OrganisationCA

Kimwolf

IoT botnet alleged to have enslaved over a million consumer devices and produced a record ~30 Tbps distributed denial-of-service flood targeting US Department of Defense address ranges.

Last refreshed: 29 May 2026 · Appears in 1 active topic

Key Question

How did a million enslaved home devices manage a record 30 Tbps attack on the US military?

Timeline for Kimwolf

#521 May

Kimwolf botmaster held over record DDoS

Cybersecurity: Threats and Defences

View full timeline →

Follow Cybersecurity: Threats and Defences →

Common Questions

What was the Kimwolf botnet and how big was the attack?: Kimwolf was an IoT botnet of over one million devices that launched a record-breaking ~30 Tbps DDoS attack against US Department of Defence network ranges. Its infrastructure was seized on 19 March 2026.Source: cyber-threats-and-defences Update 416
Who was arrested for running the Kimwolf botnet?: Jacob Butler, 23, of Ottawa, alias 'Dort', was arrested by Ontario Provincial Police on 21 May 2026. He faces US charges of aiding and abetting computer intrusion, with a maximum sentence of 10 years.Source: event
How was the Kimwolf DDoS botnet taken down?: Law enforcement seized Kimwolf's infrastructure on 19 March 2026, simultaneously neutralising three related botnets (Aisuru, JackSkid, Mossad). The operation reflected coordinated intelligence-sharing between US and Canadian agencies.Source: event
What is a 30 Tbps DDoS attack and is it a record?: A 30 terabit-per-second DDoS flood overwhelms target infrastructure by saturating network links with junk traffic at a volume roughly equivalent to streaming 10 million HD videos simultaneously. The ~30 Tbps Kimwolf attack is among the largest ever publicly reported.Source: event

Background

Kimwolf was a large-scale distributed denial-of-service botnet composed of more than one million enslaved consumer devices, primarily home routers and IoT hardware with weak or default credentials. The botnet was used to launch a record-breaking attack of approximately 30 terabits per second — among the largest DDoS floods ever recorded — targeting United States Department of Defence network ranges. The infrastructure underpinning Kimwolf was seized on 19 March 2026 in a coordinated law enforcement operation that simultaneously neutralised three related botnets: Aisuru, JackSkid, and Mossad.

Jacob Butler, 23, of Ottawa, operating under the alias Dort, was arrested on 21 May 2026 by the Ontario Provincial Police. Butler faces charges in both the United States and Canada: in the US, aiding and abetting computer intrusion carries a maximum sentence of 10 years. Butler is alleged to have operated the Kimwolf botnet and to have targeted security researchers with swatting attacks.

The Kimwolf seizure and arrest are significant for two reasons. First, the ~30 Tbps flood demonstrates that consumer-grade IoT infrastructure can be weaponised to attack military-grade networks at record scale. Second, the simultaneous takedown of four distinct botnets suggests co-ordinated intelligence-sharing between the Five Eyes and Canadian law enforcement, establishing a template for rapid multi-botnet disruption operations.

Source Material

Botnet — Wikipedia

How the World Sees Them

Canada

Canadian law enforcement (Ontario Provincial Police) led the domestic arrest; Canada faces pressure to demonstrate alignment with US cyber-enforcement priorities.

IoT industry

The botnet's scale — one million consumer devices — highlights persistent failures in default-credential security and device lifecycle patching; regulatory momentum for mandatory IoT security standards is increasing.

United States

The targeting of DoD network ranges marks an escalation in botnet ambition; the US is seeking extradition of the alleged operator and has charged under computer-intrusion statutes.