Ottawa Man Arrested for Operating Kimwolf Botnet, Facing Charges in U.S. and Canada
In a significant development in the realm of cybersecurity, Canadian authorities apprehended a 23-year-old man from Ottawa on Wednesday, suspected of constructing and managing Kimwolf, a rapidly proliferating Internet-of-Things (IoT) botnet. This botnet reportedly compromised millions of devices and was implicated in a series of extensive distributed denial-of-service (DDoS) attacks over the past six months. The suspect, identified as Jacob Butler, also known by the alias Dort, faces criminal hacking charges in both Canada and the United States.
Criminal Charges and Legal Proceedings
A criminal complaint unsealed in an Alaska district court outlines the charges against Butler for operating the Kimwolf DDoS botnet. According to a statement from the Department of Justice, the complaint was made public following Butler’s arrest by the Ontario Provincial Police, acting on a U.S. extradition warrant. He is currently in Canadian custody and is scheduled for an initial court hearing early next week.
The Kimwolf botnet reportedly targeted devices that are traditionally shielded from external internet access, such as digital photo frames and web cameras. Once compromised, these devices were either rented out to other cybercriminals or forced to participate in unprecedented DDoS attacks. These attacks notably affected Internet address ranges associated with the Department of Defense (DoD), prompting an investigation by the DoD’s Defense Criminal Investigative Service with support from the FBI’s Anchorage field office.
Scale and Impact of Kimwolf
The Justice Department’s statement highlighted the severity of the DDoS attacks linked to Kimwolf, which reached nearly 30 terabits per second—an unprecedented volume in recorded DDoS attack history. The financial repercussions for some victims exceeded one million dollars, with the botnet allegedly issuing over 25,000 attack commands.
On March 19, U.S. authorities collaborated with international law enforcement to seize the technical infrastructure of Kimwolf, along with three other large DDoS botnets named Aisuru, JackSkid, and Mossad. All four botnets were competing for the same pool of vulnerable devices, amplifying the threat landscape.
Identification and Threats
On February 28, investigative efforts led to the identification of Butler as the Kimwolf botmaster. This was achieved through an analysis of his various email addresses, registrations on cybercrime forums, and posts on public Telegram and Discord servers. Despite being unmasked, Butler continued to threaten and harass researchers who played a role in revealing his identity and curtailing the spread of his botnet.
Butler has been linked to at least two swatting attacks targeting Ben Brundage, the founder of Synthient, a security startup that worked to address a critical vulnerability exploited by Kimwolf. The Justice Department acknowledged several technology companies, including Synthient, for their contributions to the investigation. Brundage expressed relief at Butler’s arrest, hoping it would bring an end to the harassment he faced.
Investigative Findings and Evidence
Investigators connected Butler to the administration of the Kimwolf botnet through various means, including IP addresses, online account details, transaction records, and messaging application data obtained through legal processes. The criminal complaint against Butler reveals that he made minimal efforts to separate his real-life identity from his cybercriminal activities.
In April, the Justice Department, in collaboration with European authorities, executed operations to seize domain names associated with nearly four dozen DDoS-for-hire services. Although a bureaucratic mix-up has kept the list of seized domains sealed, the DOJ confirmed that at least one of these services collaborated with Butler’s Kimwolf botnet.
Arrest and Future Proceedings
The Ontario Provincial Police executed a search warrant at Butler’s residence in Ottawa on March 19, seizing multiple devices. Following this investigation, Butler was charged with unauthorized use of a computer, possession of a device for unauthorized computer access, and mischief related to computer data. He is expected to remain in custody until a hearing on May 26.
In the United States, Butler faces a charge of aiding and abetting computer intrusion. If extradited and convicted, he could face up to ten years in prison. However, the actual sentence may be influenced by factors such as his age, lack of prior criminal history, and cooperation with investigators, as outlined in U.S. Sentencing Guidelines.
The arrest of Jacob Butler marks a pivotal moment in the ongoing battle against cybercrime, particularly in the realm of IoT botnets. As law enforcement agencies continue to enhance their collaborative efforts, the implications of this case extend beyond legal ramifications, highlighting the urgent need for robust cybersecurity measures in an increasingly interconnected world.
Source: krebsonsecurity.com


