In early January 2026, a significant cybersecurity incident came to light involving Kimwolf, the world’s largest and most disruptive botnet. The individual controlling this botnet, known by the alias “Dort,” has since orchestrated a series of aggressive attacks, including distributed denial-of-service (DDoS) assaults, doxing, and email flooding, against a researcher who initially disclosed a vulnerability that led to the botnet’s creation. This article covers what is publicly known about Dort, his background, and the implications of his actions.
A public doxing document from 2020 indicates that Dort is a teenager from Canada, born in August 2003, who has operated under various aliases such as “CPacket” and “M1ce.” A search on the open-source intelligence platform OSINT Industries reveals that Dort’s GitHub account, created in 2017, is linked to the email address [email protected]. This email was reportedly active between 2015 and 2019 and was associated with accounts on multiple cybercrime forums, including Nulled and Cracked. Intel 471, a cyber intelligence firm, has noted that the Nulled and Cracked accounts were both created from the same IP address registered to Rogers Canada.
Dort first garnered attention as a highly active player in the popular game Minecraft, where he developed software known as “Dortware” to assist players in cheating. Over time, his activities escalated from gaming hacks to more serious cybercrimes, including operating under the name DortDev within the chat server of the notorious cybercrime group LAPSUS$. In 2022, Dort promoted services for registering temporary email addresses and created “Dortsolver,” a tool designed to bypass CAPTCHA protections meant to defend against automated account abuse. These services were advertised on SIM Land, a Telegram channel focused on SIM-swapping and account takeover.
Evidence suggests that Dort collaborated with another hacker, known as “Qoft,” to develop these services. In 2022, Qoft mentioned in a conversation that he worked exclusively with Jacob, presumably referring to Jacob Butler, whose email was found to be reused with Dort’s. Butler, identified as a key figure in this network, has been linked to various online accounts, including one on the hacker forum Nulled, and multiple Minecraft-themed domain registrations. His personal information also connects back to the “M1CE” account on Minecraft.
As the Kimwolf botnet began making headlines, Benjamin Brundage, the founder of the proxy tracking service Synthient, uncovered that its operators exploited a little-known vulnerability in residential proxy services, allowing them to infect poorly secured devices like smart TVs and digital photo frames. Following the publication of Brundage’s findings, many vulnerable proxy service providers were alerted and patched their systems, which significantly curtailed Kimwolf’s spread.
In retaliation for the exposure, Dort created a Discord server using the name of the researcher and began disseminating personal information and threats against Brundage and others involved in the investigation. In one instance, a member of this server even threatened a swatting attack against Brundage, which resulted in local police visiting his home. This incident underscores the lengths to which Dort and his associates are willing to go to retaliate against perceived threats.
Following these events, Dort was implicated in a disturbing diss track that was shared within these online circles, which included violent language targeting Brundage. The track features derogatory comments and threats, further illustrating the aggressive nature of Dort’s online persona. As the situation escalated, Jacob Butler, who has distanced himself from Dort’s activities, expressed concern over being impersonated and the potential for swatting attacks against him, a fear that has haunted him since his home was swatted multiple times in the past.
Butler has publicly stated that he has not been active online since 2021, attributing his absence to stress and anxiety following these incidents. He is currently living with his mother and helping around the house, struggling with autism and social interaction. Despite acknowledging his earlier involvement in Minecraft cheating, he has denied any connection to the more recent activities attributed to Dort since 2021.
However, inconsistencies in Butler’s narrative raise questions about his claims. For instance, his voice bears a strong resemblance to that of Dort during a recorded coding competition, where Dort can be heard making similar threatening remarks. Butler maintains that his voice has been cloned by impersonators, complicating the narrative surrounding his involvement.
The Rise of Kimwolf
Since its inception, the Kimwolf botnet has become notorious for its sheer scale and disruptive capabilities. This botnet’s operators have leveraged vulnerabilities within various systems to create a vast network of compromised devices, which can be utilized for malicious activities, including DDoS attacks. The rapid growth of Kimwolf has raised alarms within cybersecurity communities, prompting discussions about the need for enhanced security measures and greater awareness of emerging threats.
Implications for Cybersecurity
The ongoing saga surrounding Dort and the Kimwolf botnet highlights the complex landscape of cybersecurity, where individuals can quickly escalate from minor offenses to significant criminal activities. The case emphasizes the importance of cybersecurity awareness and the need for individuals and organizations to stay vigilant against potential threats. As enforcement and legal responses evolve, it remains crucial to monitor this situation closely as it develops.
Looking ahead, the focus will likely shift toward how law enforcement and cybersecurity firms respond to the threats posed by Dort and others in similar positions. The implications of this case could influence future legislation and security practices aimed at mitigating the risks associated with botnets and cybercrime.