Inside the Arrest of the 23‑Year‑Old Operator Behind the World’s Largest DDoS Botnet

The article details the capture of 23‑year‑old Jacob Butler, known as “Dort,” who ran the KimWolf IoT botnet that infected nearly two million devices, launched over 30,000 DDoS attacks with peaks near 30 Tbps, and examines the botnet’s tactics, the legal fallout, and defensive lessons for the IoT ecosystem.

Black & White Path

KimWolf Botnet: From Silent Growth to Industry Shock

KimWolf operated as a Cybercrime‑as‑a‑Service DDoS botnet, targeting IoT devices that are typically isolated from the Internet, such as network cameras, DVRs, digital photo frames, and Android‑based TV boxes. According to the U.S. Department of Justice, its attacks reached close to 30 Tbps, matching the record‑setting 31.4 Tbps attack by the Aisuru botnet.

Infected devices: ~2 million (KimWolf alone)

Total infected across related botnets: >3 million

Number of DDoS commands issued: >25,000

Maximum single‑attack traffic: ~30 Tbps

Weekly generated IP addresses: ~12 million

Reported victim losses: >$1 million

Operator “Dort” – Identity and Arrest

Security journalist Brian Krebs identified Jacob Butler (online alias “Dort”) in February 2026 by linking email registrations and Telegram/Discord activity to the botnet’s control accounts. Prior to his capture, Butler launched DDoS, doxing, and swatting attacks against researchers, including a swatting attempt on Synthient founder Ben Brundage.

Canadian authorities, acting on a U.S. extradition request, arrested Butler on 21 May 2026 in Ottawa. He faces three charges in Canada (unauthorized computer use, possession of devices for illegal access, and mischief to computer data) and a U.S. charge of aiding and abetting computer intrusion, carrying a potential ten‑year sentence.

Technical Dissection: How KimWolf Infected Millions of IoT Devices

Attack Vectors and Propagation

Analysis from court filings and security firms shows KimWolf leveraged vulnerabilities in residential proxy networks. By compromising proxy services, attackers injected malware into connected Android devices, enabling rapid, large‑scale infection.

IoT devices often lack regular firmware updates and ship with default weak credentials, making them ideal targets.

Command‑and‑Control and Monetization

KimWolf rented access to its botnet to other cybercriminals, who used it for targeted DDoS attacks, including assaults on U.S. Department of Defense IP ranges, prompting involvement from the Defense Criminal Investigative Service.

Domestic IoT Security Warning

Why China Is a Potential Hotspot

The Chinese market is saturated with cheap Android TV boxes, IP cameras, and smart‑home devices that commonly suffer from:

Default weak passwords (e.g., admin/admin)

Lack of firmware updates

Exposed remote‑management interfaces (Telnet/SSH, unencrypted RTSP)

Supply‑chain backdoors in pre‑installed software

These traits mirror KimWolf’s preferred targets, indicating a high risk of similar large‑scale botnets emerging locally.

Blue‑Team Defense Recommendations

Prevention

Segment IoT devices on separate VLANs to isolate them from core business networks.

Enforce change of default passwords and disable unnecessary remote services.

Include security assessments in procurement, favoring vendors that provide automatic firmware updates.

Detection

Deploy network traffic analysis tools to spot abnormal outbound DDoS patterns (e.g., SYN or UDP floods).

Monitor for high‑frequency requests from a small set of IP ranges, a hallmark of botnet IP rotation.

Integrate threat‑intel feeds to correlate known malicious C2 infrastructure.
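The three detection items above, worked through as an added example that is not part of the original article and not the code of any vendor tool. It runs offline over constructed flow records (one line per flow: epoch seconds, source IP, destination IP, protocol, destination port, TCP flag summary or "-", packet count), assumes 10.20.0.0/16 is the IoT VLAN, and uses a constructed indicator set in place of a real threat-intel feed. In production the same logic would be fed by NetFlow/IPFIX or Zeek conn.log records and a live IOC feed; the thresholds are illustrative and must be tuned to the network's baseline.

```python
import ipaddress
from collections import defaultdict

# Assumption for this example: the IoT VLAN recommended in the Prevention
# section lives in 10.20.0.0/16; anything else counts as "outside".
IOT_VLAN = ipaddress.ip_network("10.20.0.0/16")

# Constructed stand-in for a threat-intel feed of known C2 addresses.
C2_IOCS = {"198.51.100.77"}

# Constructed sample flows (documentation IP ranges only).
SAMPLE_FLOWS = "\n".join(
    # five IoT hosts send SYN-only flows to one external target (outbound SYN flood)
    [f"1700000000 10.20.1.{h} 203.0.113.9 tcp 443 S 1" for h in range(11, 16)]
    # three IoT hosts push very high UDP packet counts to one target (outbound UDP flood)
    + [f"1700000001 10.20.2.{h} 203.0.113.50 udp 53 - 40000" for h in (21, 22, 23)]
    # benign traffic: a DNS lookup and a completed HTTPS session
    + ["1700000002 10.20.3.5 8.8.8.8 udp 53 - 2",
       "1700000003 10.20.3.5 203.0.113.200 tcp 443 SAF 30"]
    # an IoT host beaconing to an address on the indicator list
    + ["1700000004 10.20.1.13 198.51.100.77 tcp 8080 SAF 12"]
    # inbound burst against a camera's web port from six hosts in a single /24
    + [f"1700000005 192.0.2.{h} 10.20.4.1 tcp 80 S 1" for h in range(10, 16) for _ in range(2)]
)


def parse_flows(text):
    """Parse the whitespace-separated flow format described in the lead-in."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, port, flags, pkts = line.split()
        flows.append({"ts": int(ts), "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "proto": proto,
                      "port": int(port), "flags": flags, "pkts": int(pkts)})
    return flows


def detect_outbound_floods(flows, min_sources=3, udp_pkt_threshold=50000):
    """Item 1: many internal hosts hitting one external target with SYN-only
    flows, or pushing an abnormal UDP packet volume, indicates the IoT VLAN
    is taking part in a DDoS rather than being its victim."""
    groups = defaultdict(list)
    for f in flows:
        if f["src"] in IOT_VLAN and f["dst"] not in IOT_VLAN:
            groups[(str(f["dst"]), f["proto"], f["port"])].append(f)
    alerts = []
    for (dst, proto, port), fs in groups.items():
        sources = {f["src"] for f in fs}
        if len(sources) < min_sources:
            continue
        if proto == "tcp" and all(f["flags"] == "S" for f in fs):
            alerts.append({"kind": "syn_flood", "target": f"{dst}:{port}", "sources": len(sources)})
        elif proto == "udp":
            total = sum(f["pkts"] for f in fs)
            if total >= udp_pkt_threshold:
                alerts.append({"kind": "udp_flood", "target": f"{dst}:{port}", "packets": total})
    return alerts


def detect_prefix_bursts(flows, prefix_len=24, threshold=10):
    """Item 2: aggregate inbound flows by source prefix so that a burst spread
    across many addresses of one small range still stands out."""
    counts = defaultdict(int)
    for f in flows:
        if f["dst"] in IOT_VLAN and f["src"] not in IOT_VLAN:
            prefix = ipaddress.ip_network(f"{f['src']}/{prefix_len}", strict=False)
            counts[(str(prefix), str(f["dst"]), f["port"])] += 1
    return [{"kind": "prefix_burst", "prefix": p, "target": f"{d}:{port}", "flows": n}
            for (p, d, port), n in counts.items() if n >= threshold]


def correlate_iocs(flows, iocs=C2_IOCS):
    """Item 3: any flow touching a listed C2 address, in either direction."""
    return [{"kind": "c2_contact", "src": str(f["src"]), "dst": str(f["dst"])}
            for f in flows if str(f["dst"]) in iocs or str(f["src"]) in iocs]


def run_detections(text=SAMPLE_FLOWS, iocs=C2_IOCS):
    flows = parse_flows(text)
    return detect_outbound_floods(flows) + detect_prefix_bursts(flows) + correlate_iocs(flows, iocs)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the sample data the run yields one alert of each kind: the SYN flood toward 203.0.113.9:443 from five hosts, the UDP flood toward 203.0.113.50:53 totalling 120000 packets, the 12-flow burst from 192.0.2.0/24 against the camera on port 80, and the beacon to the listed C2 address; the two benign flows produce nothing. The flood detector keys on the destination rather than the source because, as the statistics above show, a botnet's sources rotate constantly while the victim stays fixed.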

Response

Maintain an up‑to‑date inventory of IoT assets for rapid isolation.

Conduct regular red‑team/blue‑team exercises to validate DDoS mitigation controls.

Adopt the NIST Cybersecurity Framework to build continuous security operations capability.

Implications and Lessons

The successful prosecution underscores the power of international cooperation against cybercrime, while also exposing deep vulnerabilities in the IoT ecosystem. When a 23‑year‑old can build a botnet of millions of devices, developers, manufacturers, and users must treat security as a foundational design principle rather than an afterthought.

For the Chinese security community, KimWolf is not a distant story but a reminder that every connected device can become a ticking time bomb if left unprotected.

References

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada – Krebs on Security, May 2026.

US and Canada arrest and charge suspected Kimwolf botnet admin – BleepingComputer, May 2026.

Canadian man arrested by international authorities, charged with administrating KimWolf DDoS botnet – U.S. Department of Justice, May 2026.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Information Security, DDoS, Threat Intelligence, KimWolf, Cybercrime-as-a-Service, IoT botnet
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.
