**Jacob Butler**, a 23-year-old also known as "Dort," was arrested in Ottawa on Wednesday based on an extradition warrant. The arrest follows an investigation that linked Butler to the **KimWolf** botnet through IP addresses, online account information, transaction records, and online messaging records. ### Charges and Potential Penalties Butler awaits extradition to the U.S. and faces one count of aiding and abetting computer intrusions, carrying a maximum sentence of 10 years in prison. Court documents detail how **KimWolf** functioned as a DDoS-for-hire service, enabling cybercriminals to launch attacks reaching nearly 30 terabits per second. At the time this was the largest DDoS attack publicly disclosed. ### KimWolf's Modus Operandi Operating on a cybercrime-as-a-service model, Butler allegedly sold access to a vast network of compromised systems, including digital photo frames, web cameras, Android-based TV boxes, and streaming devices. This botnet was implicated in over 25,000 attacks targeting computers and servers worldwide, including those within the Department of Defense Information Network, causing financial losses exceeding $1 million for some victims. ### Botnet Growth and Impact  *Kimwolf infections heatmap (**Synthient**)* Researchers at **Synthient** have been closely monitoring **KimWolf**'s expansion, noting in January that it grew to almost 2 million devices by compromising Android devices through vulnerabilities in residential proxy networks. The botnet reportedly generated approximately 12 million unique IP addresses each week. ### Crackdown on DDoS-for-Hire Platforms In a parallel operation, the Central District of California unsealed seizure warrants targeting 45 DDoS-for-hire platforms, disrupting multiple services, including at least one that collaborated with the **KimWolf** botnet. According to the Justice Department, domain records associated with these services were seized and redirected to a warning page stating the illegality of DDoS services. ### International Collaboration Butler's arrest is a result of a March 2026 international operation involving U.S., German, and Canadian authorities. This operation led to the seizure of command-and-control infrastructure used by **KimWolf** and three related botnets (**Aisuru**, **JackSkid**, and **Mossad**), which collectively infected over 3 million IoT devices. These devices included web cameras, digital video recorders, and Wi-Fi routers, many located within the United States. [](https://hubs.li/Q048zztN0) ## [The Validation Gap: Automated Pentesting Answers One Question. You Need Six.](https://hubs.li/Q048zztN0) Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold. This guide covers the 6 surfaces you actually need to validate. [Download Now](https://hubs.li/Q048zztN0)