U.S. and Canadian law enforcement agencies recently arrested and charged a Canadian man suspected of operating the "KimWolf" distributed denial-of-service (DDoS) botnet, which infected nearly two million devices worldwide.

According to the public criminal indictment, 23-year-old Canadian man Jacob Butler, known online as "Dort", was arrested by local law enforcement authorities in Ottawa, Canada on Wednesday on a U.S. extradition warrant. A criminal complaint unsealed by the U.S. Attorney's Office for the District of Alaska on Thursday stated that investigators linked Butler to the operational activities of the "KimWolf" botnet through IP addresses and online account information, related transaction records, and network communication records.

Prosecutors have accused Butler of aiding and abetting computer intrusions, and he currently faces a related charge that could result in a maximum sentence of 10 years in prison. He will subsequently be extradited to the United States for trial. According to the case file, "KimWolf" operated as a paid "DDoS proxy" service and was used by cybercriminals to launch high-intensity denial-of-service attacks. Some of the attack traffic once approached 30 terabits per second, making it one of the largest DDoS attacks publicly disclosed at the time.

The investigation revealed that Butler adopted a "cybercrime-as-a-service" model, selling the large-scale network of compromised devices ("bots") he controlled to others on a per-use or subscription basis for use in launching attacks. These controlled devices range from digital photo frames and webcams to Android-based TV boxes and streaming media playback devices.

According to reports, the "KimWolf" botnet has been used to launch more than 25,000 attacks worldwide, targeting various computers and servers, including IP addresses related to the U.S. Department of Defense Information Network (DoDIN). Some victim institutions are alleged to have suffered financial losses of more than $1 million as a result.

Cybersecurity company Synthient has been tracking the expansion of "KimWolf" and released a report in January this year stating that the botnet rapidly expanded to nearly 2 million infected devices after exploiting residential proxy network vulnerabilities to attack Android devices. Researchers also claimed that "KimWolf" can generate approximately 12 million unique IP addresses every week, which are used to hide the true source of attacks and enhance attack resilience.

At the same time, the U.S. Federal Court for the Central District of California also unsealed multiple seizure orders and implemented domain name and infrastructure seizures against 45 platforms that provide DDoS proxy services, affecting a number of platforms that have cooperative relationships with "KimWolf". The U.S. Department of Justice stated that law enforcement agencies have seized domain name records related to these services and redirected access requests to official warning pages to remind the public that DDoS proxy services are illegal.

Butler's arrest is another key development following a transnational law enforcement operation in March this year. In that operation, the United States, Germany, and Canada worked together to seize and cut off the command and control infrastructure of "KimWolf" and three related botnets: "Aisuru," "JackSkid" and "Mossad." These four botnets together infected more than 3 million IoT devices.

The Department of Justice disclosed at the time that the compromised devices ("bots") in these botnets included a large number of webcams, digital video recorders, and Wi-Fi routers, and a considerable number of them were located in the United States. Law enforcement agencies emphasized that they will continue to work with international partners to target and destroy such large-scale malicious infrastructure, and at the same time hold those behind the scenes criminally accountable.