Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
8MAY

Kimwolf botmaster held over record DDoS

3 min read
10:57UTC

Ontario Provincial Police arrested Jacob Butler, 23, alleged operator of the Kimwolf botnet behind a record 30 Tbps flood on US Department of Defense ranges.

TechnologyDeveloping
Key takeaway

Seizing shared infrastructure in March cut four botnets at once; Butler's arrest followed two months later.

Jacob Butler, 23, of Ottawa and known online as "Dort", was arrested on Thursday 21 May 2026 by the Ontario Provincial Police and charged in both the United States and Canada; the US count is aiding and abetting computer intrusion, carrying up to ten years 1. Butler is alleged to have run Kimwolf, an Internet-of-Things botnet that enslaved more than a million consumer devices, routers, cameras and similar, and registered a distributed-denial-of-service flood of roughly 30 terabits per second, claimed as a record volume.

The botnet targeted US Department of Defense address ranges, and some victims lost more than $1 million. Butler allegedly swatted the security researchers tracking him, sending armed police to their homes on false reports. The 30 Tbps figure reflects the device population more than operator skill: a million unpatched consumer devices is now enough raw bandwidth to threaten military address ranges, a supply problem no defender can patch their own way out of.

The Kimwolf infrastructure had already been seized on Thursday 19 March, alongside three competing botnets, Aisuru, JackSkid and Mossad. The arrest follows the same off-ramp logic as the E-Note exchange seizure : take down the shared infrastructure first, removing downstream attack capacity across four operators at once, then arrest the operator two months later once the evidence is consolidated. The order matters, because seizing the engine degrades dozens of attacks immediately, where an arrest alone leaves the botnet running.

Deep Analysis

In plain English

A botnet is a network of computers and internet-connected devices that have been secretly taken over by an attacker. The attacker uses them all at once to flood a target website or network with so much traffic that it stops working. This is called a Distributed Denial of Service attack, or DDoS. Kimwolf was an unusually large botnet: its alleged operator, 23-year-old Jacob Butler from Ottawa, Canada, is accused of enslaving over one million household devices, things like home routers and internet cameras, and directing them to generate a flood of internet traffic reaching about 30 terabits per second, which is an exceptionally large volume. The targets included US military network addresses. On 19 March 2026, US and Canadian authorities seized the Kimwolf infrastructure. On 21 May 2026, the Ontario Provincial Police arrested Butler and charged him in both the US and Canada. The US charge of aiding and abetting computer intrusion carries up to ten years in prison. The underlying problem is that most of the household devices pressed into these botnets never get security updates, so attackers can keep recruiting new devices even after one operator is arrested.

Deep Analysis
Root Causes

IoT device manufacturers shipping devices with default credentials, no automatic update mechanism, and no remote-attestation capability create a structurally renewable supply of enslaved endpoints that is independent of any individual botnet operator.

The economics are asymmetric: a 23-year-old operator in Ottawa can enslave one million devices at near-zero marginal cost because the devices are already internet-accessible and the credential scanning is automated; the cost to defenders of remediating one million individual devices is proportional to the device count and falls entirely on consumers and ISPs, not on the attacker.

The US DoD address-range targeting pattern is consistent with a DDoS-for-hire operation offering stress-testing services that implicitly or explicitly allow customers to target government infrastructure. The $1 million-plus in victim losses suggests Kimwolf operated at the commercial end of the IoT botnet market rather than as a hacktivist or state-directed actor.

The swatting of security researchers by the alleged operator is a documented counter-intelligence tactic in the cybercrime-as-a-service ecosystem, used to delay investigation and raise the personal risk for researchers who surface botnet infrastructure. The Ontario Provincial Police arrest followed a two-month gap after the March infrastructure seizure, consistent with using the seizure period to consolidate evidence that included swatting incidents as additional charges.

What could happen next?
  • Precedent

    The infrastructure-seizure-then-arrest sequence, used here with Kimwolf (seized March, arrested May) and previously with E-Note (seized then operator charged), is establishing a consistent US-Canada joint enforcement template for cybercrime arrests where cross-border jurisdiction requires extended evidence consolidation.

  • Risk

    The Mirai-lineage structural dynamic means that the one million compromised IoT devices that formed Kimwolf's capacity remain vulnerable to re-enslavement by a new operator using the same default-credential scanning tools, unless ISPs or device manufacturers take out-of-band remediation action.

First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

Krebs on Security· 29 May 2026
Read original
Causes and effects
This Event
Kimwolf botmaster held over record DDoS
The arrest follows shared infrastructure being seized two months earlier, removing attack capacity across four botnets before any operator was charged.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.