Kimwolf Botmaster 'Dort' Linked to Cybercrime Activities
Summary
Jacob Butler, a 23-year-old Canadian residing in Ottawa, has been arrested for operating the Kimwolf DDoS botnet, a variant of the Aisuru botnet. Butler, known online as 'Dort,' faces a charge of aiding and abetting computer intrusion in the US, with potential penalties of up to 10 years in prison if convicted. The botnet enslaved approximately 2 million devices, primarily Android-based and traditionally 'firewalled' consumer hardware like digital photo frames and web cameras, and operated as an Android-focused successor to the Aisuru botnet. Kimwolf propagated via residential proxy networks to expand its reach and was used in cybercrime-as-a-service operations, selling access for DDoS attacks—including against Department of Defense IP addresses—peaking at 31.4 Tbps. The Kimwolf botnet emerged from a vulnerability disclosed in January 2026 and became the world’s largest and most disruptive botnet. Butler has been linked to cybercrime activities dating back to at least 2017, including DDoS attacks, doxing, email flooding, and ties to the LAPSUS$ group. Investigations revealed his involvement in Minecraft cheating software, CAPTCHA bypass tools, and temporary email services. On March 11, 2026, authorities disrupted Kimwolf and Aisuru as part of a coordinated operation in Canada and Germany, though no arrests were disclosed at the time. The US Justice Department later announced Butler’s arrest in Ottawa and unsealed seizure warrants for 45 DDoS-for-hire platforms, including one collaborating with Kimwolf.
Timeline
- 28.02.2026 14:01 · 3 articles
Kimwolf Botmaster 'Dort' Linked to Cybercrime Activities
In January 2026, a security researcher disclosed a vulnerability that was used to build the Kimwolf botnet. The botmaster, known as 'Dort,' has been linked to various cybercrime activities, including DDoS attacks, doxing, and email flooding. Dort has also been connected to the cybercrime group LAPSUS$ and has used multiple aliases such as 'CPacket' and 'M1ce.' The investigation reveals Dort's involvement in Minecraft cheating software and the development of tools for bypassing CAPTCHA services and creating temporary email addresses. Dort's real identity is suspected to be Jacob Butler, a resident of Ottawa, Canada. On March 11, 2026, authorities disrupted the Kimwolf botnet as part of a coordinated operation targeting botnet administrators and infrastructure in Canada and Germany; no arrests were disclosed at the time. Kimwolf, identified as an Android-focused successor to the Aisuru botnet, enslaved approximately 2 million devices, primarily leveraging residential proxy networks to expand its reach. Kimwolf targeted traditionally 'firewalled' devices such as digital photo frames and web cameras, enslaving them for DDoS attacks. The botnet operated using a 'cybercrime-as-a-service' model, selling access to infected devices to other cybercriminals for DDoS attacks targeting global systems, including Department of Defense Information Network (DoDIN) IP addresses, with peak traffic reaching 31.4 Tbps. On May 22, 2026, U.S. authorities arrested Jacob Butler, also known as Dort, in Ottawa, Canada, for operating the Kimwolf DDoS botnet. The arrest followed a U.S. extradition request. Court documents linked Butler to the administration of Kimwolf via IP address, online account information, transaction records, and Discord message records. Seizure warrants were unsealed for 45 DDoS-for-hire platforms, including one collaborating with Kimwolf. Butler faces a charge of aiding and abetting computer intrusion, with a potential sentence of up to 10 years in prison if convicted.
Sources:
- Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01
- Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
- Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
Information Snippets
- Dort, the Kimwolf botmaster, has been active since at least 2017 under various aliases.
  First reported: 28.02.2026 14:01 · 3 sources, 3 articles
  - Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Dort used the email address [email protected] to create accounts on multiple cybercrime forums.
  First reported: 28.02.2026 14:01 · 2 sources, 2 articles
  - Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
- Dort was involved with the cybercrime group LAPSUS$ in 2022, offering services for temporary email addresses and CAPTCHA bypass tools.
