Unmasking the Kimwolf Botnet Operator Public Records and the Investigation into Jacob Butler

The digital landscape of 2026 has been significantly reshaped by the emergence and subsequent exposure of Kimwolf, a botnet that security experts have categorized as the world’s largest and most disruptive to date. While the technical mechanics of the botnet—exploiting vulnerabilities in residential proxy services to compromise internal network devices—have been documented, the human element behind the operation remained shrouded in pseudonymity until recently. A series of investigative efforts, rooted in open-source intelligence (OSINT) and public record analysis, has pointed toward a young man in Ottawa, Canada, operating under the handle “Dort.” This individual is allegedly responsible for not only the coordination of the Kimwolf botnet but also a vicious campaign of retaliation against the researchers who exposed it.

The investigation into Dort intensified following a surge in malicious activity directed at Benjamin Brundage, the founder of the proxy tracking service Synthient, and investigative journalist Brian Krebs. This retaliation was not limited to digital harassment; it escalated into physical danger when a SWAT team was dispatched to Brundage’s residence under false pretenses—a criminal tactic known as “swatting.” This report synthesizes the available public data, digital footprints, and direct statements to provide a comprehensive look at the alleged operator of the Kimwolf infrastructure.

The Evolution of a Cybercriminal: From Minecraft Cheats to Global Botnets

The trajectory of the individual known as Dort appears to follow a pattern frequently observed in modern cybercrime: an early start in the gaming community that eventually pivots toward more predatory and profitable activities. Public records and historical “dox” documents created as early as 2020 identify Dort as a Canadian male born in August 2003. His early digital presence was centered around the Microsoft-owned game Minecraft, where he gained a following for developing “Dortware,” a software suite designed to allow players to cheat.

While Minecraft cheating may seem trivial, the development of such tools requires a foundational understanding of code manipulation and network protocols. By 2017, Dort was using the alias “CPacket” and the email address [email protected] to manage a GitHub account. Data provided by cyber intelligence firm Intel 471 reveals that this same email was utilized between 2015 and 2019 to register accounts on notorious cybercrime forums such as Nulled and Cracked. Crucially, these accounts were linked to an IP address registered to Rogers Canada, specifically located in the Ottawa region.

As Dort’s technical proficiency grew, so did the severity of his alleged crimes. By 2022, the identity “DortDev” was active within the chat servers of LAPSUS$, a high-profile cybercrime syndicate known for breaching major corporations like Nvidia, Samsung, and Microsoft. During this period, Dort began marketing more sophisticated services, including “Dortsolver,” a tool designed to bypass CAPTCHA protections, and a temporary email registration service. These tools are essential for automated account abuse and are frequently used in SIM-swapping and account takeover (ATO) operations.

The LAPSUS$ Connection and Financial Exploitation

The investigation into Dort’s activities in 2022 revealed a partnership with another hacker using the handle “Qoft.” Intelligence indexed by Flashpoint from the Telegram channel “SIM Land” shows that the two collaborated on various illicit ventures. In archived conversations, Qoft claimed that the duo had successfully stolen over $250,000 worth of Microsoft Xbox Game Pass accounts. This was reportedly achieved through a program they developed that mass-created accounts using stolen payment card data, demonstrating a shift from mere software manipulation to direct financial fraud.

The link between the pseudonym Dort and a real-world identity was further solidified through password reuse analysis. Breach tracking services, including Constella Intelligence, found that the password associated with the [email protected] address was used by only one other account: [email protected]. The "803" in the email address aligns with the August 2003 birth date identified in earlier dossiers. Furthermore, DomainTools records show that this email was used in 2015 to register several Minecraft-themed domains, all of which were registered to a Jacob Butler in Ottawa, Canada.

Technical Mechanics of the Kimwolf Botnet

The catalyst for the recent wave of attacks against researchers was the publication of an exposé on the Kimwolf botnet in early January 2026. The research, conducted by Benjamin Brundage, revealed that Kimwolf was not a standard botnet targeting servers or PCs. Instead, it was “stalking” local networks by exploiting a weakness in residential proxy services.

