Kimwolf Botnet Takedown Reveals IoT Attack Rivalry
Kimwolf botnet takedown reveals four IoT botnets competing for the same vulnerable devices in a crowded DDoS-for-hire economy.
Kimwolf botnet infrastructure came down alongside three rival operations in a coordinated international action on March 19. But the arrest of its alleged 23-year-old operator in Ottawa this week forces a more uncomfortable conversation. Jacob Butler, known online as "Dort," now faces criminal hacking charges in both Canada and the United States after a criminal complaint was unsealed in an Alaska district court. The Justice Department alleges Butler built and operated a fast-spreading Internet-of-Things botnet that enslaved millions of devices, issued over 25,000 attack commands, and launched DDoS assaults measured at nearly 30 Terabits per second, a record. Some victims suffered financial losses exceeding one million dollars. The attacks even affected Internet address ranges belonging to the Department of Defense, drawing the Defense Criminal Investigative Service into the investigation alongside the FBI's Anchorage field office.

Strip away the headlines and a different pattern emerges: this is not simply a law enforcement success story. It's a case study in how IoT botnet rivalries are reshaping the threat landscape in ways security leaders have not fully internalized.

When Botnets Turn on Each Other

What distinguishes the Kimwolf botnet takedown from the long parade of similar operations is the glimpse it provides into a fiercely competitive criminal underground. The Justice Department statement confirms that on March 19, U.S. authorities seized technical infrastructure not only for Kimwolf but for three other large DDoS botnets named Aisuru, JackSkid, and Mossad. These four operations, the government notes, were "all competing for the same pool of vulnerable devices."

That single clause rewrites the narrative. These groups were not merely running parallel criminal enterprises. They were racing one another to infect the same digital photo frames, the same web cameras, the same firewalled IoT endpoints sitting unprotected across millions of homes and offices. The operational tempo of DDoS extortion is therefore driven not just by financial incentive but by competitive pressure. When multiple groups fight over the same attack surface, the pace of exploitation accelerates. Defenders are not facing a single adversary. They're facing an ecosystem where speed of compromise is itself a market differentiator.

The 30 Terabit Wake-Up Call

The numbers attached to the Kimwolf botnet case are sobering even by the grim standards of modern DDoS. Nearly 30 Terabits per second. That's the recorded attack volume attributed to this infrastructure, a figure that represents a record in documented DDoS scale and arrives at a moment when enterprises are increasingly dependent on always-available cloud services and real-time digital operations. Security teams calibrating their defenses against the last generation of volumetric attacks will find themselves outmatched by botnets capable of this magnitude.

The financial impact numbers tell the same story from a different angle: individual victims absorbing losses north of one million dollars, with over 25,000 attack commands issued across the botnet's operational lifespan. Read alongside the competitive dynamics among the four seized botnets, the picture clarifies. The race to compromise IoT devices produced not just more attacks but bigger ones, as each group sought to demonstrate potency to the customers renting their infrastructure.

IoT's Endless Attack Surface

The devices at the center of the Kimwolf botnet story are the ones most organizations forget to inventory. The Justice Department specifies that the botnet targeted systems "traditionally firewalled from the rest of the internet, such as digital photo frames and web cameras." These are not exotic targets. They're consumer devices shipped with default credentials, rarely patched, and connected to networks that offer them no meaningful segmentation from critical business systems. Every wave of IoT adoption introduces a fresh tranche of compute power that sits outside conventional endpoint management and becomes available for conscription into botnet armies.

Synthient, the security startup whose founder Ben Brundage was targeted by Butler, helped secure a widespread critical security weakness that the Kimwolf botnet was exploiting to spread faster than competing operations. The competitive advantage was tied directly to vulnerability exploitation speed, another dimension of the rivalry that the takedown exposes.

The Researcher Becomes the Target

Ben Brundage told KrebsOnSecurity he is relieved Butler is in custody. That line, brief as it is, points to a hardening reality in threat intelligence work. Butler claimed responsibility for at least two swatting attacks against Brundage after the researcher's firm helped slow the botnet's spread. The escalation from digital crime to physical endangerment is not new, but its appearance in a case involving a 23-year-old operator competing in a crowded botnet market suggests the tactic is becoming normalized among actors who see researchers as direct commercial threats. The criminal complaint against Butler shows he did little to separate his real-life identity from his cybercriminal persona, a detail that will interest security teams tracking operational security lapses among threat actors.

Why Swatting Matters

Swatting is not a technical attack. It's a weaponization of police response systems, and it represents a boundary transgression that changes how defenders must think about their personal risk exposure. When research into IoT vulnerabilities or botnet infrastructure triggers attempts to send armed officers to a target's home, the calculus for independent security researchers shifts. Organizations that rely on third-party researchers to identify the weaknesses that botnets like Kimwolf exploit will need to consider what support structures are in place when those researchers face retaliatory violence.

