May 25, 2026
The 23-Year-Old From Ottawa Behind the Largest DDoS Attack in History—30 Terabits a Second From a Botnet of Digital Photo Frames and Webcams—Just Got Arrested After Krebs Named Him in February
Ontario Provincial Police took Jacob Butler, 23, into custody on May 21, 2026. Krebs on Security identified him as "Dort," the operator of the Kimwolf botnet, on February 28. The FBI's Anchorage office had already coordinated a takedown of his infrastructure on March 19, alongside three rival operators—Aisuru, JackSkid, and Mossad. The damage by then was already done.
Key Takeaways
- Jacob Butler, 23, of Ottawa was arrested by Ontario Provincial Police on May 21, 2026 and identified as "Dort," operator of the Kimwolf botnet.
- Kimwolf sustained DDoS attacks measuring nearly 30 terabits per second at peak—the largest publicly reported volumetric attack on record—issued through more than 25,000 attack commands over the botnet's lifetime.
- The botnet was assembled mostly from unmanaged consumer IoT devices: digital photo frames, webcams, and similar internet-connected appliances with rarely updated firmware.
- The FBI Anchorage office and Defense Criminal Investigative Service jointly seized Kimwolf's infrastructure on March 19, 2026 along with three competing botnets—Aisuru, JackSkid, and Mossad.
- Butler faces one U.S. count of aiding and abetting computer intrusion (10-year maximum) plus three Canadian charges; some named victims reported losses exceeding one million dollars apiece.
What Is Kimwolf?
Kimwolf is the largest of the post-Mirai-era IoT botnets. It compromised a population of small internet-connected consumer devices—digital photo frames, smart webcams, baby monitors, and a long tail of similar appliances—using the same playbook the original Mirai botnet used in 2016: scan the public internet, find devices with default or weak credentials, push a small payload, and add the device to a command pool.
The advance over Mirai is mostly scale. Where Mirai famously achieved roughly 1.2 Tbps in its 2016 attack on Dyn, Kimwolf reached nearly 30 Tbps at peak. The arithmetic does not require an enormous device count. The kind of devices Kimwolf recruits typically have a thin operating system, almost no monitoring, and frequently saturate the residential upstream bandwidth available to them. A few hundred thousand of those devices, lit up at once, produce a wall of traffic that overwhelms anything short of a tier-one DDoS scrubbing provider.
The 25,000 attack commands issued through the lifetime of the botnet were rented out, in the standard "stresser" or "booter" service model, to anyone who could afford a few dollars in cryptocurrency. The customer base ranged from gaming communities knocking opponents offline to extortion gangs warming up reluctant ransom targets.
How Did Krebs Identify Him?
Brian Krebs published "Dort's" real identity on February 28, 2026 in a long-form post that aggregated several years of public traces: Telegram and Discord handles reused across forums, an old cryptocurrency exchange registration with a real name and address, a leaked customer list from a hosting reseller, and a sequence of messages on hacking forums that referenced specific high school events tied to a small Ottawa neighborhood.
The reveal was the same kind of patient open-source investigation Krebs has used for two decades. None of the individual breadcrumbs was definitive. Stacked together, they pointed to a single 23-year-old who had been operating Kimwolf since 2023. Public attribution did not by itself produce the arrest, but it created the body of evidence that the OPP and FBI used to obtain warrants two months later.
The pattern—public identification first, formal action months later—is the dominant arc for botnet takedowns now. The alleged Scattered Spider leader's guilty plea in April followed the same shape, as did several of the more recent stresser service takedowns.
What Did the Takedown Cover?
On March 19, 2026—roughly three weeks after the Krebs piece—the FBI Anchorage office and the Defense Criminal Investigative Service executed a coordinated infrastructure seizure that took offline four DDoS-for-hire operations simultaneously: Kimwolf, Aisuru, JackSkid, and Mossad. The simultaneous strike denied the operators an obvious migration path to a competitor, which has historically been one of the chief escape hatches after a single botnet seizure.
Investigators identified Butler by cross-referencing seized infrastructure with IP addresses, online accounts, transaction records, and messaging application data. The arrest two months later was, in practice, a formality. The U.S. indictment names a single count of aiding and abetting computer intrusion, which carries a maximum 10-year sentence; the Canadian charges add unauthorized computer use, possession of device for unauthorized access, and computer mischief.
A separate set of charges relates to harassment. Butler allegedly directed swatting attacks against journalists and security researchers who reported on Kimwolf, including Ben Brundage, the founder of Synthient, a security firm that had been publishing data on the botnet's command and control servers. The named victims of swatting and harassment will form a parallel track of the prosecution.
Why Should Anyone Outside the Security Industry Care?
Two reasons. The first is that the devices Kimwolf recruited are unremarkable consumer appliances. A digital photo frame in a relative's living room or a webcam clipped to a child's bedroom door looks like nothing. From the botnet's perspective, the device is a network node with a fast residential upstream and no one to notice if it spends its idle minutes flooding a third party server with traffic.
Cleaning these devices is hard. They typically receive firmware updates rarely, if ever. The manufacturers, in many cases, no longer exist. The router they sit behind has no easy way to flag an outbound traffic burst as suspicious. The only effective preventative actions are at purchase—choosing vendors with a documented update policy—or at network configuration, by isolating IoT devices on a separate VLAN with restrictive egress rules.
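As an added illustration of the network-side control described above (not code from the article or from any vendor), the sketch below audits one 60-second export of flow records from an isolated IoT VLAN against a restrictive egress allowlist and a per-device rate ceiling. The VLAN range, the allowlist entries, the rate ceiling, and every flow record are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

IOT_VLAN = ip_network("192.168.50.0/24")   # assumed IoT segment
INTERVAL_S = 60                            # assumed flow export interval
RATE_LIMIT_BPS = 2_000_000                 # assumed ceiling per device
# Assumed egress policy: the only (network, protocol, port) tuples allowed out.
EGRESS_ALLOW = [
    (ip_network("192.168.50.1/32"), "udp", 53),    # local DNS resolver
    (ip_network("192.168.50.1/32"), "udp", 123),   # local NTP
    (ip_network("203.0.113.0/24"), "tcp", 443),    # vendor cloud (placeholder)
]

# Constructed records for one interval: (src, dst, proto, dport, bytes)
FLOWS = [
    ("192.168.50.21", "203.0.113.10", "tcp", 443, 1_500_000),
    ("192.168.50.21", "192.168.50.1", "udp", 53, 4_000),
    ("192.168.50.34", "198.51.100.7", "udp", 80, 900_000_000),
    ("192.168.50.34", "198.51.100.7", "udp", 80, 850_000_000),
    ("192.168.50.40", "203.0.113.10", "tcp", 443, 300_000_000),
    ("192.168.1.5", "198.51.100.7", "tcp", 443, 10_000),  # not on the IoT VLAN
]

def allowed(dst, proto, dport):
    """True if the destination tuple matches the egress allowlist."""
    return any(ip_address(dst) in net and proto == p and dport == port
               for net, p, port in EGRESS_ALLOW)

def audit(flows):
    """Return {device: findings} for IoT hosts that break policy or burst."""
    findings = defaultdict(set)
    sent = defaultdict(int)                      # bytes sent per device
    for src, dst, proto, dport, nbytes in flows:
        if ip_address(src) not in IOT_VLAN:
            continue                             # only the IoT segment is in scope
        if not allowed(dst, proto, dport):
            findings[src].add(f"egress-violation {proto}/{dport} -> {dst}")
        sent[src] += nbytes
    for src, nbytes in sent.items():
        # A device can stay inside the allowlist and still burst abnormally.
        if nbytes * 8 / INTERVAL_S > RATE_LIMIT_BPS:
            findings[src].add("rate-exceeded")
    return {src: sorted(items) for src, items in findings.items()}

if __name__ == "__main__":
    for device, items in audit(FLOWS).items():
        print(device, items)
```

The same allowlist doubles as the firewall policy for the VLAN: anything the audit would flag as an egress violation is traffic the router should be dropping.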
The second reason is collateral damage. The 30 Tbps Kimwolf attacks did not stay on the targeted victim. They saturated upstream providers and frequently degraded service for unrelated customers sharing the same network paths. Some of the named victims in the indictment include small businesses that were not the intended target—they were on the same hosting platform as the actual victim, and the volume of the attack took out the entire neighborhood. Losses on those collateral victims, in several cases, exceeded $1 million each.
What Happens Next?
Butler is in Canadian custody pending U.S. extradition proceedings. The Canadian charges will be addressed first, on Canadian timelines; the U.S. case is likely to follow, with the Anchorage indictment specifying a forum in Alaska on jurisdictional grounds related to the location of certain attack targets.
For the broader DDoS-for-hire economy, the simultaneous March takedown of Kimwolf, Aisuru, JackSkid, and Mossad has temporarily depressed the available attack capacity on the open market. Successor services are already advertising, but the typical lifecycle of a new stresser brand—reputation building, customer migration, peak operation, takedown—is measured in months, not years, and the gap created by the May arrest is unlikely to last long.
The wider takeaway is the same one the Mirai indictments produced a decade ago: catching the operators is possible, but the device population that fed the botnet is still out there. Until consumer IoT firmware ships with a meaningful update story, the next operator inherits the same labor pool of vulnerable devices that Butler did.