Cybersecurity: Threats and Defences
14 Jun, 11:51 UTC

Kimwolf botmaster held over record DDoS

Ontario Provincial Police arrested Jacob Butler, 23, alleged operator of the Kimwolf botnet behind a record 30 Tbps flood against US Department of Defense address ranges.

Key takeaway

Seizing shared infrastructure in March cut four botnets at once; Butler's arrest followed two months later.

Jacob Butler, 23, of Ottawa and known online as "Dort", was arrested on Thursday 21 May 2026 by the Ontario Provincial Police and charged in both the United States and Canada; the US count is aiding and abetting computer intrusion, carrying up to ten years. Butler is alleged to have run Kimwolf, an Internet-of-Things botnet that enslaved more than a million consumer devices (routers, cameras and similar) and registered a distributed-denial-of-service flood of roughly 30 terabits per second, claimed as a record volume.

The botnet targeted US Department of Defense address ranges, and some victims lost more than $1 million. Butler allegedly swatted the security researchers tracking him, sending armed police to their homes on false reports. The 30 Tbps figure reflects the device population more than operator skill: a million unpatched consumer devices is now enough raw bandwidth to threaten military address ranges, a supply problem no defender can patch their own way out of.

The Kimwolf infrastructure had already been seized on Thursday 19 March, alongside three competing botnets, Aisuru, JackSkid and Mossad. The arrest follows the same off-ramp logic as the E-Note exchange seizure: take down the shared infrastructure first, removing downstream attack capacity across four operators at once, then arrest the operator two months later once the evidence is consolidated. The order matters, because seizing the engine degrades dozens of attacks immediately, whereas an arrest alone leaves the botnet running.

Deep Analysis

In plain English

A botnet is a network of computers and internet-connected devices that have been secretly taken over by an attacker. The attacker uses them all at once to flood a target website or network with so much traffic that it stops working. This is called a Distributed Denial of Service attack, or DDoS. Kimwolf was an unusually large botnet: its alleged operator, 23-year-old Jacob Butler from Ottawa, Canada, is accused of enslaving over one million household devices, things like home routers and internet cameras, and directing them to generate a flood of internet traffic reaching about 30 terabits per second, which is an exceptionally large volume. The targets included US military network addresses. On 19 March 2026, US and Canadian authorities seized the Kimwolf infrastructure. On 21 May 2026, the Ontario Provincial Police arrested Butler and charged him in both the US and Canada. The US charge of aiding and abetting computer intrusion carries up to ten years in prison. The underlying problem is that most of the household devices pressed into these botnets never get security updates, so attackers can keep recruiting new devices even after one operator is arrested.

Root Causes

IoT device manufacturers shipping devices with default credentials, no automatic update mechanism, and no remote-attestation capability create a structurally renewable supply of enslaved endpoints that is independent of any individual botnet operator.

The economics are asymmetric: a 23-year-old operator in Ottawa can enslave one million devices at near-zero marginal cost because the devices are already internet-accessible and the credential scanning is automated; the cost to defenders of remediating one million individual devices is proportional to the device count and falls entirely on consumers and ISPs, not on the attacker.

The US DoD address-range targeting pattern is consistent with a DDoS-for-hire operation offering stress-testing services that implicitly or explicitly allow customers to target government infrastructure. The $1 million-plus in victim losses suggests Kimwolf operated at the commercial end of the IoT botnet market rather than as a hacktivist or state-directed actor.

The swatting of security researchers by the alleged operator is a documented counter-intelligence tactic in the cybercrime-as-a-service ecosystem, used to delay investigation and raise the personal risk for researchers who surface botnet infrastructure. The Ontario Provincial Police arrest followed a two-month gap after the March infrastructure seizure, consistent with using the seizure period to consolidate evidence that included swatting incidents as additional charges.

What could happen next?

• Precedent: The infrastructure-seizure-then-arrest sequence, used here with Kimwolf (seized March, arrested May) and previously with E-Note (seized, then operator charged), is establishing a consistent US-Canada joint enforcement template for cybercrime arrests where cross-border jurisdiction requires extended evidence consolidation.

• Risk: The Mirai-lineage structural dynamic means that the one million compromised IoT devices that formed Kimwolf's capacity remain vulnerable to re-enslavement by a new operator using the same default-credential scanning tools, unless ISPs or device manufacturers take out-of-band remediation action.

First reported in: Krebs on Security, 29 May 2026
Causes and effects

The arrest follows shared infrastructure being seized two months earlier, removing attack capacity across four botnets before any operator was charged.
Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.