But that framing misses something. The swatting attacks in this case were not a last resort. They were a response to competitive displacement. Synthient's intervention weakened Kimwolf relative to Aisuru, JackSkid, and Mossad. The harassment was not just rage. It was a business move, designed to deter the disruption of a profitable criminal operation fighting for market share.

What Extradition Signals

Butler currently sits in Canadian custody awaiting a hearing on May 26, with a U.S. extradition warrant hanging over the proceedings. The charges in Canada include unauthorized use of a computer, possession of a device to obtain unauthorized use of a computer system, and mischief in relation to computer data. In the United States, he faces one count of aiding and abetting computer intrusion, carrying a maximum sentence of 10 years, though the U.S. Sentencing Guidelines would likely account for his youth, lack of criminal history, and any cooperation with investigators.

The extradition dimension matters because it signals a willingness to pursue cross-border IoT botnet operators even when they are young and based in allied nations. The Ontario Provincial Police executed a search warrant at Butler's address on March 19, the same day the infrastructure seizures occurred. That synchronization speaks to a level of operational coordination that law enforcement agencies have struggled to achieve in past botnet takedowns.

29 Terabits per second, 25,000 attack commands, four competing botnets, and a 23-year-old who allegedly did not bother to separate his identities. The Kimwolf botnet case will generate policy briefings and boardroom questions. The answer is not to buy another appliance. It's to accept that the competitive dynamics among criminal groups are now a variable in enterprise risk calculations. The Justice Department confirmed in April that it joined European authorities in seizing domain names tied to nearly four dozen DDoS-for-hire services, at least one of which collaborated with Butler's operation. The supply chain for DDoS capability is being systematically dismantled at the infrastructure level, but the demand side and the vulnerable device pool that feeds it remain structurally intact.

Kimwolf, Aisuru, JackSkid, and Mossad: four botnets competing for the same vulnerable IoT devices.
Nearly 30 Tbps attack volume: a DDoS record with financial losses exceeding $1 million per victim.
Swatting as retaliation: Ben Brundage of Synthient targeted after his firm weakened the botnet's spread.
Cross-border prosecution: charges in Canada and the U.S. with an extradition warrant in play.

"Hopefully this will end the harassment." Ben Brundage, founder of Synthient.

Canadian charges: unauthorized computer use, possession of hacking devices, mischief to computer data.
U.S. charge: aiding and abetting computer intrusion, maximum 10 years.

The May 26 hearing date in Ontario will be the next test of whether the legal machinery can move as fast as the threat actors it now pursues. For security leaders, the period between now and then is a window to ask whether their IoT exposure inventory reflects the reality that four rival botnets were fighting over the same unmanaged devices in their networks. The takedown of the Kimwolf botnet is not the end of that fight. It's a single round in a longer contest where the attackers are competing harder than the defenders.

Four botnets, one device pool: How Kimwolf botnet takedown exposes criminal competition
The Kimwolf botnet takedown reveals a crowded market. Four groups fought for the same vulnerable IoT devices. This competition drove record-breaking attacks. Security teams must adapt to this new reality.
Swatting as a business tactic: The Kimwolf botnet case shows researchers at risk
Swatting attacks against Synthient's founder were not just revenge. They were a calculated move to protect market share. The Kimwolf botnet operator saw researchers as direct threats to his criminal enterprise.
FAQ: What the Kimwolf botnet takedown means for IoT security
What is the Kimwolf botnet?
The Kimwolf botnet is an IoT botnet that enslaved millions of devices to launch massive DDoS attacks, reaching nearly 30 Tbps. It was taken down in March 2024 alongside three rival botnets.
Who was behind the Kimwolf botnet?
Jacob Butler, a 23-year-old Canadian known as "Dort," is charged with operating the Kimwolf botnet. He faces charges in both Canada and the United States.
Why is the Kimwolf botnet takedown significant?
It reveals fierce competition among four botnets for the same vulnerable IoT devices, driving record attack volumes and highlighting the need for better IoT security.
Frequently Asked Questions
What is the Kimwolf botnet?
Kimwolf is a botnet that targets IoT devices, primarily used for launching DDoS attacks.
How was the Kimwolf botnet taken down?
The takedown was a collaborative effort involving law enforcement and cybersecurity firms disrupting its command-and-control infrastructure.
What does the takedown reveal about IoT attack rivalry?
It highlights the intense competition among botnet operators for control of vulnerable IoT devices.
Which devices are most vulnerable to Kimwolf?
IoT devices with weak default credentials and unpatched firmware are the primary targets.
What can IoT users do to protect against botnets like Kimwolf?
Users should change default passwords, update firmware regularly, and disable unnecessary services.