In early January 2026, the cybersecurity landscape was jolted by the revelation of Kimwolf, a botnet of unprecedented scale and disruptive capability. Initially identified by security researcher Benjamin Brundage, the founder of the proxy tracking service Synthient, Kimwolf was found to be exploiting a sophisticated but previously overlooked vulnerability in residential proxy services. By compromising poorly defended Internet of Things (IoT) devices—ranging from Android-based TV boxes to digital photo frames—the botnet established a foothold within the internal, private networks of unsuspecting users. This strategic positioning allowed the botmasters to bypass traditional perimeter defenses, effectively "stalking" local networks from the inside.
The subsequent investigation into the command-and-control (C2) structure of Kimwolf led to an individual operating under the pseudonym "Dort." Since the public disclosure of the botnet’s mechanics, Dort has not only maintained control over the infected network but has also launched a sustained campaign of harassment and cyber warfare against the researchers who exposed the operation. This campaign has escalated from Distributed Denial-of-Service (DDoS) attacks and email flooding to the highly dangerous practice of "swatting"—the act of deceiving emergency services into sending a tactical police response to a victim’s residence.
The Retaliation Campaign and the Danger of Swatting
The transition from digital exploitation to physical threats marked a significant escalation in Dort’s tactics. Following the publication of technical reports detailing Kimwolf’s operations, Dort established a dedicated Discord server to coordinate attacks against Benjamin Brundage and investigative journalist Brian Krebs. This server, which cycled through various inflammatory names such as "Krebs’s Koinbase Kallers," became a hub for doxing—the unauthorized release of personal identification records.
The most severe incident occurred in early 2026, when Brundage became the target of a swatting attempt. Members of Dort’s inner circle posted Brundage’s home address alongside violent rhetoric. Shortly thereafter, local law enforcement arrived at Brundage’s home in response to a fraudulent emergency call. The psychological toll of such attacks is immense; they are designed to silence researchers through the threat of state-sanctioned violence. In a taunting gesture, Dort, using the alias "Meow," posted an image of a door on the Discord server, an apparent reference to the potential for police to breach Brundage’s residence.
Furthermore, a "diss track" uploaded to SoundCloud by an account linked to "DortDev" contained explicit threats. The lyrics specifically referenced the cost of replacing a front door and questioned what it would be like for Brundage to have his "head blown off by SWAT officers." This level of vitriol highlights a growing trend in the cybercrime underground where technical proficiency is coupled with a brazen disregard for human life.
Tracing the Digital Persona: From Minecraft to LAPSUS$
The investigation into Dort’s true identity reveals a classic trajectory in modern cybercrime: the evolution from gaming-related "scripting" to high-stakes criminal enterprise. Publicly available information and "dox" reports dating back to 2020 suggest that Dort is a young man from Canada, born in August 2003. Early in his digital career, he operated under the handles "CPacket" and "M1ce."

Dort first gained notoriety within the Minecraft community. He was the developer of "Dortware," a sophisticated software suite designed to allow players to cheat in the popular sandbox game. While Minecraft cheating might seem trivial, it often serves as a training ground for developing bypasses for anti-cheat software, managing remote connections, and understanding network protocols—skills that are directly transferable to botnet development.
By 2022, the persona of "DortDev" began appearing in more malevolent circles. Records indicate his presence on the chat servers of LAPSUS$, a high-profile cybercrime syndicate known for breaching major corporations like Microsoft, Nvidia, and Okta. During this period, Dort was active on "SIM Land," a Telegram channel dedicated to SIM-swapping—a technique used to hijack mobile phone numbers to bypass multi-factor authentication (MFA) and take over high-value accounts.
On these platforms, Dort advertised specialized services including "Dortsolver," a tool designed to automate the bypassing of CAPTCHA services. This tool was essential for the mass creation of fraudulent accounts. Intelligence reports from the firm Flashpoint indicate that Dort collaborated with another hacker known as "Qoft." Together, they allegedly claimed to have generated over $250,000 by using stolen payment card data to mass-produce Microsoft Xbox Game Pass accounts.
