Canadian national Jacob Butler, 23, was arrested Wednesday in Ottawa on charges of administering Kimwolf, one of the largest distributed denial-of-service (DDoS) botnets ever documented. The Justice Department unsealed charges Thursday showing that Butler, operating under the alias "Dort," served as a principal administrator of the botnet, which infected more than 2 million Android TV devices. He awaits extradition to the United States, where he faces charges of aiding and abetting computer intrusions, carrying a maximum sentence of 10 years in prison.
Kimwolf operated as a variant of the Aisuru botnet and functioned as a DDoS-for-hire service available to other cybercriminals. The botnet's operators exploited residential proxy networks to gain local control over infected devices, allowing the malware to spread rapidly across consumer electronics. Authorities linked Kimwolf to more than 25,000 separate DDoS attacks that caused network outages, service disruptions, and financial losses exceeding millions of dollars. Investigators also discovered evidence connecting the botnet to attacks targeting Department of Defense Information Network IP addresses.
Law enforcement identified Butler through operational security failures that revealed patterns of IP address usage across multiple accounts. A Defense Criminal Investigative Service special agent traced the same IP addresses to Butler's personal Google accounts, other accounts believed to be under his control based on matching machine cookies, and Discord accounts used to manage Kimwolf operations. While Butler attempted to mask his activities using proxy and VPN services, inconsistent use of these tools allowed investigators to establish his identity and link him directly to the botnet infrastructure.
In March, authorities conducted a globally coordinated operation that seized infrastructure powering the Kimwolf, Aisuru, JackSkid, and Mossad botnets, which collectively hijacked 3 million devices and launched over 300,000 DDoS attacks. Officials searched Butler's residence during that operation but delayed his arrest until Wednesday, approximately two months later. The criminal complaint was filed in U.S. District Court for the District of Alaska in April and remained sealed until his arrest.
Despite the March takedown, court records indicate the Kimwolf botnet has returned to operation, highlighting persistent challenges in combating IoT-based threats. Security researchers warn that hundreds of millions of insecure Internet of Things and network devices remain connected to government, corporate, and residential networks, providing ongoing targets for threat actors. Without addressing fundamental security weaknesses in these devices, experts predict continued cycles of botnet creation and takedown operations.
Source: https://cyberscoop.com/kimwolf-botnet-alleged-administrator-jacob-butler-arrested-canada/


