The US Department of Justice announced the arrest of 23-year-old Canadian citizen Jacob Butler (alias Dort) from Ottawa on charges of developing and operating the Kimwolf DDoS botnet. The botnet, a variant of AISURU, infected IoT devices — digital photo frames and webcams — and was used to sell access to them under a “cybercrime-as-a-service” model. Among the attack targets were IP addresses belonging to the US Department of Defense Information Network (DoDIN), and peak DDoS traffic reached 31.4 Tbps. Butler has been charged with aiding and abetting unauthorized access to computer systems and faces up to 10 years in prison.
Botnet mechanics and monetization model
Kimwolf specifically exploited devices that had traditionally been considered protected from direct internet access by firewalls: digital photo frames and webcams. Once infected, these devices were added to the botnet, after which the operators sold access to them to other cybercriminals. This “cybercrime-as-a-service” model allowed customers to direct the compromised devices to carry out DDoS attacks against targets around the world.
According to the Department of Justice, during its operation Kimwolf issued more than 25,000 attack commands. Before its infrastructure was dismantled, the AISURU/Kimwolf botnets were associated with record-breaking DDoS attacks that generated junk traffic peaking at 31.4 Tbps. For context: such a volume of traffic can overwhelm virtually any unprotected infrastructure and puts serious strain even on the largest DDoS protection providers.
Among the indicators of compromise associated with the operation is the domain resi[.]to, which, according to court documents, was used to coordinate botnet activity via Discord.
Attribution and evidentiary basis
Butler’s connection to administering Kimwolf was established based on IP addresses, online account data, and Discord message logs posted by an account associated with resi[.]to. It should be emphasized that the charges remain allegations until a court reaches a verdict — the attribution is based on materials from a criminal case that has not yet been adjudicated on the merits.
The arrest is a logical continuation of an operation carried out two months earlier, when authorities in the US, Canada, and Germany took down command-and-control (C2) infrastructure associated with the Kimwolf, AISURU, JackSkid, and Mossad botnets. That operation was authorized by a court.
Large-scale takedown of DDoS infrastructure
In parallel with Butler’s arrest, authorities unsealed seizure warrants for online services that supported 45 DDoS-for-hire platforms. Law enforcement agencies were thereby empowered to dismantle these platforms. One of the platforms taken down reportedly worked directly with Kimwolf.
The simultaneous takedown of 45 platforms is a significant blow to the DDoS-for-hire ecosystem. Such platforms lower the barrier to entry for launching attacks: a customer does not need technical expertise, only the ability to pay for a subscription and specify a target. Destroying the infrastructure alongside arresting the botnet operator is a combined approach aimed at disrupting both supply and demand in this segment of cybercrime.
Impact assessment
Kimwolf’s attacks affected a wide range of targets, but the most alarming aspect is the targeting of IP addresses belonging to the US Department of Defense Information Network. This elevates the botnet’s activity from routine cybercrime into the realm of national security threats. Owners of IoT devices — digital photo frames, webcams, and similar equipment — became unwitting participants in the attacks, as their devices were used without their knowledge.
The attack capacity of 31.4 Tbps indicates the scale of the compromised infrastructure: generating such a volume of traffic requires tens or hundreds of thousands of infected devices.
Recommendations
- For IoT device owners: check the firmware of digital photo frames, IP cameras, and other connected devices. Update to the latest versions, change default passwords, and disable UPnP and direct internet access.
- For network administrators: audit outbound traffic from IoT segments for abnormal volumes or connections to unknown C2 servers. Isolate IoT devices in separate VLANs with restricted access.
- For infrastructure operators: check DNS logs for connections to the resi[.]to domain — this may indicate compromised devices on your network.
- For organizations using DDoS protection: make sure your solutions can handle attacks exceeding 30 Tbps and test your DDoS incident response plans.
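As an added example (not from the article or the court documents), the following Python script performs the DNS-log check recommended above: it flags lookups of resi[.]to and its subdomains, normalizing case and trailing dots while avoiding false matches on look-alike names, and counts hits per client so the devices to isolate stand out. The log line format, the IoT VLAN range, and the sample log lines are assumptions constructed for the example.

```python
"""Scan DNS query logs for lookups of the resi[.]to domain named in the article.
Added example, not part of the article. Assumed log format: one query per line,
"<timestamp> <client_ip> <query_name> <qtype>". Sample lines are constructed."""
from collections import Counter

# Indicator from the article (written de-fanged there as resi[.]to).
WATCHLIST = {"resi.to"}

# Constructed sample log lines; 10.50.0.0/16 is the assumed IoT VLAN.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.50.0.23 update.example-frames.net A
2024-01-01T10:00:02Z 10.50.0.23 resi.to A
2024-01-01T10:00:03Z 10.50.0.41 api.resi.to A
2024-01-01T10:00:04Z 10.50.0.41 notresi.to A
2024-01-01T10:00:05Z 10.50.0.23 RESI.TO. AAAA
2024-01-01T10:00:06Z 192.168.1.10 www.example.com A
""".splitlines()


def matches_watchlist(qname: str) -> bool:
    """True if qname equals a watchlisted domain or is a subdomain of one.
    Case and a trailing dot are normalized; matching on label boundaries
    avoids wrongly flagging look-alike names such as notresi.to."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def find_watchlist_hits(lines):
    """Return (client_ip, qname) pairs whose query name is on the watchlist."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the sweep
        client_ip, qname = parts[1], parts[2]
        if matches_watchlist(qname):
            hits.append((client_ip, qname))
    return hits


def hits_per_client(lines):
    """Count watchlist hits by client; these are the devices to isolate first."""
    return Counter(ip for ip, _ in find_watchlist_hits(lines))


if __name__ == "__main__":
    for ip, count in hits_per_client(SAMPLE_DNS_LOG).most_common():
        print(f"{ip}: {count} lookup(s) of a watchlisted domain")
```

Point the script at your resolver's query log (adjusting the field positions if your format differs) and cross-check any hit against the device inventory for the IoT VLAN.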
Butler’s arrest and the simultaneous dismantling of 45 DDoS-for-hire platforms demonstrate a shift in law enforcement strategy: instead of isolated actions, a comprehensive approach is being used to break the entire chain — from the botnet operator to the end services selling attacks. For IoT device owners, the key step now is to inventory all connected equipment, update firmware, and ensure that devices are not directly accessible from the internet, since such devices formed the backbone of Kimwolf.