What is known#
Canadian authorities arrested a 23-year-old Ottawa man this week on suspicion of building and operating Kimwolf, an Internet-of-Things botnet accused of enslaving millions of devices and using them in large distributed denial-of-service attacks.
KrebsOnSecurity reports that the suspect, identified by authorities as Butler and by the alleged online handle “Dort,” now faces criminal hacking charges in both Canada and the United States. A criminal complaint was unsealed in an Alaska district court after the arrest in Canada by the Ontario Provincial Police, pursuant to a U.S. request.
According to the U.S. Justice Department statement cited by KrebsOnSecurity, Kimwolf infected devices such as digital photo frames and web cameras. The government says the botnet was rented to other cybercriminals and used in DDoS attacks, including attacks that affected Internet address ranges associated with the U.S. Department of Defense.
The Justice Department alleges that Kimwolf was tied to DDoS attacks measured at nearly 30 terabits per second. It also says some victims suffered financial losses exceeding one million dollars, and that the botnet issued more than 25,000 attack commands.
Those are government allegations at this stage. The case still has to move through court.
Why this case matters#
The important part is not only the arrest. It is the device class.
Kimwolf is alleged to have targeted ordinary networked hardware that many users do not treat like computers: cameras, frames, and other small connected devices. These systems are often bought once, configured once, and then forgotten. They may sit behind routers, expose services by mistake, run old firmware, or receive no meaningful security updates.
That makes them useful botnet material.
A compromised laptop is visible to its owner. It slows down. It throws errors. It breaks work. A compromised camera may keep doing its normal job while also joining attack traffic. The owner may never know.
That is why IoT botnets scale. They do not need every infected device to be powerful. They need many weak devices, spread across many networks, controlled at the same time.
The alleged Kimwolf activity also shows the business layer around DDoS infrastructure. The complaint and DOJ statement describe a botnet that was not only used by its operator, but also rented or made available for attacks by others. In practice, that turns insecure consumer and small-office hardware into a shared attack platform.
The enforcement timeline#
KrebsOnSecurity says it publicly identified the alleged operator in February 2026 after a campaign of DDoS, doxing, and swatting threats against the site’s author and a security researcher.
On March 19, U.S. authorities joined international law enforcement partners in seizing technical infrastructure for Kimwolf and three other large DDoS botnets. The source reports that these botnets were competing for the same pool of vulnerable devices.
The Ontario Provincial Police also said a search warrant was executed on March 19 at Butler’s Ottawa address, where multiple devices were seized. The arrest came this week. In Canada, Butler was charged with unauthorized use of a computer, possession of a device to obtain unauthorized use of a computer system or to commit mischief, and mischief in relation to computer data.
He was reported to be in Canadian custody pending a hearing scheduled for May 26.
In the United States, the complaint charges one count of aiding and abetting computer intrusion. KrebsOnSecurity notes that if Butler is extradited, tried, and convicted in a U.S. court, the charge could carry up to 10 years in prison. The article also correctly notes that statutory maximums are not predictions. Sentencing can be affected by guidelines and mitigating factors, including age, criminal history, and cooperation.
How investigators say they connected the accounts#
The criminal complaint, as summarized by KrebsOnSecurity, says investigators connected Butler to Kimwolf administration through IP address data, online account information, transaction records, and online messaging application records obtained through legal process.
KrebsOnSecurity also says the suspect did little to separate real-world and online identities, and that its February reporting linked the alleged operator through email addresses, cybercrime forum registrations, and public Telegram and Discord posts.
That is a common failure pattern in cybercrime cases. Operators may hide parts of their infrastructure but leave identity residue across accounts, payment trails, IP logs, social handles, or support conversations. A botnet can look technically distributed while the operator’s identity remains operationally concentrated.
The complaint’s claims still require proof. But the alleged evidence mix is not exotic. It is the normal seam between online action and offline identity.
The harassment and swatting allegation#
This case also includes a more dangerous non-technical layer.
KrebsOnSecurity reports that Dort continued to threaten and harass researchers who helped identify him and slow the spread of the botnet. The source says Dort claimed responsibility for at least two swatting attacks targeting Ben Brundage, founder of Synthient, a security startup that helped secure a critical weakness Kimwolf was using to spread.
Swatting is not a prank. It is an attempt to send armed police to a target’s home or workplace under false pretenses. It can kill people.
The article says the criminal complaint includes an excerpt detailing how Butler allegedly ordered a swatting attack against Brundage. Synthient was among the companies thanked by the Justice Department, and Brundage told KrebsOnSecurity that he was relieved Butler was in custody.
Those details matter because modern botnet cases are often not cleanly separated into “technical” and “personal” harm. The same ecosystem that runs DDoS attacks can also dox, threaten, extort, and intimidate people who interfere with the operation.
What not to overclaim#
There are several points to keep clean.
First, Butler is alleged to be the operator. Arrest, complaint, and charge are not conviction.
Second, the public reporting does not establish that every attack attributed to Kimwolf was personally initiated by the alleged operator. The government says the botnet was rented or used by other cybercriminals. That matters when assigning responsibility for individual attacks.
Third, large DDoS numbers can be real and still need careful interpretation. “Nearly 30 Tbps” describes attack volume as cited by DOJ. It does not, by itself, explain duration, mitigation impact, victim profile, or how much traffic reached final targets.
Fourth, the maximum U.S. prison exposure is not the likely sentence. It is the ceiling for the charged count under the described scenario of extradition, trial, and conviction.
What defenders can check now#
For ordinary users and small operators, the lesson is simple: treat connected devices as part of the attack surface.
Check devices that are easy to forget:
- IP cameras
- DVRs and NVRs
- digital photo frames
- home automation hubs
- old routers and Wi-Fi extenders
- printers and storage boxes
Replace default passwords. Remove port forwards that are no longer needed. Disable remote administration unless there is a clear reason for it. Update firmware where updates exist. If a device no longer receives updates and is reachable from the internet, retire it or isolate it.
For network operators, watch for outbound traffic patterns from embedded devices that should not be generating high-volume or unusual external connections. Inventory matters. If you do not know which devices are on the network, you cannot know which ones are being abused.
The Kimwolf case is a reminder that botnets do not need advanced endpoints. They need neglected ones. The weak device on a quiet network can become someone else’s weapon.