In early January 2026, KrebsOnSecurity revealed how a safety researcher disclosed a vulnerability that was used to construct Kimwolf<\/strong>, the world\u2019s largest and most disruptive botnet. Since then, the individual in charge of Kimwolf \u2014 who goes by the deal with \u201cDort<\/strong>\u201d \u2014 has coordinated a barrage of distributed denial-of-service (DDoS), doxing and electronic mail flooding assaults in opposition to the researcher and this writer, and extra not too long ago brought about a SWAT group to be despatched to the researcher\u2019s house. This put up examines what’s knowable about Dort based mostly on public info.<\/p>\n

A public \u201cdox\u201d created in 2020 asserted Dort was a youngster from Canada (DOB August 2003) who used the aliases \u201cCPacket<\/strong>\u201d and \u201cM1ce<\/strong>.\u201d A search on the username CPacket on the open supply intelligence platform OSINT Industries<\/strong> finds a GitHub<\/strong> account underneath the names Dort and CPacket that was created in 2017 utilizing the e-mail tackle jay.miner232@gmail.com<\/strong>.<\/p>\n

$\"\"$ <\/p>\n
Picture: osint.industries.<\/p>\n<\/div>\n
The cyber intelligence agency Intel 471<\/strong> says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at a number of cybercrime boards, together with Nulled<\/strong> (username \u201cUubuntuu\u201d) and Cracked <\/strong>(consumer \u201cDorted\u201d); Intel 471 experiences that each of those accounts have been created from the identical Web tackle at Rogers Canada (99.241.112.24).<\/p>\n
Dort was a particularly energetic participant within the Microsoft recreation Minecraft<\/strong> who gained notoriety for his or her \u201cDortware<\/strong>\u201d software program that helped gamers cheat. However someplace alongside the best way, Dort graduated from hacking Minecraft video games to enabling way more severe crimes.<\/p>\n
Dort additionally used the nickname DortDev<\/strong>, an identification that was energetic in March 2022 on the chat server for the prolific cybercrime group referred to as LAPSUS$<\/a>. Dort peddled a service for registering short-term electronic mail addresses, in addition to \u201c Dortsolver<\/a>,\u201d code that might bypass numerous CAPTCHA companies designed to stop automated account abuse. Each of those choices have been marketed in 2022 on SIM Land<\/strong>, a Telegram channel devoted to SIM-swapping<\/a> and account takeover exercise.<\/p>\n
The cyber intelligence agency Flashpoint <\/strong>listed 2022 posts on SIM Land by Dort that present this individual developed the disposable electronic mail and CAPTCHA bypass companies with the assistance of one other hacker who glided by the deal with \u201cQoft<\/strong>.\u201d<\/p>\n
\u201cI legit simply work with Jacob,\u201d Qoft stated in 2022 in reply to a different consumer, referring to their unique enterprise accomplice Dort. In the identical dialog, Qoft bragged that the 2 had stolen greater than $250,000 value of Microsoft Xbox Sport Cross accounts<\/a> by creating a program that mass-created Sport Cross identities utilizing stolen fee card knowledge.<\/p>\n
Who’s the Jacob that Qoft known as their enterprise accomplice? The breach monitoring service Constella Intelligence<\/strong> finds the password utilized by jay.miner232@gmail.com was reused by only one different electronic mail tackle: jacobbutler803@gmail.com<\/strong>. Recall that the 2020 dox of Dort stated their date of delivery was August 2003 (8\/03).<\/p>\n
Looking this electronic mail tackle at DomainTools.com<\/strong> reveals it was utilized in 2015 to register a number of Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa telephone quantity 613-909-9727.<\/p>\n
Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker discussion board Nulled in 2016, in addition to the account title \u201cM1CE\u201d on Minecraft. Pivoting off the password utilized by their Nulled account reveals it was shared by the e-mail addresses j.a.y.m.iner232@gmail.com<\/strong> and jbutl3@ocdsb.ca<\/strong>, the latter being an tackle at a website for the Ottawa-Carelton District College Board<\/strong>.<\/p>\n
Knowledge listed by the breach monitoring service Spycloud<\/strong> means that at one level Jacob Butler shared a pc together with his mom and a sibling, which could clarify why their electronic mail accounts have been linked to the password \u201cjacobsplugs.\u201d Neither Jacob nor any of the opposite Butler family members responded to requests for remark.<\/p>\n
The open supply intelligence service Epieos<\/strong> finds jacobbutler803@gmail.com created the GitHub account \u201cMemeClient<\/strong>.\u201d In the meantime, Flashpoint listed a deleted nameless Pastebin.com put up from 2017 declaring that MemeClient was the creation of a consumer named CPacket \u2014 one in every of Dort\u2019s early monikers.<\/p>\n
Why is Dort so mad? On January 2, KrebsOnSecurity revealed The Kimwolf Botnet is Stalking Your Native Community<\/a>, which explored analysis into the botnet by Benjamin Brundage<\/strong>, founding father of the proxy monitoring service Synthient<\/strong>. Brundage found out that the Kimwolf botmasters have been exploiting a little-known weak spot in residential proxy companies to contaminate poorly-defended units \u2014 like TV bins and digital picture frames \u2014 plugged into the inner, non-public networks of proxy endpoints.<\/p>\n