  First reported: 28.02.2026 14:01 · 2 sources, 2 articles
  - Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
- Dort's real identity is suspected to be Jacob Butler, based on email addresses and domain registrations.
  First reported: 28.02.2026 14:01 · 3 sources, 3 articles
  - Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Dort has targeted security researchers and journalists with DDoS attacks, doxing, and swatting.
  First reported: 28.02.2026 14:01 · 2 sources, 2 articles
  - Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
- Jacob Butler, also known as Dort, has been arrested by U.S. authorities in Ottawa, Canada, for operating the Kimwolf DDoS botnet.
  First reported: 22.05.2026 11:50 · 2 sources, 2 articles
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Kimwolf is identified as a variant of the AISURU botnet, with over 25,000 attack commands issued prior to a law enforcement takedown two months prior.
  First reported: 22.05.2026 11:50 · 2 sources, 2 articles
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Kimwolf targeted traditionally 'firewalled' devices such as digital photo frames and web cameras, enslaving them for DDoS attacks.
  First reported: 22.05.2026 11:50 · 2 sources, 2 articles
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Kimwolf operated using a 'cybercrime-as-a-service' model, selling access to infected devices to other cybercriminals for DDoS attacks.
  First reported: 22.05.2026 11:50 · 2 sources, 2 articles
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- The attacks targeted global systems, including Department of Defense Information Network (DoDIN) IP addresses, with peak traffic reaching 31.4 Tbps.
  First reported: 22.05.2026 11:50 · 2 sources, 2 articles
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Court documents link Butler to the administration of Kimwolf via IP address, online account information, and Discord message records.
  First reported: 22.05.2026 11:50 · 1 source, 1 article
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
- Seizure warrants were unsealed for 45 DDoS-for-hire platforms, including one collaborating with Kimwolf.
  First reported: 22.05.2026 11:50 · 2 sources, 2 articles
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Butler faces a charge of aiding and abetting computer intrusion, with a potential sentence of up to 10 years in prison if convicted.
  First reported: 22.05.2026 11:50 · 2 sources, 2 articles
  - Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks — thehackernews.com — 22.05.2026 11:50
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Jacob Butler, the operator of the Kimwolf botnet, is 23 years old and resides in Ottawa, Canada.
  First reported: 22.05.2026 15:11 · 1 source, 1 article
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- The US is seeking Jacob Butler's extradition from Canada following his arrest for operating the Kimwolf DDoS botnet.
  First reported: 22.05.2026 15:11 · 1 source, 1 article
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Kimwolf operated as an Android-focused successor to the Aisuru botnet, which was also disrupted in March 2026.
  First reported: 22.05.2026 15:11 · 1 source, 1 article
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- Kimwolf ensnared approximately 2 million devices, primarily leveraging residential proxy networks to expand its reach.
  First reported: 22.05.2026 15:11 · 1 source, 1 article
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
- The disruption of Kimwolf and Aisuru was part of a broader operation in March 2026 that targeted botnet administrators and infrastructure in Canada and Germany, though no arrests were initially disclosed.
  First reported: 22.05.2026 15:11 · 1 source, 1 article
  - Canadian Man Arrested for Operating Kimwolf Botnet — www.securityweek.com — 22.05.2026 15:11
Similar Happenings
Disruption of 53 DDoS-for-hire domains in global law enforcement operation
Law enforcement agencies from 21 countries executed Operation PowerOff, a coordinated takedown of 53 domains linked to DDoS-for-hire services. Four individuals were arrested, 25 search warrants executed, and over 3 million criminal user accounts exposed. Infrastructure was seized to disrupt ongoing attacks, and 75,000 warning communications were sent to identified service users. The operation expanded into a prevention phase targeting remaining online resources, including the removal of over 100 URLs from search engines and warnings placed on cryptocurrency and blockchain platforms used by cybercriminals. Europol described DDoS-for-hire services as one of the most accessible cybercrime trends, enabling low-skilled attackers to execute disruptive attacks.
