Ottawa man charged over Kimwolf DDoS botnet

Jacob Butler, 23, of Ottawa, was arrested and charged Thursday by the U.S. Department of Justice with operating the Kimwolf distributed denial-of-service botnet. He faces a single federal count of aiding and abetting computer intrusion and a maximum sentence of 10 years in prison.

The Justice Department described Kimwolf as a variant of the AISURU malware family used in a DDoS-for-hire network. Court documents say the botnet issued more than 25,000 attack commands and produced traffic that peaked at 31.4 terabits per second.

According to court filings, Kimwolf infected internet-connected devices often “firewalled” from the public internet, such as digital photo frames and web cameras. “The infected devices were enslaved by the botnet operators,” the department added. Operators sold access to the compromised devices so customers could hire the botnet to overwhelm victim systems.

U.S. authorities linked Butler to administration of the Kimwolf infrastructure through IP address logs, online account records and Discord message records associated with an account using the handle resi[.]to. Butler has told investigators he had not used the Dort persona since 2021 and suggested an impersonator may have taken over his old account.

The charges follow a coordinated, court-authorized operation roughly two months earlier, conducted with partners in Canada and Germany, that disrupted command-and-control servers tied to Kimwolf and related botnets identified as AISURU, JackSkid and Mossad. Seizure warrants unsealed as part of that operation targeted online services that supported 45 DDoS-for-hire platforms; one of those platforms is reported to have worked with Kimwolf.

Prosecutors highlighted the commercial nature and global reach of the campaigns, saying attacks were traced to computers and servers worldwide, including IP addresses on the Department of Defense Information Network.