By the point that story went dwell, many of the weak proxy suppliers had been notified by Brundage and had fastened the weaknesses of their methods. That vulnerability remediation course of massively slowed Kimwolf\u2019s capacity to unfold, and inside hours of the story\u2019s publication Dort created a Discord server in my title that started publishing private details about and violent threats in opposition to Brundage, Yours Actually, and others.<\/p>\n
$\"\"$ <\/p>\n
Dort and mates incriminating themselves by planning swatting assaults in a public Discord server.<\/p>\n<\/div>\n
Final week, Dort and mates used that very same Discord server (then named \u201cKrebs\u2019s Koinbase Kallers\u201d) to threaten a swatting assault in opposition to Brundage, once more posting his house tackle and private info. Brundage advised KrebsOnSecurity that native cops subsequently visited his house in response to a swatting hoax which occurred across the identical time that one other member of the server posted a door emoji and taunted Brundage additional.<\/p>\n
$\"\"$ <\/p>\n
Dort, utilizing the alias \u201cMeow,\u201d taunts Synthient founder Ben Brundage with an image of a door.<\/p>\n<\/div>\n
Somebody on the server then linked to a cringeworthy (and NSFW) new Soundcloud diss monitor<\/a> recorded by the consumer DortDev that included a stickied message from Dort saying, \u201cUr lifeless nigga. u higher watch ur fucking again. sleep with one eye open. bitch.\u201d<\/p>\n
\u201cIt\u2019s a fairly hefty penny for a brand new entrance door,\u201d the diss monitor intoned. \u201cIf his head doesn\u2019t get blown off by SWAT officers. What\u2019s it like not having a entrance door?\u201d<\/p>\n
Optimistically, Dort will quickly be capable to inform us all precisely what it\u2019s like.<\/p>\n
Replace, 10:29 a.m.:<\/strong> Jacob Butler responded to requests for remark, talking with KrebsOnSecurity briefly by way of phone. Butler stated he didn\u2019t discover earlier requests for remark as a result of he hasn\u2019t actually been on-line since 2021, after his house was swatted a number of instances. He acknowledged making and distributing a Minecraft cheat way back, however stated he hasn\u2019t performed the sport in years and was not concerned in Dortsolver or some other exercise attributed to the Dort nickname after 2021.<\/p>\n
\u201cIt was a very outdated cheat and I don\u2019t bear in mind the title of it,\u201d Butler stated of his Minecraft modification. \u201cI\u2019m very harassed, man. I don\u2019t know if individuals are going to swat me once more or what. After that, I just about walked away from the whole lot, logged off and stated fuck that. I don\u2019t go surfing anymore. I don\u2019t know why folks would nonetheless be going after me, to be utterly trustworthy.\u201d<\/p>\n
When requested what he does for a dwelling, Butler stated he largely stays house and helps his mother round the home as a result of he struggles with autism and social interplay. He maintains that somebody should have compromised a number of of his outdated accounts and is impersonating him on-line as Dort.<\/p>\n
\u201cSomebody is definitely in all probability impersonating me, and now I\u2019m actually anxious,\u201d Butler stated. \u201cThat is making me relive the whole lot.\u201d<\/p>\n
However there are points with Butler\u2019s timeline. For instance, Jacob\u2019s voice in our telephone dialog was remarkably much like the Jacob\/Dort whose voice will be heard in this Sept. 2022 Conflict of Code competitors<\/a> between Dort and one other coder (Dort misplaced). At round 6 minutes and 10 seconds into the recording, Dort launches right into a cursing tirade that mirrors the stream of profanity within the diss rap that Dortdev posted threatening Brundage. Dort will be heard once more at round 16 minutes; at round 26:00, Dort threatens to swat his opponent.<\/p>\n
Butler stated the voice of Dort just isn’t his, precisely, however slightly that of an impersonator who had possible cloned his voice.<\/p>\n
\u201cI want to make clear that was completely not me,\u201d Butler stated. \u201cThere have to be somebody utilizing a voice changer. Or one thing of the kinds. As a result of folks have been cloning my voice earlier than and sending audio clips of \u2018me\u2019 saying outrageous stuff.\u201d<\/p>\n<\/p><\/div>\n\n","protected":false},"excerpt":{"rendered":"
In early January 2026, KrebsOnSecurity revealed how a safety researcher disclosed a vulnerability that was used to construct Kimwolf, the world\u2019s largest and most disruptive botnet. Since then, the individual in charge of Kimwolf \u2014 who goes by the deal with \u201cDort\u201d \u2014 has coordinated a barrage of distributed denial-of-service (DDoS), doxing and electronic mail […]<\/p>\n","protected":false},"author":2,"featured_media":12280,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[8035,8036,7225,262,211],"class_list":["post-12278","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-botmaster","tag-dort","tag-kimwolf","tag-krebs","tag-security"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12278","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12278"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12278\/revisions"}],"predecessor-version":[{"id":12279,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/12278\/revisions\/12279"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/12280"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12278"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12278"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12278"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}