Residential proxies allow users to route their internet traffic through the IP addresses of home users, often to bypass geographic restrictions or for web scraping. However, Brundage discovered that Kimwolf operators could exploit these proxy connections to reach inward, infecting poorly defended IoT devices such as Android-based TV boxes, digital photo frames, and smart appliances that were plugged into the private, internal networks of the proxy endpoints.

This method allowed the botnet to remain largely invisible to traditional enterprise security perimeters, as the traffic appeared to originate from trusted internal devices. When the vulnerability was disclosed and subsequently patched by proxy providers, Kimwolf’s expansion was crippled. This loss of infrastructure appears to be the primary motivation behind the aggressive retaliation campaign launched by Dort.

The Campaign of Harassment and the Swatting Incident

Following the disruption of the Kimwolf botnet, Dort allegedly established a Discord server titled “Krebs’s Koinbase Kallers.” This platform was used to coordinate DDoS attacks, email flooding, and the dissemination of personal information (doxing) belonging to Brundage and Krebs. The rhetoric on the server was overtly violent, with Dort—using the alias “Meow”—posting threats and taunting his targets.

The situation reached a critical point in February 2026, when Dort and his associates planned and executed a swatting attack against Brundage. Swatting involves making a fraudulent emergency call to police—reporting a hostage situation or a violent crime—to provoke a high-stakes response from a SWAT team. Brundage confirmed that local law enforcement arrived at his home in response to such a hoax. Simultaneously, Dort posted a door emoji on the Discord server and released a “diss track” on SoundCloud that specifically mocked the possibility of Brundage being shot by police or losing his front door during a raid.

Official Responses and the Defense of Impersonation

When reached for comment via telephone, Jacob Butler of Ottawa confirmed his identity but denied any recent involvement in cybercrime. Butler acknowledged his past as a creator of Minecraft cheats but claimed to have “walked away from everything” in 2021 after his own home was allegedly swatted. He attributed his current difficulties to his struggle with autism and social interaction, stating that he spends most of his time assisting his mother with household tasks.

Butler’s primary defense is a claim of sophisticated impersonation. He suggested that his old accounts were compromised and that someone has been using his identity and even cloning his voice to frame him. “There must be someone using a voice changer… people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff,” Butler told investigators.

However, this defense faces significant evidentiary hurdles. Investigators pointed to a September 2022 recording of a “Clash of Code” competition in which a participant named Dort engaged in a profanity-laced tirade and threatened to swat his opponent. The vocal patterns and idiosyncratic speech in that recording bear a striking resemblance to both the SoundCloud track posted in 2026 and Butler’s own voice during the telephone interview. Furthermore, the timeline of activity—including the 2022 LAPSUS$ associations—contradicts Butler’s claim that he has been offline since 2021.

Analysis of Implications and the Future of IoT Security

The case of Dort and the Kimwolf botnet highlights several critical challenges in the current cybersecurity landscape. First, it underscores the physical danger that researchers face when exposing organized cybercrime. The use of swatting as a retaliatory tool represents a dangerous escalation where digital disputes translate into life-threatening real-world encounters.

Second, the Kimwolf botnet serves as a case study for the inherent risks of the "Internet of Things" (IoT) and the residential proxy market. As more unmanaged devices are connected to home and corporate networks, the attack surface for botmasters continues to expand. The ability to pivot from a proxy connection to an internal network device demonstrates a level of tactical sophistication that requires immediate attention from both device manufacturers and proxy service providers.

Finally, the investigation into Jacob Butler illustrates the power of OSINT in bridging the gap between digital handles and physical identities. Despite the use of aliases and claims of voice cloning, the persistence of digital footprints—email addresses, password reuse, and historical registrations—provides a roadmap for law enforcement and researchers to identify those behind global disruptive events.

As of March 2026, federal authorities have begun a broader disruption of IoT botnets responsible for large-scale DDoS attacks. While Butler maintains his innocence, the mounting evidence linking his historical digital identity to the current operations of the Kimwolf botnet suggests that the anonymity once enjoyed by the operator of the world’s largest botnet is rapidly dissolving. The legal consequences for swatting and the operation of illegal botnet infrastructures are severe, and this case is likely to serve as a landmark in the prosecution of Canadian-based cybercriminals.