A 23-year-old Canadian man known online as “Dort” has been arrested by Canadian authorities and charged in the United States with administering one of the most destructive distributed denial-of-service (DDoS) botnets ever documented. Jacob Butler, of Ottawa, Ontario, was taken into custody on May 20, 2026, pursuant to an extradition warrant, following months of coordinated international law enforcement action.

A criminal complaint originally filed on April 10, 2026, in the U.S. District of Alaska was unsealed the following day upon Butler’s arrest. The complaint charges Butler with one count of aiding and abetting computer intrusion related to his alleged development and operation of the KimWolf botnet — a DDoS-for-hire service that infected over one million devices worldwide, including devices located within the state of Alaska.

⬛ Case at a Glance

  • Defendant Jacob Butler, aka “Dort,” 23, Ottawa, Canada
  • Arrest Date May 20, 2026 (charges unsealed May 21, 2026)
  • Charges Filed April 10, 2026 — U.S. District of Alaska
  • Charge 1 count: Aiding and abetting computer intrusion
  • Max Sentence Up to 10 years in federal prison
  • Primary Botnet KimWolf (DDoS-for-hire, 1M+ infected devices)
  • Related Botnets Aisuru, JackSkid, Mossad (disrupted March 2026)
  • Peak Attack Volume Nearly 30 Tbps (KimWolf); record-breaking
  • Investigating Agency DCIS Cyber Field Office, FBI Anchorage

The KimWolf Botnet: Targeting “Firewalled” Devices

According to court documents, KimWolf specifically targeted devices that are traditionally isolated from the broader internet — including digital photo frames and web cameras. Once infected, these devices were conscripted into the botnet as “zombie” nodes. The operators then leveraged a cybercrime-as-a-service model, selling access to the enslaved devices to other criminal actors who used them to launch DDoS attacks against servers around the world, including IP addresses belonging to the Department of Defense Information Network (DoDIN).

KimWolf attacks were measured at nearly 30 terabits per second — a record in documented DDoS attack volume at the time. The botnet is alleged to have issued over 25,000 individual attack commands, causing financial losses exceeding one million dollars for some victims.

“KimWolf was a DDoS-for-hire service which infected over a million devices worldwide.” — U.S. Department of Justice, District of Alaska, May 21, 2026

Aisuru and the Broader Botnet Takedown

KimWolf was not the only botnet dismantled in this operation. In March 2026, U.S. authorities — working alongside international law enforcement partners — conducted a court-authorized operation to seize Command and Control (C2) infrastructure used by four major IoT botnets: Aisuru, KimWolf, JackSkid, and Mossad. The Aisuru botnet, which has been separately linked in cybersecurity community reports to a record-breaking DDoS attack on Cloudflare infrastructure in late 2024, was among those disrupted during this coordinated takedown.

It is important to note that the official DOJ complaint charges Butler specifically in connection with KimWolf. Publicly circulating summaries that attribute the Aisuru Cloudflare attack figures (such as 31.4 Tbps and 200 million requests per second) directly to Butler’s charges conflate two separate botnets. The record DDoS volume cited in Butler’s complaint — nearly 30 Tbps — refers to KimWolf activity.

From Minecraft Mods to a Global Botnet

Butler’s online alias “Dort” was reportedly well known within gaming communities, particularly the Minecraft modding scene, where he is said to have developed a cheating client called Dortware associated with the Hypixel server. While this background is widely discussed in cybersecurity forums and community spaces, it does not appear in official DOJ charging documents, and Butler is presumed innocent unless proven guilty in court.

The alleged trajectory — from developing game cheating tools to administering a global IoT botnet responsible for millions of dollars in damages — has drawn significant attention from the cybersecurity industry and law enforcement observers as a case study in how technical skills developed in informal online communities can be redirected toward serious criminal enterprises.

Legal Proceedings and International Cooperation

Butler’s arrest was made possible through extensive international coordination. The Ontario Provincial Police, Sûreté du Québec, Royal Canadian Mounted Police, and Germany’s Bundeskriminalamt (BKA) all participated in the investigation, alongside U.S. agencies including the DCIS Cyber Field Office and the FBI’s Anchorage Field Office.

Simultaneously, the U.S. District Court for the Central District of California unsealed seizure warrants targeting 45 DDoS-for-hire platforms, including at least one that collaborated with KimWolf. Domain names associated with many of these services were redirected to a government warning page informing visitors that DDoS-for-hire services are illegal.

Technology and cybersecurity firms that assisted the investigation include Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Oracle, PayPal, Salesforce Counter-Threat Ops, Sony Interactive Entertainment, and EUROPOL’s PowerOFF team, among others.

Why This Case Matters

The KimWolf case underscores the profound and growing vulnerability of consumer IoT devices — smart cameras, photo frames, set-top boxes, and other internet-connected hardware that frequently ships with weak or default credentials and receives limited security patching. As smart home adoption accelerates, such devices represent an expanding attack surface that criminal actors are actively exploiting.

If convicted, Butler faces up to 10 years in federal prison. A federal district court judge will determine any sentence after consulting U.S. Sentencing Guidelines. Canadian authorities have not released additional details, and the case is expected to yield further technical disclosures as proceedings advance.