Cybersecurity: Threats and Defences
29 May

Kimwolf botmaster held over record DDoS

3 min read
14:17 UTC

Ontario Provincial Police arrested Jacob Butler, 23, alleged operator of the Kimwolf botnet behind a record 30 Tbps flood on US Department of Defense ranges.

Technology · Developing
Key takeaway

Seizing shared infrastructure in March cut four botnets at once; Butler's arrest followed two months later.

Jacob Butler, 23, of Ottawa, known online as "Dort", was arrested on Thursday 21 May 2026 by the Ontario Provincial Police and charged in both the United States and Canada; the US count is aiding and abetting computer intrusion, which carries up to ten years [1]. Butler is alleged to have run Kimwolf, an Internet-of-Things botnet that enslaved more than a million consumer devices (home routers, IP cameras and similar) and produced a distributed-denial-of-service flood of roughly 30 terabits per second, reported as a record volume.

The botnet targeted US Department of Defense address ranges, and some victims lost more than $1 million. Butler allegedly swatted the security researchers tracking him, sending armed police to their homes on false reports. The 30 Tbps figure reflects the device population more than operator skill: spread over a million devices it is about 30 Mbps each, comfortably within a single home uplink, so a million unpatched consumer devices is now enough raw bandwidth to threaten military address ranges. That is a supply problem no target can patch its own way out of, because the vulnerable devices belong to other people.

The Kimwolf infrastructure had already been seized on Thursday 19 March, alongside that of three competing botnets: Aisuru, JackSkid and Mossad. The arrest follows the same off-ramp logic as the E-Note exchange seizure: take down the shared infrastructure first, removing downstream attack capacity across four operators at once, then arrest the operator two months later once the evidence is consolidated. The order matters, because seizing the command infrastructure stops in-flight attacks immediately, whereas an arrest alone leaves the botnet running.

Deep Analysis

In plain English

A botnet is a network of computers and internet-connected devices that have been secretly taken over by an attacker. The attacker uses them all at once to flood a target website or network with so much traffic that it stops working. This is called a Distributed Denial of Service attack, or DDoS.

Kimwolf was an unusually large botnet: its alleged operator, 23-year-old Jacob Butler from Ottawa, Canada, is accused of enslaving over one million household devices, things like home routers and internet cameras, and directing them to generate a flood of internet traffic reaching about 30 terabits per second, which is an exceptionally large volume. The targets included US military network addresses.

On 19 March 2026, US and Canadian authorities seized the Kimwolf infrastructure. On 21 May 2026, the Ontario Provincial Police arrested Butler and charged him in both the US and Canada. The US charge of aiding and abetting computer intrusion carries up to ten years in prison.

The underlying problem is that most of the household devices pressed into these botnets never get security updates, so attackers can keep recruiting new devices even after one operator is arrested.

Root Causes

IoT device manufacturers shipping devices with default credentials, no automatic update mechanism, and no remote-attestation capability create a structurally renewable supply of enslaved endpoints that is independent of any individual botnet operator.

The economics are asymmetric: a 23-year-old operator in Ottawa can enslave one million devices at near-zero marginal cost because the devices are already internet-accessible and the credential scanning is automated; the cost to defenders of remediating one million individual devices is proportional to the device count and falls entirely on consumers and ISPs, not on the attacker.

The US DoD address-range targeting pattern is consistent with a DDoS-for-hire ("stresser") operation whose customers are allowed, implicitly or explicitly, to target government infrastructure. The $1 million-plus in victim losses suggests Kimwolf operated at the commercial end of the IoT botnet market rather than as a hacktivist or state-directed actor.

Swatting security researchers is a documented counter-intelligence tactic in the cybercrime-as-a-service ecosystem, used to delay investigation and raise the personal risk for researchers who surface botnet infrastructure. The two-month gap between the March infrastructure seizure and the Ontario Provincial Police arrest is consistent with using the seizure period to consolidate evidence, possibly including the swatting incidents.

What could happen next?
  • Precedent

    The infrastructure-seizure-then-arrest sequence, used here with Kimwolf (seized March, arrested May) and previously with E-Note (seized then operator charged), is establishing a consistent US-Canada joint enforcement template for cybercrime arrests where cross-border jurisdiction requires extended evidence consolidation.

  • Risk

    The Mirai-lineage dynamic means the million or so compromised IoT devices that made up Kimwolf's capacity remain open to re-enslavement by a new operator using the same default-credential scanners, unless ISPs or device manufacturers take out-of-band remediation action: the seizure removed the controller, not the vulnerable devices.
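What that default-credential scanning looks like from the target's side, and one way an ISP or device operator could spot it in authentication logs, as an added example that is not part of the briefing and not any Kimwolf or Mirai artefact. The log format, the source addresses, the window and the threshold are assumptions; the credential pairs are a subset of the list hard-coded in the public Mirai source. A source that cycles through several distinct default pairs within a short window is a scanner; a default pair that succeeds marks a device that has probably just been recruited.

```python
"""Flag Mirai-style default-credential scanning in telnet/SSH auth logs.

Added example, not the briefing's own code. The "<iso-ts> <src> <user>
<password> <result>" line format is an assumption; the sample lines are
constructed. DEFAULT_CREDS is a subset of the pairs in the public Mirai
source code, which later IoT botnets reused.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("admin", "password"),
    ("root", "root"), ("user", "user"),
}

# Constructed sample: one scanner that lands a default pair, one legitimate
# user with a typo, and one slow source that never reaches the threshold.
SAMPLE_LOG = """\
2026-03-19T02:00:01Z 198.51.100.7 root xc3511 fail
2026-03-19T02:00:02Z 198.51.100.7 root vizxv fail
2026-03-19T02:00:02Z 198.51.100.7 admin admin fail
2026-03-19T02:00:03Z 198.51.100.7 root 888888 fail
2026-03-19T02:00:03Z 198.51.100.7 root xmhdipc fail
2026-03-19T02:00:04Z 198.51.100.7 support support ok
2026-03-19T02:00:09Z 203.0.113.5 alice hunter2 fail
2026-03-19T02:00:10Z 203.0.113.5 alice hunter2! ok
2026-03-19T02:40:00Z 198.51.100.9 root admin fail
2026-03-19T02:50:00Z 198.51.100.9 admin password fail
"""


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src, (user, pw), ok)."""
    ts, src, user, password, result = line.split(" ", 4)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, src, (user, password), result == "ok"


def detect_scanners(log_text, window=timedelta(seconds=60), min_default_pairs=3):
    """Return {src: finding} for sources that try >= min_default_pairs distinct
    default credential pairs inside any sliding window of the given length.

    'compromised' is True when one of those default pairs succeeded, i.e. a
    device behind the target answered with factory credentials.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, src, pair, ok = parse_line(line)
            by_src[src].append((when, pair, ok))

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            pairs = {e[1] for e in events[start:end + 1] if e[1] in DEFAULT_CREDS}
            best = max(best, len(pairs))
        if best >= min_default_pairs:
            findings[src] = {
                "default_pairs_in_window": best,
                "compromised": any(ok and pair in DEFAULT_CREDS for _, pair, ok in events),
            }
    return findings


if __name__ == "__main__":
    for src, finding in detect_scanners(SAMPLE_LOG).items():
        print(src, finding)
```

The window and threshold are the tuning knobs: a long window with a low threshold catches slow scanners like the third source above at the cost of more false positives from users mistyping a factory password. The `compromised` flag is the actionable part for an ISP, since a successful default login on a customer line is the point at which out-of-band remediation (a customer notice, or quarantining the line) is still cheaper than absorbing the device's share of the next flood.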

First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on

Krebs on Security· 29 May 2026
Causes and effects
The arrest follows shared infrastructure being seized two months earlier, removing attack capacity across four botnets before any operator was charged.
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.