
Kimwolf
IoT botnet alleged to have enslaved over a million consumer devices and produced a record ~30 Tbps distributed denial-of-service flood targeting US Department of Defense address ranges.
Last refreshed: 29 May 2026 · Appears in 1 active topic
How did a million enslaved home devices manage a record 30 Tbps attack on the US military?
Timeline for Kimwolf
Kimwolf botmaster held over record DDoS
Cybersecurity: Threats and DefencesWhat was the Kimwolf botnet and how big was the attack?
Who was arrested for running the Kimwolf botnet?
How was the Kimwolf DDoS botnet taken down?
Background
Kimwolf was a large-scale distributed denial-of-service botnet composed of more than one million enslaved consumer devices, primarily home routers and IoT hardware with weak or default credentials. The botnet was used to launch a record-breaking attack of approximately 30 terabits per second — among the largest DDoS floods ever recorded — targeting United States Department of Defence network ranges. The infrastructure underpinning Kimwolf was seized on 19 March 2026 in a coordinated law enforcement operation that simultaneously neutralised three related botnets: Aisuru, JackSkid, and Mossad.
Jacob Butler, 23, of Ottawa, operating under the alias Dort, was arrested on 21 May 2026 by the Ontario Provincial Police. Butler faces charges in both the United States and Canada: in the US, aiding and abetting computer intrusion carries a maximum sentence of 10 years. Butler is alleged to have operated the Kimwolf botnet and to have targeted security researchers with swatting attacks.
The Kimwolf seizure and arrest are significant for two reasons. First, the ~30 Tbps flood demonstrates that consumer-grade IoT infrastructure can be weaponised to attack military-grade networks at record scale. Second, the simultaneous takedown of four distinct botnets suggests co-ordinated intelligence-sharing between the Five Eyes and Canadian law enforcement, establishing a template for rapid multi-botnet disruption operations.