Overview
The U.S. Department of Justice has unsealed charges against Jacob Butler, a Canadian national accused of building and operating the KimWolf distributed denial-of-service (DDoS) botnet. Court documents allege Butler ran KimWolf as a DDoS-for-hire service that infected over one million devices worldwide, enabling paying customers to direct large-scale volumetric attacks against any target.
The charges were unsealed on May 22, 2026, following Butler's arrest in Canada. The dual prosecution — filed in both the United States and Canada — reflects the international scope of KimWolf's attack campaigns and victims.
KimWolf Botnet Overview
KimWolf was an IoT-based botnet that spread across internet-connected devices including home routers, IP cameras, and network-attached storage (NAS) systems. Once infected, a device checked in to the operator's command-and-control (C2) infrastructure and could then be tasked, together with the rest of the botnet, to generate DDoS traffic on demand.
| Attribute | Detail |
|---|---|
| Botnet name | KimWolf |
| Alleged operator | Jacob Butler (Canadian national) |
| Infected devices | 1 million+ |
| Device types | Home routers, IP cameras, NAS, embedded IoT |
| Service model | DDoS-for-hire (booter/stresser) |
| Charges filed | United States and Canada |
The Charges
According to court documents unsealed by the Justice Department:
- Butler built the KimWolf botnet by exploiting vulnerabilities in consumer IoT devices
- He operated it as a commercial service, accepting payment from clients to direct DDoS attacks against targets of their choice
- The botnet was used to conduct large-scale volumetric attacks that overwhelmed the bandwidth and network capacity of targeted organizations
- Victims included entities in both the United States and Canada, justifying dual-jurisdiction prosecution
The specific criminal counts and maximum penalties were not fully disclosed in initial reporting, but DDoS-for-hire prosecutions in recent years have resulted in sentences ranging from probation for cooperation cases to multi-year custodial sentences for uncooperative defendants.
How KimWolf Operated
KimWolf followed the classic IoT botnet operational model:
Device Recruitment
1. Automated scanning identifies vulnerable IoT devices
(default credentials, known CVEs in consumer firmware)
2. Exploit or brute-force gains access to the device
3. Malware payload is downloaded and executed on the device
4. Device connects to KimWolf C2 infrastructure and awaits commands
5. Device remains compromised until rebooted or firmware is updated
(many IoT devices are never rebooted by owners)
Attack-as-a-Service Model
KimWolf operated similarly to other DDoS-for-hire "booter" or "stresser" services:
- Customers registered on a web panel or dark web storefront
- Purchased attack credits or subscriptions
- Specified target IP/domain, attack duration, and attack type
- KimWolf infrastructure directed infected devices to flood the target
Jacob Butler and KimWolf: Investigation Background
Initial reporting does not describe how investigators identified Butler. In prior IoT botnet prosecutions, the pattern has been consistent: operators were identified through operational security failures such as
- Cryptocurrency transaction tracing linking payments to real-world identity
- Infrastructure registration records (domain registrations, server leases)
- Forum activity on hacking communities where KimWolf was marketed
- Device forensics from seized C2 servers revealing operator metadata
International coordination: the joint US/Canada prosecution implies information sharing between the FBI and the RCMP (Royal Canadian Mounted Police). Given KimWolf's global reach, involvement of Europol or other partner agencies is plausible, but initial reporting does not confirm it.
KimWolf in the Broader Threat Landscape
KimWolf was previously associated with attacks that disrupted the I2P privacy network, knocking the anonymous overlay network offline for extended periods. That an overlay network designed for resilience could be taken down for extended periods is an indication of the attack volume the botnet could sustain.
The botnet's scale — over one million infected devices — placed it among the larger IoT botnets tracked by researchers in 2025–2026, comparable in size to variants of Mirai-derived botnets.
IoT Security Implications
Butler's arrest underscores the continued exploitation of unpatched and default-credential IoT devices as botnet recruitment targets:
| Vulnerability Factor | Description |
|---|---|
| Default credentials | Millions of IoT devices ship with factory passwords that owners never change |
| No security updates | Many consumer IoT devices receive no patches after purchase |
| 24/7 connectivity | Always-online devices provide persistent infrastructure for operators |
| User unawareness | Owners rarely detect when devices are participating in attacks |
| Massive global scale | Billions of exposed devices give operators a recruitment pool that is effectively unlimited |
Actions for Defenders and Device Owners
For IoT device owners:
- Change default credentials immediately on all routers, cameras, and NAS devices, and disable remote administration (WAN-side web or telnet access) unless it is actually needed
- Apply available firmware updates; patched firmware removes the known vulnerabilities that IoT botnets exploit for recruitment (the specific flaws KimWolf used have not been disclosed in initial reporting)
- Reboot IoT devices, but only after changing credentials and patching: many IoT botnet infections live in memory and are cleared by a reboot, yet a device that still has default credentials or an unpatched service is typically re-infected within minutes of coming back online
- Place IoT devices on a separate network segment or VLAN isolated from critical systems, and watch for unexplained outbound traffic from that segment
For organizations targeted by KimWolf:
- Review incident logs and flow records from the KimWolf operational period for volumetric attack patterns: sudden packet-rate spikes against a single target originating from a very large number of distinct source addresses
- Contact the FBI's Internet Crime Complaint Center (IC3) if you have documented KimWolf DDoS attacks; victim reports support the prosecution and restitution process
- Keep DDoS mitigation services engaged; the arrest of one operator does not remove the underlying vulnerable device population, and successor botnets routinely appear within weeks of a takedown
Sources
- The Record — Canadian man arrested, charged for running KimWolf DDoS botnet