ctipilot.ch

Kimwolf / 'Dort' DDoS-for-hire operator (Jacob Butler, 23, Ottawa) arrested; AISURU variant; 30+ Tbps peak; >25,000 attack commands; DoD-range targeting

incident · item:kimwolf-dort-jacob-butler-ddos-botnet-arrest-ottawa-aisuru-variant

  • Coverage timeline: 1 (first 2026-05-23 → last 2026-05-23)
  • Briefs: 1 (1 distinct)
  • Sources cited: 5 (5 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-23 · CTI Daily Brief — 2026-05-23
    active_threats: Ontario Provincial Police arrest 2026-05-19; U.S. DoJ unsealed complaint District of Alaska 2026-05-22. Butler operated Kimwolf — variant of AISURU — infecting digital photo frames, webcams via default credentials and known CVEs. >25,000 DDoS commands, 30–31.4 Tbps peak. Coordinated C2 takedown 2026-03-19 dismantled Kimwolf alongside AISURU/JackSkid/Mossad. Also conducted DDoS+swatting against researchers including Synthient's Ben Brundage. Up to 10 years on the U.S. federal charge.

Where this entity is cited

  • active_threats: 1

Source distribution

  • justice.gov: 1 (20%)
  • krebsonsecurity.com: 1 (20%)
  • thehackernews.com: 1 (20%)
  • therecord.media: 1 (20%)
  • bleepingcomputer.com: 1 (20%)

Items in briefs about Kimwolf / 'Dort' DDoS-for-hire operator (Jacob Butler, 23, Ottawa) arrested; AISURU variant; 30+ Tbps peak; >25,000 attack commands; DoD-range targeting (1)

Kimwolf / "Dort" DDoS-for-hire operator arrested — 30+ Tbps IoT botnet, U.S. DoD-range targeting, AISURU variant

From CTI Daily Brief — 2026-05-23 · published 2026-05-23

Canadian authorities (Ontario Provincial Police) arrested Jacob Butler, 23, of Ottawa — alias Dort — earlier this week on a U.S. extradition warrant; the U.S. Department of Justice unsealed the criminal complaint in the District of Alaska on Thursday 2026-05-21 (U.S. Department of Justice, 2026-05-21 · KrebsOnSecurity, 2026-05-22 · The Record, 2026-05-22). Butler is alleged to have developed and operated Kimwolf, a DDoS-for-hire botnet assessed as a variant of AISURU. Kimwolf infected primarily consumer IoT — digital photo frames, webcams and other internet-exposed devices — via default credentials and known public CVEs, issued more than 25,000 DDoS attack commands, and peaked at nearly 30 Tbps per the DOJ and KrebsOnSecurity (The Hacker News reports the peak as 31.4 Tbps — the discrepancy is between the DOJ-cited figure used in the unsealed complaint and a secondary number cited by THN; treat the DOJ number as the reference for capacity-planning purposes). Targets included U.S. Department of Defense IP ranges and at least one victim with confirmed losses exceeding $1 million per incident. Kimwolf C2 infrastructure was seized 2026-03-19 in a coordinated multi-jurisdiction action alongside three sibling botnets — AISURU, JackSkid and Mossad — collectively infecting >3 million devices.

The complaint also documents that Butler conducted DDoS, doxing and swatting attacks against researchers who investigated him, including Synthient's Ben Brundage who had helped identify a Kimwolf-exploited vulnerability. Defender takeaway for Swiss and EU operators: the 30 Tbps capability is now demonstrably in range of a single operator's commercial service, and DDoS-for-hire infrastructure reorganises within weeks of takedowns. Re-baseline ISP scrubbing SLAs against a 10–30 Tbps reference, audit citizen-facing portals' application-layer rate limits, and segment consumer-grade IoT (frames, cameras, NVRs) off any path that touches critical infrastructure or admin networks.

Why it matters to us: Kimwolf belongs to the IoT-amplification class of botnets that target Swiss/EU public-sector portals; the arrest is an opportunity to re-test scrubbing capacity and IoT segmentation, not to assume the supply has shrunk.