Canadian authorities have taken a significant step in the ongoing battle against cybercrime, announcing the arrest of a 23-year-old Ottawa man suspected of building and operating “Kimwolf,” a sophisticated botnet that has compromised millions of internet-connected devices. The suspect, identified in a criminal complaint unsealed in an Alaska district court as Jacob Butler—also known by the online handle “Dort”—is currently in Canadian custody awaiting a legal hearing scheduled for May 26, 2026.
The arrest follows an extensive investigation into the Kimwolf botnet, which has been linked to record-breaking distributed denial-of-service (DDoS) attacks. According to the U.S. Department of Justice, the botnet targeted devices typically considered “firewalled” from the broader internet, including web cameras and digital photo frames. These infected systems were allegedly leveraged to launch massive traffic floods, some of which were measured at nearly 30 Terabits per second, and were reportedly rented out to other cybercriminals for illicit activities.
The Scope of the Kimwolf Infrastructure
The investigation into Kimwolf has revealed a complex web of digital infrastructure used to facilitate large-scale disruption. The botnet is alleged to have issued more than 25,000 attack commands, resulting in substantial financial losses for victims, with some cases exceeding one million dollars. The U.S. Department of Justice stated that the botnet’s operations affected internet address ranges associated with the Department of Defense, prompting an investigation by the DoD’s Defense Criminal Investigative Service with support from the FBI’s Anchorage field office.
Kimwolf was part of a broader ecosystem of competing botnets. On March 19, 2026, U.S. Authorities, working alongside international partners, executed a coordinated effort to seize the technical infrastructure belonging to Kimwolf and three other major botnets: Aisuru, JackSkid, and Mossad. This effort sought to dismantle the command-and-control networks that allowed these groups to compete for vulnerable IoT devices.
Evidence and Legal Proceedings
Law enforcement officials connected Butler to the administration of Kimwolf through a combination of IP address logs, online account information, and transaction records. A criminal complaint unsealed in the United States highlights that the defendant often failed to adequately separate his personal identity from his online activities. Following a search warrant executed at his Ottawa residence on March 19, 2026, the Ontario Provincial Police seized multiple devices, leading to the current charges against him.
Butler faces several charges in Canada, including unauthorized use of a computer, possession of a device to obtain unauthorized use of a computer system, and mischief in relation to computer data. In the United States, he is charged with one count of aiding and abetting computer intrusion. If extradited and convicted in a U.S. Court, he could face a maximum sentence of up to 10 years in prison, though sentencing guidelines often account for mitigating factors such as the defendant’s age, lack of a prior criminal record, and potential cooperation with investigators.
The Human Cost of Cyber Harassment
Beyond the technical impact of the DDoS attacks, the investigation also uncovered a pattern of intimidation directed at security researchers. Reports indicate that the defendant engaged in doxing and swatting campaigns—the act of falsely reporting an emergency to trigger a heavy police response—against those who worked to identify his real-world identity. Among those targeted was the founder of Synthient, a security startup that played a key role in identifying the vulnerabilities that allowed Kimwolf to spread.
The Justice Department has formally acknowledged the contributions of various technology companies, including Synthient, for their assistance in the investigation. Ben Brundage, the founder of Synthient, expressed relief regarding the arrest, stating, “Hopefully this will end the harassment.”
What Happens Next
The legal process for Butler is moving forward on two fronts. In Canada, he is scheduled to remain in custody until at least May 26, 2026, when he is expected to appear for a court hearing. Meanwhile, the U.S. Department of Justice continues to process the extradition request related to the charges filed in the District of Alaska. This case serves as a stark reminder of the global nature of cybercrime and the increasingly collaborative efforts of international law enforcement to track individuals who operate across borders.
As this case develops, security experts encourage users to remain vigilant by updating the firmware on IoT devices, changing default passwords, and ensuring that devices not intended for public access are properly secured behind robust firewalls. We will continue to monitor the proceedings and provide updates as they become available.
Have you encountered suspicious activity related to IoT security in your organization? Share your experiences or questions in the comments section below.