Who Is Dort? The Identity Behind the Kimwolf Botnet

By alex2404

A cybersecurity investigation has identified the individual believed to be behind Kimwolf, currently described as the world’s largest and most disruptive botnet, as Jacob Butler, a young man from Ottawa, Canada.

The trail begins with a public doxing document from 2020 that identified the botnet’s operator — known online as “Dort” — as a teenager born in August 2003 who operated under the aliases “CPacket” and “M1ce.” That document has since been corroborated by a chain of digital evidence connecting multiple accounts, email addresses, and registered domains to a single individual in Ottawa.

A GitHub account created in 2017 under the names Dort and CPacket was registered using the email address jay.miner232@gmail.com. Cyber intelligence firm Intel 471 links that same address to accounts on criminal forums Nulled and Cracked, both created from an IP address traced to Rogers Canada. The breach tracking service Constella Intelligence found that the password associated with jay.miner232@gmail.com was reused by only one other email address: jacobbutler803@gmail.com.

That second address provides the clearest link to a real identity. Records indexed by DomainTools show it was used in 2015 to register several Minecraft-themed domains, all attributed to a Jacob Butler in Ottawa, with a local phone number. The same address registered an account on Nulled in 2016 and the Minecraft username “M1CE.” A further password pivot from that Nulled account connects to jbutl3@ocdsb.ca, a domain belonging to the Ottawa-Carleton District School Board.

Dort’s early notoriety came from Minecraft. The handle became recognized in that community for “Dortware,” software used to cheat in the game. The progression from gaming exploits to more serious criminal activity appears to have occurred gradually. By 2022, the identity DortDev was active within the chat infrastructure of LAPSUS$, the prolific cybercrime group responsible for breaches at major technology companies.

Around the same time, Dort was advertising two services on SIM Land, a Telegram channel focused on SIM-swapping and account takeover schemes: a disposable email registration tool and “Dortsolver,” software capable of bypassing CAPTCHA systems. Flashpoint, a second cyber intelligence firm, indexed posts showing Dort developed these tools alongside a collaborator using the handle “Qoft.”

In one archived exchange, Qoft referred to their exclusive business partner simply as “Jacob.” The same messages include a claim that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by mass-creating subscriptions using stolen payment card data. The GitHub account “MemeClient” — connected to jacobbutler803@gmail.com — was publicly identified in a 2017 Pastebin post as a project by CPacket, one of Dort’s earliest known usernames.

Since a January 2026 article exposed the vulnerability Dort exploited to build the Kimwolf botnet, the operator has responded with a sustained campaign against the security researcher who discovered that flaw and the journalist who reported on it. That campaign has included DDoS attacks, doxing, email flooding, and most seriously, a swatting incident in which a SWAT team was dispatched to the researcher’s home.

Data from SpyCloud suggests Jacob Butler at one point shared a computer with a parent and a sibling, with multiple household email accounts linked to the same password. None of the individuals in the Butler household responded to requests for comment.

Source: Original reporting
