BIP Pennsylvania News


Canadian Man Arrested for Operating Kimwolf Botnet

May 25, 2026  Twila Rosenbaum

A Canadian man has been arrested in connection with the operation of a powerful distributed denial-of-service (DDoS) botnet known as Kimwolf. The US Justice Department announced on Thursday that Jacob Butler, 23, of Ottawa, was taken into custody by Canadian authorities and that the United States is seeking his extradition. Butler, who allegedly used the online alias ‘Dort,’ faces a single count of aiding and abetting computer intrusion. If convicted, he could be sentenced to up to 10 years in federal prison.

The Kimwolf Botnet: An Android-Focused Threat

Kimwolf first drew the attention of cybersecurity researchers and law enforcement agencies in late 2024 as the Android-focused successor to an earlier botnet called Aisuru. Both botnets were designed to harness the processing power of compromised Internet of Things (IoT) devices—particularly Android-based systems—to launch massive DDoS attacks. According to the Justice Department, Kimwolf was capable of enlisting approximately 2 million devices at its peak, making it one of the largest IoT botnets ever disrupted.

The botnet gained notoriety for its sophisticated methods. It abused residential proxy networks to obscure its command-and-control infrastructure, making it difficult for defenders to trace and shut down. By leveraging compromised home routers, set-top boxes, and other connected devices, Kimwolf could generate enormous traffic volumes. In one record-breaking incident, the Aisuru and Kimwolf botnets were linked to a DDoS attack that peaked at 31.4 terabits per second (Tbps)—one of the largest ever recorded.

Investigation and Arrest

The investigation into Kimwolf involved coordinated efforts by the FBI, the US Attorney’s Office for the Central District of California, and international partners including the Royal Canadian Mounted Police and German law enforcement. The DoJ revealed that investigators connected Butler to the botnet through a combination of IP address logs, online account registrations, financial transaction records, and messages obtained from encrypted applications via legal processes.

In March of this year, the Justice Department announced the disruption of several IoT botnets, including Kimwolf and Aisuru. At that time, authorities stated that administrators and infrastructure in Canada and Germany had been targeted, but no arrests were publicly confirmed. Butler’s arrest now appears to be the culmination of those efforts.

Simultaneous Actions Against DDoS-for-Hire Platforms

Alongside Butler’s arrest, the Central District of California unsealed seizure warrants targeting online services that supported 45 DDoS-for-hire platforms. These services, often called “booter” or “stresser” sites, allow paying customers to launch DDoS attacks against any target. The coordinated takedown disrupted many of these platforms, including at least one that had collaborated with Butler’s Kimwolf botnet. This action represents a significant blow to the cybercrime ecosystem that enables low-sophistication attackers to cause widespread disruption.

Background on IoT Botnets and DDoS Threats

The rise of IoT botnets like Kimwolf reflects a broader trend in cybercrime. Since the emergence of the Mirai botnet in 2016, attackers have increasingly targeted poorly secured IoT devices. Many home routers, security cameras, and smart appliances ship with default credentials or unpatched vulnerabilities, making them easy prey for automated scanning and exploitation. Once compromised, these devices can be remotely controlled to flood websites, gaming servers, or critical infrastructure with junk traffic.

DDoS attacks have grown in scale and frequency. The 31.4 Tbps attack attributed to Aisuru and Kimwolf dwarfs many earlier records. For context, the 2016 Mirai attack on DNS provider Dyn peaked at around 1.2 Tbps. Modern botnets often combine hundreds of thousands of devices with high-bandwidth connections, allowing them to generate traffic volumes that can overwhelm even large network defenses.

Residential proxy networks play a key role in botnet operations. By routing malicious traffic through thousands of legitimate home IP addresses, attackers can evade IP-based blocking and make their infrastructure appear benign. Kimwolf’s use of such proxies demonstrated a high degree of operational security on the part of its administrators.

Legal and Policy Implications

Butler’s arrest underscores the increasing willingness of law enforcement to pursue botnet operators across international borders. The US has aggressively used extradition treaties to bring cybercriminals to American courts. If extradited, Butler will face a federal justice system that has secured convictions in similar high-profile cases, such as the operators of the Mirai botnet and the Kelihos malware.

The case also highlights the importance of public-private partnerships. Technology companies, researchers, and ISPs often provide critical evidence and technical assistance to law enforcement. For instance, the identification of Butler’s online accounts and transaction records relied on cooperation with messaging platforms and financial institutions.

Cybersecurity experts note that while takedowns are important, they are not a permanent solution. Botnets are often quickly rebuilt by other actors, and the pool of vulnerable IoT devices remains vast. The Kimwolf disruption, combined with the closure of numerous DDoS-for-hire services, may temporarily reduce the overall threat, but defenders must remain vigilant.

The US Justice Department has not commented on whether additional arrests are pending. However, the unsealed seizure warrants and Butler’s capture suggest that investigators have mapped out a broad network of co-conspirators and service providers. Future actions may target individuals who sold access to the botnet or rented its capabilities to third parties.


Source: SecurityWeek News