APT28 DNS hijacking campaigns via compromised SOHO routers observed in 2025–2026 targeting credential theft
APT28 (GRU GTsSS Military Unit 26165) has conducted opportunistic DNS hijacking campaigns since at least August 2025 by compromising small office/home office (SOHO) routers—primarily TP-Link models such as WR841N—to redirect victim traffic through attacker-controlled DNS servers and steal credentials. The campaign peaked in December 2025, compromising over 18,000 networks, including 200 organizations and 5,000 consumer devices, and specifically targeted government agencies such as ministries of foreign affairs, law enforcement, and third-party email providers. TP-Link routers were likely exploited via CVE-2023-50224 to retrieve credentials, which were used in adversary-in-the-middle attacks against browser sessions and desktop applications to harvest credentials for web and email services. APT28 operates a persistent infrastructure of VPSs repurposed as malicious DNS servers, receiving DNS requests from exploited routers and enabling opportunistic triage to identify high-value targets. Microsoft reported this is the first time APT28 has used DNS hijacking at scale to support post-compromise adversary-in-the-middle (AiTM) attacks on TLS connections against Microsoft Outlook on the web domains, intercepting OAuth authentication tokens after successful MFA authentication without requiring additional malware on compromised routers. On April 7, 2026, US authorities dismantled APT28’s US-based DNS hijacking network as part of ‘Operation Masquerade,’ neutralizing compromised routers across 23 states. The operation, led by the FBI and authorized by a court, reset DNS settings on affected TP-Link routers to restore legitimate DNS resolvers from ISPs without impacting functionality or collecting user content. The FBI is working with ISPs to notify affected users and urges router owners to replace outdated devices, update firmware, and verify DNS settings to prevent further exploitation.
Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure
The **Aisuru/Kimwolf botnet ecosystem** has reached a **critical disruption milestone** after a **multi-national law enforcement operation** led by the **U.S. Department of Justice (DoJ)**, alongside **Canadian and German authorities**, successfully **dismantled the command-and-control (C2) infrastructure** of four interconnected botnets—**AISURU, Kimwolf, JackSkid, and Mossad**—on **March 20, 2026**. This **court-authorized takedown**, supported by **18+ tech firms** (including Akamai, Cloudflare, Google, AWS, and Oracle), targeted the botnets’ **3 million+ infected devices** (including **2 million+ Android TVs, routers, DVRs, and IoT cameras**), which had been weaponized to launch **record-breaking DDoS attacks** (e.g., **31.4 Tbps in November 2025**) and **hyper-volumetric campaigns** averaging **3 Bpps, 4 Tbps, and 54 Mrps**. The botnets’ **cybercrime-as-a-service model** enabled operators to sell access to compromised devices for **DDoS extortion, residential proxy monetization, and lateral movement in corporate/government networks**, with **hundreds of thousands of attack commands** issued across sectors like **telecom, gaming, IT, and critical infrastructure**. The disruption **severed C2 communications**, aiming to **prevent further infections** and **eliminate the botnets’ ability to launch future attacks**, including those targeting **U.S. Department of Defense (DoD) networks**. Despite this **first major law enforcement strike**, **persistent infections and operator evasion tactics** (e.g., **ENS-based C2, decentralized proxy abuse**) underscore the **ongoing challenge of full eradication**. Prior milestones include the botnets’ **accidental Sybil attack on the I2P anonymity network** (February 2026), their **exploitation of residential proxy networks (IPIDEA)** for internal network infiltration (January 2026), and **Google’s takedown of IPIDEA** (January 29, 2026), which reduced millions of proxy exit nodes. 
The DoJ’s action follows a **year of escalating hyper-volumetric attacks**, including **Cloudflare’s mitigation of 47.1 million DDoS attacks in 2025** (a **100% YoY increase**) and **Akamai’s reports of attacks exceeding 30 Tbps/14 Bpps**. While the operation marks a **significant blow to the botnets’ operational capacity**, their **adaptive resilience** and **global scale of infections** demand continued vigilance.