Inside the Kimwolf DDoS Botnet and the Arrest of Its Alleged Admin


CyberSecureFox Editorial Team

US and Canadian authorities announced the arrest of 23‑year‑old Ottawa resident Jacob Butler (alias Dort), who is accused of administering the Kimwolf DDoS botnet. According to the US Department of Justice, this platform was used to carry out more than 25,000 attacks worldwide, with peak capacity of individual attacks reaching 31.4 Tbit/s. The botnet operated on a subscription model, providing other attackers with access to compromised devices. Owners of Android set‑top boxes, streaming devices, and IoT equipment should check whether Android Debug Bridge is enabled on their devices.

How Kimwolf Worked

According to the indictment, Kimwolf was a variant of the Aisuru botnet and functioned as a subscription‑based DDoS service — a classic cybercrime-as-a-service model. The operators rented out the botnet’s capacity to other hackers, who used it to conduct distributed denial‑of‑service attacks.

The primary infection vector was Android‑based devices with an exposed Android Debug Bridge (ADB) interface. According to the charges, the compromised devices included:

  • Android set‑top boxes and streaming devices
  • Webcams and IP cameras
  • Digital photo frames
  • Routers and digital video recorders (DVRs)
  • Other IoT equipment

A distinctive feature was that a significant portion of infected devices were located behind NAT and were not directly accessible from the internet, which made them harder to detect and clean. The court filings also mention the resi[.]to account, which is presumably linked to residential proxy infrastructure.

Scale and Targets of the Attacks

According to the US Department of Justice, the botnet was used to carry out more than 25,000 attacks worldwide. Among the targets were IP addresses in the DoDIN network, associated with US Department of Defense infrastructure. The prosecution claims that some victim organizations suffered losses exceeding one million dollars.

The stated peak capacity of 31.4 Tbit/s — if this figure is confirmed — would place Kimwolf’s attacks among the most powerful DDoS incidents ever recorded. For comparison, the largest publicly documented attacks in recent years have been measured in single‑digit terabits per second. However, this estimate comes solely from the prosecution and has not yet been corroborated by independent telemetry.

Investigation and Arrest

Investigators identified the suspect using a combination of IP addresses, online account data, transaction history, and Discord communications. Butler was arrested in Ottawa at the request of US authorities. He has been charged with aiding and abetting computer attacks, an offense punishable by up to 10 years in prison. It should be emphasized that at this stage all charges are allegations by the prosecution and have not been proven in court.

The arrest took place roughly two months after a joint international operation by law enforcement agencies in the US, Canada, and Germany, during which the command‑and‑control infrastructure of four botnets — Aisuru, Kimwolf, JackSkid, and Mossad — was taken offline. According to authorities, these botnets collectively infected more than 3 million IoT devices.

At the same time as the arrest, a court in California authorized the seizure of domains belonging to 45 DDoS‑for‑hire services. According to investigators, at least one of these platforms cooperated with Kimwolf. Some of the confiscated domains now display a warning about the illegality of DDoS attacks.

Protection Recommendations

Given that Kimwolf’s primary infection vector was an exposed Android Debug Bridge, owners of Android devices and IoT equipment are advised to:

  • Disable ADB on all devices where debugging is not actively used. On Android set‑top boxes and streaming devices, ADB often remains enabled by default.
  • Check network exposure — make sure port 5555 (the default for ADB over the network) is not open on devices in the local network. The command nmap -p 5555 192.168.0.0/24 will list the hosts on which that port is open; each of them should be checked and have ADB disabled, since an open port means the debugging interface is reachable by anything else on the same network.
  • Update firmware on IoT devices to the latest versions. Cheap Android set‑top boxes from lesser‑known manufacturers often do not receive security updates; such devices should be isolated in a separate network segment or replaced.
  • Configure network segmentation — place IoT devices in a separate VLAN with limited access to the internet and other segments.
  • Monitor anomalous outbound traffic — a sharp increase in outbound packets from IoT devices may indicate their participation in a botnet.
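To make the first two recommendations concrete, here is an added audit helper (not code from the article or from any of the parties it describes) that goes one step beyond the port scan: it sends a single ADB CNXN handshake to a host on port 5555 and classifies the reply. An adbd that answers CNXN has accepted an unauthenticated client, so anything on the same network segment could drive it; an AUTH reply means the device at least demands an RSA key. The ADB message layout (six little-endian uint32 fields followed by the payload) is the public protocol; the host list and the sample replies used for checking are constructed for this example.

```python
"""Audit helper: which hosts on a segment answer as Android adbd on TCP 5555.
Added example, not code from the article. It sends one CNXN handshake and
classifies the first reply; it never issues commands to the device."""
import socket
import struct
import sys

ADB_PORT = 5555
A_VERSION = 0x01000000   # ADB protocol version advertised in CNXN
MAX_PAYLOAD = 4096       # conservative max payload we tell the device we accept
HEADER_LEN = 24          # six little-endian uint32 fields


def cmd_id(tag: bytes) -> int:
    """ADB command ids are the four ASCII command letters read as a little-endian uint32."""
    return struct.unpack("<I", tag)[0]


A_CNXN = cmd_id(b"CNXN")   # connection handshake
A_AUTH = cmd_id(b"AUTH")   # device demands RSA key authentication


def build_packet(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    """Serialize an ADB message: header (command, arg0, arg1, length, checksum, magic) + payload.
    The checksum is the byte sum of the payload; magic is the bitwise complement of command."""
    header = struct.pack("<6I", command, arg0, arg1, len(payload),
                         sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF)
    return header + payload


def build_cnxn(system_identity: bytes = b"host::\x00") -> bytes:
    """The CNXN a client sends to open a session: version, max payload, identity banner."""
    return build_packet(A_CNXN, A_VERSION, MAX_PAYLOAD, system_identity)


def parse_header(raw: bytes):
    """Return the header fields of an ADB message, or None if raw is not an ADB message."""
    if len(raw) < HEADER_LEN:
        return None
    command, arg0, arg1, length, _check, magic = struct.unpack("<6I", raw[:HEADER_LEN])
    if magic != (command ^ 0xFFFFFFFF) or length > MAX_PAYLOAD:
        return None
    return {"command": command, "arg0": arg0, "arg1": arg1, "length": length}


def classify_reply(raw: bytes) -> dict:
    """Map the device's first message to an audit finding."""
    hdr = parse_header(raw)
    if hdr is None:
        return {"status": "not-adb", "banner": ""}
    payload = raw[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if hdr["command"] == A_CNXN:
        # adbd accepted an unauthenticated client; its banner names the device.
        return {"status": "adb-open",
                "banner": payload.rstrip(b"\x00").decode("ascii", "replace")}
    if hdr["command"] == A_AUTH:
        return {"status": "adb-auth-required", "banner": ""}
    return {"status": "adb-unexpected", "banner": ""}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (or fewer if the peer closes early)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host: str, port: int = ADB_PORT, timeout: float = 3.0) -> dict:
    """Connect, send CNXN, read the reply header plus payload, classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_cnxn())
            raw = recv_exact(s, HEADER_LEN)
            hdr = parse_header(raw)
            if hdr is not None:
                raw += recv_exact(s, hdr["length"])
    except OSError:
        return {"status": "closed", "banner": ""}
    return classify_reply(raw)


if __name__ == "__main__":
    # Usage: python adb_audit.py 192.168.0.10 192.168.0.11 ...  (hosts you administer)
    for target in sys.argv[1:]:
        finding = probe(target)
        print(f"{target}\t{finding['status']}\t{finding['banner']}")
```

Any host reported as adb-open should be treated as the article's worst case: ADB is enabled, listening on the network and accepting connections without authentication, so disable it (or isolate and replace the device) rather than just closing the port on a firewall. Hosts reported as adb-auth-required still expose a debugging service and belong in the segregated IoT VLAN.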

The Kimwolf case clearly demonstrates how low‑cost Android devices with an unsecured debugging interface become building blocks for record‑breaking botnets. Disabling ADB and isolating IoT equipment on the network are basic measures that significantly reduce the risk of your devices being absorbed into such infrastructure. Organizations that use Android set‑top boxes or IP cameras in a corporate environment should prioritize an audit of these devices.
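The monitoring recommendation above ("a sharp increase in outbound packets from IoT devices") can be turned into a simple detector. The following added example (not code from the article) runs over constructed per-flow records of the kind a router, NetFlow exporter or firewall log would provide, and raises an alert for a source host when either of two signals typical of a DDoS node appears: outbound packets in the current one-minute window far above that host's own median baseline, or fan-out to an unusually large number of distinct destination addresses. The IP addresses, thresholds and traffic shape are assumptions chosen for the example.

```python
"""Outbound-traffic anomaly detector for IoT hosts. Added example, not code from
the article. Input: flow records (ts, src, dst, dport, pkts) such as a NetFlow
exporter or router log would yield; output: per-host alerts per time window."""
from collections import defaultdict
from statistics import median


def windowed_stats(flows, window=60):
    """Aggregate flows into {src: {window_index: [packets_out, set_of_dsts]}}."""
    stats = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for ts, src, dst, _dport, pkts in flows:
        slot = stats[src][ts // window]
        slot[0] += pkts
        slot[1].add(dst)
    return stats


def detect(flows, window=60, spike_factor=10, min_pkts=5000, fanout=100):
    """Flag a host's window when its packet count exceeds spike_factor times the
    median of its earlier windows (and an absolute floor), or when it talked to
    at least `fanout` distinct destinations. Baseline is per host, so a TV that
    always streams heavily is not mistaken for an attacker."""
    alerts = []
    for src, wins in windowed_stats(flows, window).items():
        ordered = sorted(wins)
        for i, w in enumerate(ordered):
            pkts, dsts = wins[w]
            history = [wins[h][0] for h in ordered[:i]]
            reasons = []
            if history and pkts >= min_pkts and pkts > spike_factor * median(history):
                reasons.append("volume_spike")
            if len(dsts) >= fanout:
                reasons.append("destination_fanout")
            if reasons:
                alerts.append({"src": src, "window_start": w * window,
                               "packets": pkts, "unique_dsts": len(dsts),
                               "reasons": reasons})
    return alerts


def constructed_sample():
    """Constructed flow records (assumed addresses, not real traffic):
    an IP camera that talks only to its NVR for ten minutes and then floods
    hundreds of external hosts, and a TV that streams steadily throughout."""
    flows = []
    for minute in range(10):
        for k in range(5):  # camera: 5 flows x 40 packets to the NVR each minute
            flows.append((minute * 60 + k * 10, "192.168.50.12", "10.0.0.5", 443, 40))
    for n in range(300):    # camera at minute 10: 200 packets to each of 300 new hosts
        dst = f"203.0.113.{n % 256}" if n < 256 else f"198.51.100.{n - 256}"
        flows.append((600 + n % 60, "192.168.50.12", dst, 80, 200))
    for minute in range(11):  # TV: one steady 3000-packet flow per minute
        flows.append((minute * 60, "192.168.50.20", "203.0.113.200", 443, 3000))
    return flows


if __name__ == "__main__":
    for alert in detect(constructed_sample()):
        print(alert)
```

In a real deployment the windows would be fed from the exporter continuously and the thresholds tuned per device class; the point the example makes is that the baseline must be per host, because absolute packet counts alone cannot separate a streaming box from a compromised camera, while a sudden jump against the host's own history combined with fan-out to many destinations is hard to explain any other way.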