Forensic Links and the Identification of Jacob Butler
The bridge between the "Dort" persona and a physical identity was built through the analysis of digital "crumbs" left across various platforms over a decade. Open-source intelligence (OSINT) tools and breach tracking services played a pivotal role in this process.
- Email and Password Reuse: The email address [email protected] was linked to the "CPacket" GitHub account and multiple cybercrime forums, including Nulled and Cracked. Cyber intelligence firm Intel 471 tracked these accounts to an IP address assigned to Rogers Canada in the Ottawa region.
- The Jacob Butler Connection: Breach tracking service Constella Intelligence discovered that the password used for the jay.miner232 account was identical to one used for [email protected]. The "803" in the email address aligns with the August 2003 birth date identified in earlier doxing reports.
- Domain Registration: Records from DomainTools show that the jacobbutler803 email was used in 2015 to register several Minecraft-related domains. These registrations were tied to the name "Jacob Butler" and an Ottawa-based phone number.
- Academic Links: Further pivots revealed that the same password was associated with an email address at the Ottawa-Carleton District School Board ([email protected]), suggesting the user was a student in the local school system.
These data points create a cohesive profile of an individual who grew up in the Ottawa suburbs, starting with Minecraft modifications and eventually graduating to the orchestration of global botnet activity.
Confrontation and the Defense of Impersonation
When reached for comment via telephone, Jacob Butler of Ottawa confirmed his past involvement in the Minecraft cheating scene but denied any recent connection to the "Dort" moniker or the Kimwolf botnet. Butler presented a narrative of a reformed individual who had "walked away from everything" after his own home was allegedly swatted multiple times in 2021.
Butler claimed that he struggles with autism and social interaction, spending most of his time assisting his mother with household tasks. He asserted that his old accounts had been compromised and that an unknown actor was now impersonating him to frame him for current crimes. "Someone is actually probably impersonating me, and now I’m really worried," Butler stated during the interview. "This is making me relive everything."

However, this defense faces significant evidentiary hurdles. Specifically, voice recordings from a September 2022 "Clash of Code" competition—nearly a year after Butler claimed to have retired from the internet—feature a participant named Dort whose voice and speech patterns closely match Butler’s. In that recording, the individual can be heard using extreme profanity and threatening to swat his opponent, echoing the language used in the 2026 threats against Brundage and Krebs. When confronted with this, Butler suggested that his voice had been "cloned" by malicious actors using artificial intelligence to generate fraudulent audio clips.
Broader Implications for Cybersecurity and Law Enforcement
The case of Dort and the Kimwolf botnet underscores several critical challenges in the modern digital age. First, it highlights the vulnerability of the "Internet of Things." As more unmanaged devices are connected to internal networks, they provide a backdoor for attackers to bypass enterprise-grade security. The fact that digital photo frames and TV boxes could be used to build the "world’s largest botnet" is a stark reminder of the need for stricter security standards for consumer electronics.
Second, the use of residential proxies as a cloak for criminal activity remains a significant hurdle for investigators. By routing traffic through the legitimate IP addresses of home users, botmasters can mask their origin and bypass geo-fencing or IP-based blocking.
Third, the psychological warfare of swatting represents a failure of current legal and telecommunications frameworks to protect individuals from targeted harassment. While law enforcement agencies are becoming more adept at identifying hoax calls, the risk of a tragic outcome remains high. The Canadian and U.S. legal systems have begun to treat swatting with increased severity, often resulting in felony charges, yet the anonymity of the internet continues to embolden perpetrators.
As of March 2026, federal authorities have begun a concerted effort to disrupt the IoT botnets behind these large-scale DDoS attacks. While the infrastructure of Kimwolf has been partially dismantled, the persistence of its operator suggests that the battle between security researchers and the "Dort" persona is far from over. The evidence gathered from public records and digital footprints provides a clear roadmap for law enforcement, but the ultimate resolution of the case will depend on the ability to prove, beyond a reasonable doubt, that the person behind the keyboard in Ottawa is indeed the mastermind behind the Kimwolf reign of terror.
