A 23-year-old Ottawa man suspected of building and operating Kimwolf—a fast-spreading botnet that enslaved millions of internet-connected devices—was arrested Wednesday on criminal hacking charges in both Canada and the United States.
The arrest marks the end of a six-month campaign of distributed denial-of-service attacks, doxing, and swatting operations that targeted security journalists, including Brian Krebs of KrebsOnSecurity. The suspect, identified online as “Dort,” was publicly named by Krebs in February 2026 after launching coordinated attacks against the journalist and a security researcher. That public exposure appears to have accelerated law enforcement action across both countries.
- The Scale: Kimwolf enslaved millions of IoT devices including routers, cameras, and smart home equipment across multiple countries.
- The Target Shift: Unlike profit-driven botnets, this network was weaponized for personal vendettas against specific security journalists.
- The Vulnerability: Most compromised device owners remain unaware their hardware is participating in criminal attacks.
Kimwolf represents a particular class of threat that has grown more dangerous over the past five years: IoT botnets that weaponize consumer devices at massive scale. Unlike traditional malware that targets computers or phones, Kimwolf infected routers, cameras, smart home devices, and other connected hardware—devices most people never think to monitor or patch. Research on IoT botnet lifecycles shows these networks can accumulate millions of enslaved devices that can be remotely activated to flood targets with traffic, rendering websites and services unreachable.
The arrest underscores a critical vulnerability in how the internet is built. Most IoT devices ship with weak default credentials, infrequent security updates, and minimal monitoring. Once a device is compromised, the owner typically has no way to know it’s been weaponized. The device continues to function normally while silently participating in attacks on targets chosen by the botmaster. Homeowners and small businesses running these devices become unwitting participants in crimes they have no awareness of.
Why Did This Botnet Target Individual Journalists?
What distinguishes this case from routine botnet takedowns is the targeted harassment campaign. Rather than simply monetizing the botnet through rental or ransom, the suspect allegedly used it to conduct personal vendettas against specific journalists and researchers. This represents a shift in how botnets are weaponized—not merely as infrastructure for hire, but as tools for intimidation and silencing of security professionals who expose vulnerabilities.
The pattern echoes a darker chapter in digital manipulation: the weaponization of distributed networks to target individuals based on their behavior and public statements. During the Cambridge Analytica era, data brokers harvested psychographic profiles of millions to micro-target political messaging. Here, a botmaster weaponized millions of IoT devices to micro-target individual journalists—different tools, same underlying principle of using scale and automation to suppress specific voices. In both cases, the infrastructure is built on the backs of ordinary people whose devices or data are conscripted without consent.
- IoT botnets now account for over 60% of all distributed denial-of-service attacks
- Average botnet size has increased 340% since 2020
- Most device owners never discover their hardware has been compromised
Canadian authorities have not yet disclosed technical details about how Kimwolf spread or what specific vulnerabilities it exploited. The U.S. charges remain under seal, limiting public understanding of the full scope of the investigation. What is clear is that the suspect operated across borders, requiring coordination between Canadian law enforcement and U.S. authorities—a sign that both countries treated the case as a priority.
Are IoT Manufacturers Accountable for Insecure Devices?
The arrest raises immediate questions about accountability for IoT manufacturers. Devices that can be remotely enslaved into botnets represent a systemic failure of security by design. Millions of routers, cameras, and smart devices remain in homes and offices with default passwords, no automatic updates, and no monitoring for unusual traffic patterns. Until manufacturers are held liable for shipping insecure devices, or until consumers demand better security at purchase, botnets like Kimwolf will continue to find abundant targets.
For users with IoT devices at home, the arrest offers a sobering reminder: your router, your smart TV, your security camera could be part of a botnet right now and you would have no way to know. This reality reflects broader surveillance vulnerabilities where personal devices become tools for activities their owners never consented to. Changing default passwords on all connected devices, enabling automatic updates where available, and periodically checking for unusual network activity remain the only practical defenses available to most consumers.
What Does This Mean for Security Researchers?
The case also highlights the personal risk faced by security researchers who publicly identify threats. Krebs and his colleagues operate in a space where exposing attackers can invite retaliation. The arrest of Dort suggests that law enforcement is taking these targeted campaigns seriously, but the six-month timeline between public naming and arrest underscores how long it can take to move from identification to prosecution.
- Targeted harassment of security journalists has increased 180% since 2022
- Most attacks use compromised infrastructure to mask the true source
- Law enforcement response times average 4-8 months for cross-border cases
The weaponization of consumer devices for personal vendettas represents a troubling evolution in how digital infrastructure can be turned against individuals. Academic research on DDoS defense mechanisms shows that traditional protections often fail against large-scale IoT botnets because the attack traffic appears to come from legitimate consumer devices rather than obvious malicious sources.
As the U.S. charges are unsealed in coming weeks, more details about Kimwolf’s scope and the suspect’s methods will likely emerge. The case will become a test of how aggressively both countries prosecute botnet operators who cross the line from financial crime into targeted harassment. The intersection of weaponized digital infrastructure and personal intimidation suggests that future prosecutions may need to address not just the technical crimes, but the broader pattern of using distributed networks to silence critics and researchers.
