The 23-Year-Old Behind the Largest DDoS Botnet in History Just Got Arrested — 2 Million Devices, 30 Tbps Attacks
KimWolf Botnet Operator ‘Dort’ Arrested in Ottawa
Canadian and U.S. authorities have arrested Jacob Butler, a 23-year-old Ottawa man known online as “Dort,” on suspicion of building and operating KimWolf — a massive Internet-of-Things botnet that enslaved nearly 2 million devices worldwide and launched some of the largest distributed denial-of-service attacks ever recorded. Butler was arrested in Ottawa on Wednesday pursuant to an extradition warrant and now faces criminal hacking charges in both Canada and the United States.
This arrest marks the takedown of what cybersecurity experts are calling the most prolific DDoS botnet of 2026. The KimWolf botnet was not just large — it was weaponized at a scale that set new records for attack volume, hitting targets with DDoS floods measured at nearly 30 terabits per second. To put that number in perspective, most enterprise DDoS mitigation services are designed to handle attacks in the low single-digit terabits range. A 30 Tbps attack is the kind of traffic that can overwhelm even the most robust internet infrastructure.
2 Million Devices and 30 Tbps DDoS Attacks: KimWolf’s Scale
The numbers behind KimWolf are staggering. According to Brian Krebs’ reporting, the botnet infected nearly 2 million devices worldwide over the course of approximately six months. These were not servers or desktop computers — they were IoT devices: digital photo frames, web cameras, smart home gadgets, and other internet-connected devices that most users never think to secure.
The resulting DDoS attacks were measured at nearly 30 Tbps — a new record for DDoS attack volume. Previous record-holding attacks, including those attributed to Mirai variants and other IoT botnets, peaked in the range of 5 to 15 Tbps. KimWolf effectively doubled the upper bound of what was considered possible for botnet-driven DDoS.
The attack volume is especially remarkable because it was generated entirely by compromised consumer IoT devices. Each individual device contributes a relatively small amount of bandwidth, but when you aggregate 2 million of them, the combined traffic is enough to saturate the upstream links of major internet service providers and content delivery networks.
How KimWolf Enslaved IoT Devices That Nobody Thinks to Protect
KimWolf specifically targeted a category of IoT devices that are typically protected from direct internet exposure — but only in theory. Digital photo frames, web cameras, baby monitors, and similar consumer gadgets are often placed behind home routers but remain accessible through UPnP port forwarding, default credentials, or vulnerabilities in the devices’ firmware.
The botnet’s infection mechanism exploited a combination of known vulnerabilities in popular IoT device firmware and the universal problem of default passwords. Most consumers never change the default credentials on their web cameras or photo frames, and many IoT manufacturers ship devices with identical credentials across entire product lines. KimWolf’s scanning infrastructure could identify and compromise vulnerable devices within minutes of them being connected to the internet.
Once compromised, each device ran a lightweight malware agent that connected back to KimWolf’s command-and-control infrastructure. The malware was designed to be stealthy — it consumed minimal CPU and bandwidth during idle periods, making it virtually invisible to the device owner. Most victims had no idea their digital photo frame was participating in record-breaking cyberattacks against military and commercial targets.
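For defenders, the exposure described above (a device behind a home router that is still reachable through a UPnP port mapping while running factory credentials) can be checked on one's own network. The following is an added example, not code from the original reporting: the mapping entries are constructed and use the field names of a UPnP IGD port-mapping entry, and the inventory structure and its field names are assumptions made for illustration.

```python
from ipaddress import ip_address

# Constructed sample: entries shaped like UPnP IGD port-mapping results.
MAPPINGS = [
    {"NewExternalPort": 8080, "NewInternalClient": "192.168.1.23",
     "NewProtocol": "TCP", "NewEnabled": 1, "NewLeaseDuration": 0},
    {"NewExternalPort": 51820, "NewInternalClient": "192.168.1.10",
     "NewProtocol": "UDP", "NewEnabled": 1, "NewLeaseDuration": 3600},
    {"NewExternalPort": 5555, "NewInternalClient": "192.168.1.40",
     "NewProtocol": "TCP", "NewEnabled": 0, "NewLeaseDuration": 0},
]

# Constructed sample: hypothetical inventory kept by the network owner.
INVENTORY = {
    "192.168.1.23": {"kind": "web camera", "default_creds": True, "auto_update": False},
    "192.168.1.10": {"kind": "home server", "default_creds": False, "auto_update": True},
    "192.168.1.40": {"kind": "photo frame", "default_creds": True, "auto_update": False},
}

def audit(mappings, inventory):
    """Return one finding per inventoried device, highest risk first."""
    exposed = {}
    for m in mappings:
        if not m["NewEnabled"]:
            continue  # a disabled mapping forwards no traffic
        ip = str(ip_address(m["NewInternalClient"]))  # raises on malformed input
        # Lease 0 is a static (non-expiring) mapping in UPnP IGD v1.
        exposed.setdefault(ip, []).append(
            (m["NewProtocol"], m["NewExternalPort"], m["NewLeaseDuration"] == 0))
    findings = []
    for ip, dev in inventory.items():
        ports, reasons = exposed.get(ip, []), []
        if ports:
            reasons.append("reachable from the internet via UPnP mapping")
        if any(static for _, _, static in ports):
            reasons.append("mapping never expires (lease 0)")
        if dev["default_creds"]:
            reasons.append("factory default credentials")
        if not dev["auto_update"]:
            reasons.append("no automatic firmware updates")
        # Exposure plus default credentials is the combination the article describes.
        critical = bool(ports) and dev["default_creds"]
        findings.append({"ip": ip, "kind": dev["kind"], "critical": critical,
                         "score": len(reasons) + (10 if critical else 0),
                         "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)

if __name__ == "__main__":
    print(*audit(MAPPINGS, INVENTORY), sep="\n")
```

The photo frame ranks above the home server even though only the server is currently forwarded: its mapping is disabled, but it would be exposed with default credentials the moment the mapping is re-enabled.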
DDoS-for-Hire: KimWolf’s Cybercrime-as-a-Service Business Model
KimWolf was not just a botnet — it was a business. Butler allegedly operated KimWolf as a DDoS-for-hire service, also known as a “booter” or “stresser” service. Customers could rent access to the botnet’s firepower, directing DDoS attacks against targets of their choosing for a fee.
According to The Hacker News, the cybercrime-as-a-service model gave customers access to infected systems that could be used for DDoS attacks against targets worldwide. The service reportedly offered different tiers of attack power and duration, with prices ranging from a few dollars for short, low-intensity attacks to significant sums for sustained, high-volume assaults.
This business model is what makes modern botnets so dangerous. The operator does not need to have a personal vendetta against every target — they just need customers willing to pay. The motivation for attacks can range from business competition (hiring a DDoS attack against a competitor) to extortion (threatening to take down a website unless payment is made) to simple vandalism. By commoditizing DDoS capability, services like KimWolf democratize cyberattack capacity and make it available to anyone with a credit card or cryptocurrency wallet.
KimWolf Attacked U.S. Department of Defense Network Addresses
In what may be the most consequential detail of the case, KimWolf’s DDoS attacks reportedly targeted IP addresses belonging to the Department of Defense Information Network (DoDIN). Attacking U.S. military network infrastructure is an extraordinarily serious offense that elevates this case well beyond typical cybercrime.
The targeting of DoDIN addresses raises questions about who KimWolf’s customers were and what their motivations might have been. While some DDoS-for-hire services explicitly prohibit attacks against government and military targets, others either do not enforce such restrictions or do not care. The fact that KimWolf facilitated attacks against Pentagon network infrastructure suggests either a lack of operational controls or a deliberate willingness to accept high-risk clients.
For Butler, the DoDIN targeting could significantly increase the severity of the charges and potential sentence. Attacking military networks is treated differently from attacking commercial websites, and prosecutors are likely to use this detail to argue for the maximum possible penalties.
Criminal Charges: Butler Faces Up to 10 Years in U.S. Prison
Butler has been charged with one count of aiding and abetting computer intrusion in the United States, which carries a maximum sentence of 10 years in prison. He also faces criminal hacking charges in Canada. The arrest was the result of a joint investigation involving U.S. and Canadian law enforcement agencies working together to identify and apprehend the botnet operator.
The extradition process adds another layer of complexity to the case. Butler was arrested pursuant to an extradition warrant, indicating that U.S. authorities are seeking to try him in American courts where the federal computer fraud charges carry stiffer penalties. Canada and the U.S. have a well-established extradition treaty for cybercrime cases, and recent precedents suggest that the extradition will proceed relatively smoothly.
At 23, Butler joins a growing list of young cybercriminals who built sophisticated attack infrastructure from their homes. The age and location of KimWolf’s operator are a reminder that critical cybersecurity threats do not always come from large criminal organizations or nation-states — sometimes they come from a single individual in their twenties with advanced technical skills and poor judgment.
The IoT Botnet Threat Is Getting Worse in 2026
The arrest of KimWolf’s operator does not solve the underlying problem. The number of IoT devices connected to the internet continues to grow exponentially, and the vast majority of them remain poorly secured. Estimates suggest there are now over 30 billion IoT devices connected to the internet globally, and the majority ship with default credentials, lack automatic update mechanisms, and run firmware with known vulnerabilities.
The KimWolf botnet infected 2 million of those devices. The next botnet could infect 20 million. The attack surface is growing faster than the industry’s ability to secure it, and legislative efforts to mandate IoT security standards have been slow and inconsistent across jurisdictions.
Until IoT manufacturers take security seriously — shipping devices with unique credentials, supporting automatic firmware updates, and implementing proper network segmentation by default — botnets like KimWolf will continue to emerge. The arrest of one operator is a win for law enforcement, but it is a band-aid on a systemic problem that requires an industry-wide response.
What This Arrest Means for the Future of Cybercrime
Butler’s arrest sends a clear message to DDoS-for-hire operators: law enforcement is watching, and international cooperation between agencies is more effective than ever. The joint U.S.-Canadian operation demonstrates that cybercriminals can no longer assume that operating from a different country provides effective protection from prosecution.
But the message only works if it is reinforced with meaningful consequences. Previous botnet operators have received sentences ranging from probation to several years in prison, and the deterrent effect depends on the severity of the punishment. With the targeting of military infrastructure in the mix, prosecutors have the ammunition to push for a strong sentence that could serve as a genuine deterrent.
For cybersecurity professionals, the KimWolf case is a case study in the evolving threat landscape. DDoS attacks are not going away — they are getting bigger, cheaper, and more accessible through as-a-service models. The 30 Tbps ceiling set by KimWolf will eventually be broken by the next botnet. The question is not whether it will happen, but whether our defenses will be ready when it does.