The U.S. Department of Justice has announced the arrest in Canada of Jacob Butler, a 23-year-old man known in cybercrime circles by the alias Dort, whom it accuses of operating the Kimwolf botnet. Washington has already requested his extradition and charges him with one count of conspiracy to commit computer intrusion, punishable by up to 10 years in prison.
The case centers on an infrastructure that grew to nearly two million devices and which, according to prosecutors, spread through residential proxy networks. The contrast at the heart of the case is that a single criminal count rests on a distributed network of that size, one the U.S. government itself places behind denial-of-service operations far larger than any conventional attack.
Kimwolf reached almost two million devices
U.S. authorities count Kimwolf among the internet-of-things botnets used for distributed denial-of-service attacks. In March, the Department of Justice announced the dismantling of several such botnets and identified Kimwolf as the successor to Aisuru, with a specific focus on Android devices.
Both networks were also linked to a distributed denial-of-service attack that peaked at 31.4 Tbps (terabits per second). That figure puts Kimwolf and Aisuru on a scale of impact far beyond campaigns limited to a few thousand compromised devices.
The investigation maintains that the botnet expanded through residential proxy networks, services that route traffic through ordinary home internet connections. For the operator, this grew the capacity of an infrastructure that, again according to prosecutors, approached two million devices; for defenders, the practical consequence is that attack traffic appears to originate from legitimate consumer ISP address space, which blunts filtering based on IP reputation alone.
U.S. supported the accusation with IPs, accounts, and messages
Butler's connection to the infrastructure, according to the Department of Justice, was established through IP addresses, online account information, transaction records, and messaging application logs obtained through legal process. Butler was arrested in Canada and now faces the formal extradition request submitted by the U.S.
The charge is one count of conspiracy to commit computer intrusion, which carries a maximum sentence of 10 years in prison. For now, Butler remains in Canada while the extradition request works through the handover process between the two countries.
Alongside the arrest, the Central District of California made public seizure orders targeting online services that supported 45 denial-of-service-for-hire platforms. According to the Department of Justice, the seizures largely disrupted those platforms:
"In addition to Butler's arrest, the Central District of California made public seizure orders targeting online services that support 45 platforms for denial-of-service attacks for hire. These seizures largely disrupted the operations of the denial-of-service platforms, including at least one that collaborated with Butler's Kimwolf botnet" - U.S. Department of Justice.
The investigation itself identifies at least one of those platforms as collaborating with Kimwolf, which extends the case beyond the network's alleged operator to the for-hire services used to launch distributed attacks.
In sum, the attack attributed to the Aisuru and Kimwolf networks peaked at 31.4 Tbps, and the seizure orders issued by the Central District of California targeted 45 denial-of-service-for-hire platforms.