Cybersecurity: Threats and Defences
7 Jun

Kimwolf botmaster held over record DDoS

10:08 UTC

Ontario Provincial Police arrested Jacob Butler, 23, alleged operator of the Kimwolf botnet behind a record 30 Tbps flood on US Department of Defense ranges.

Technology · Developing
Key takeaway

Seizing shared infrastructure in March cut four botnets at once; Butler's arrest followed two months later.

Jacob Butler, 23, of Ottawa and known online as "Dort", was arrested on Thursday 21 May 2026 by the Ontario Provincial Police and charged in both the United States and Canada; the US count is aiding and abetting computer intrusion, carrying up to ten years [1]. Butler is alleged to have run Kimwolf, an Internet-of-Things botnet that enslaved more than a million consumer devices (routers, cameras and similar) and registered a distributed-denial-of-service flood of roughly 30 terabits per second, claimed as a record volume.

The botnet targeted US Department of Defense address ranges, and some victims lost more than $1 million. Butler allegedly swatted the security researchers tracking him, sending armed police to their homes on false reports. The 30 Tbps figure reflects the device population more than operator skill: a million unpatched consumer devices is now enough raw bandwidth to threaten military address ranges, a supply problem that no defender can patch their way out of.

The Kimwolf infrastructure had already been seized on Thursday 19 March, alongside three competing botnets: Aisuru, JackSkid and Mossad. The arrest follows the same off-ramp logic as the E-Note exchange seizure: take down the shared infrastructure first, removing downstream attack capacity across four operators at once, then arrest the operator two months later once the evidence is consolidated. The order matters, because seizing the engine degrades dozens of attacks immediately, whereas an arrest alone leaves the botnet running.

Deep Analysis

In plain English

A botnet is a network of computers and internet-connected devices that have been secretly taken over by an attacker. The attacker uses them all at once to flood a target website or network with so much traffic that it stops working. This is called a Distributed Denial of Service attack, or DDoS. Kimwolf was an unusually large botnet: its alleged operator, 23-year-old Jacob Butler from Ottawa, Canada, is accused of enslaving over one million household devices, things like home routers and internet cameras, and directing them to generate a flood of internet traffic reaching about 30 terabits per second, which is an exceptionally large volume. The targets included US military network addresses. On 19 March 2026, US and Canadian authorities seized the Kimwolf infrastructure. On 21 May 2026, the Ontario Provincial Police arrested Butler and charged him in both the US and Canada. The US charge of aiding and abetting computer intrusion carries up to ten years in prison. The underlying problem is that most of the household devices pressed into these botnets never get security updates, so attackers can keep recruiting new devices even after one operator is arrested.

Root Causes

IoT device manufacturers shipping devices with default credentials, no automatic update mechanism, and no remote-attestation capability create a structurally renewable supply of enslaved endpoints that is independent of any individual botnet operator.

The economics are asymmetric: a 23-year-old operator in Ottawa can enslave one million devices at near-zero marginal cost because the devices are already internet-accessible and the credential scanning is automated; the cost to defenders of remediating one million individual devices is proportional to the device count and falls entirely on consumers and ISPs, not on the attacker.

The US DoD address-range targeting pattern is consistent with a DDoS-for-hire operation offering stress-testing services that implicitly or explicitly allow customers to target government infrastructure. The $1 million-plus in victim losses suggests Kimwolf operated at the commercial end of the IoT botnet market rather than as a hacktivist or state-directed actor.

The swatting of security researchers by the alleged operator is a documented counter-intelligence tactic in the cybercrime-as-a-service ecosystem, used to delay investigation and raise the personal risk for researchers who surface botnet infrastructure. The Ontario Provincial Police arrest followed a two-month gap after the March infrastructure seizure, consistent with using the seizure period to consolidate evidence that included swatting incidents as additional charges.

What could happen next?
• Precedent: The infrastructure-seizure-then-arrest sequence, used here with Kimwolf (seized March, arrested May) and previously with E-Note (seized, then operator charged), is establishing a consistent US-Canada joint enforcement template for cybercrime arrests where cross-border jurisdiction requires extended evidence consolidation.

• Risk: The Mirai-lineage structural dynamic means that the one million compromised IoT devices that formed Kimwolf's capacity remain vulnerable to re-enslavement by a new operator using the same default-credential scanning tools, unless ISPs or device manufacturers take out-of-band remediation action.

First Reported In

Update #5 · GitHub's own code cloned via VS Code add-on
Krebs on Security · 29 May 2026