Key Takeaway
The Kimwolf botnet exploited a weakness in residential proxy services to reach and infect poorly secured devices on private internal networks, and was used for widespread DDoS and harassment attacks. Its operator, known as Dort and believed to be Jacob Butler of Canada, used multiple aliases and sold cybercrime tools that enabled automated account takeovers, and later launched retaliatory attacks against the researchers who exposed the botnet. Patching the affected proxy systems and enforcing strict network controls are critical to mitigating this threat.
In early January 2026, security researcher Benjamin Brundage disclosed a critical vulnerability exploited by the Kimwolf botnet, the world's largest and most disruptive botnet at the time. The flaw involved a little-known weakness in residential proxy services that allowed attackers to compromise poorly secured devices connected to private internal networks, such as smart TV boxes and digital photo frames. This vulnerability enabled the botnet to propagate extensively, resulting in widespread distributed denial-of-service (DDoS), doxing, and email flooding attacks.
The individual behind Kimwolf, known by the handle "Dort," has since orchestrated a series of retaliatory attacks against researchers and journalists investigating the botnet, including swatting incidents targeting Benjamin Brundage and Brian Krebs, the founder of KrebsOnSecurity. Publicly available open source intelligence (OSINT) data has been instrumental in profiling Dort and linking several aliases, email accounts, and activities to this actor.
Dort is believed to be Jacob Butler, a Canadian born in August 2003, based on a dox released in 2020 and multiple data points from cyber intelligence firms. Dort has operated under various pseudonyms including "CPacket," "M1ce," and "Dorted," with strong ties to the Canadian internet provider Rogers. Accounts linked to Dort were created on prominent cybercrime forums such as Nulled and Cracked between 2015 and 2019 using the email jay.miner232@gmail.com, which was also connected to gaming cheat software distributed for Minecraft under the name "Dortware."
Dort's criminal activities expanded beyond gaming cheats to include the development and sale of cybercrime tools. In 2022, DortDev — another alias — was active on the chat server of the LAPSUS$ cybercrime group, offering services like temporary email address registration and CAPTCHA bypass software (Dortsolver). These tools facilitated automated account takeovers and were marketed on SIM Land, a Telegram channel known for SIM swapping and account takeover schemes.
Collaboration with another hacker named Qoft led to the creation of programs that fraudulently generated Microsoft Xbox Game Pass accounts using stolen payment card information. Intelligence from Constella and DomainTools linked Dort's real identity to Jacob Butler in Ottawa, Canada, corroborated by domain registrations, email addresses, and passwords reused across multiple platforms including the Ottawa-Carleton District School Board email domain.
Following the public disclosure of the Kimwolf vulnerability by Brundage and KrebsOnSecurity, proxy providers patched the exploited weaknesses, significantly hindering Kimwolf's propagation capabilities. In response, Dort launched harassment campaigns involving doxing, threats, and swatting against the researchers, utilizing Discord servers to disseminate personal information and coordinate attacks.
The Kimwolf botnet case underscores the persistent risk posed by vulnerabilities in proxy services and the lengths threat actors will go to protect their operations. Security teams should ensure that proxy endpoints are hardened against unauthorized access and closely monitor networks for signs of exploitation.
Mitigation and Recommendations
- Proxy service providers must apply patches that close the identified weaknesses so that proxy sessions can no longer reach devices on customers' internal networks.
- Organizations using residential or third-party proxies should audit which devices on their networks are reachable through the proxy and restrict that access to trusted, managed hardware only.
- Implement network segmentation to isolate vulnerable IoT devices from critical infrastructure.
- Employ comprehensive monitoring for unusual outbound traffic indicative of botnet activity.
- Security analysts should track threat actor infrastructure and aliases associated with Dort and Kimwolf for proactive threat intelligence.
By rapidly addressing the proxy weaknesses and sharing intelligence on the actor behind Kimwolf, defenders can disrupt botnet expansion and reduce the impact of associated cybercrime campaigns.
Original Source
Krebs on Security