators, KimWolf carried out more than 25,000 attack commands before its command-and-control (C2) infrastructure was disrupted in a court-authorised operation in March 2026.
That same operation formed part of a wider crackdown on IoT botnets, including Aisuru, JackSkid, and Mossad, and led to the seizure of infrastructure tied to 45 DDoS-for-hire platforms. Many of these domains were redirected to law enforcement warning pages stating that DDoS services are illegal.
Butler was identified through a combination of IP address evidence, account records, transaction data, and chat logs obtained via legal process. He now faces one count of aiding and abetting computer intrusion in the United States, carrying a maximum sentence of 10 years, and is currently in custody in Canada pending extradition.
The broader picture is that two of the most recent record-breaking IoT botnets have now been disrupted, and arrests have been made. This is a positive development for defenders and shows that large-scale enforcement actions against DDoS infrastructure are increasingly coordinated and effective.
At the same time, experience from previous takedowns suggests that the ecosystem rarely stays quiet for long. When major botnets are dismantled, new operators and variants typically emerge to fill the gap. We are watching closely to see how the landscape develops.
