vulnerability • high • Botnet • Credential Theft • DDoS • Doxing • SWATting • Dortsolver

Feb 28, 2026 • BrianKrebs

Who is the Kimwolf Botmaster “Dort”?

Source: Krebs on Security
Category: vulnerability
Severity: high

Executive Summary

Security researchers have identified 'Dort,' operating the Kimwolf botnet, as a Canadian teenager using aliases 'CPacket' and 'M1ce.' Following exposure of the Kimwolf botnet vulnerability in January 2026, Dort orchestrated retaliatory attacks including DDoS, doxing, email bombing, and SWATting against researchers who exposed the botnet. Investigation links Dort to multiple cybercrime forums and services, including a temporary email service and CAPTCHA bypass tool called 'Dortsolver' advertised on SIM-swap channels. Collaborating with an associate 'Qoft,' the actors allegedly stole over $250,000 in Xbox Game Pass accounts through automated fraud. The Kimwolf botnet exploited residential proxy services to infect consumer devices at scale. Organizations should ensure residential proxy providers have patched relevant vulnerabilities and monitor for associated TTPs.

Summary

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to assemble Kimwolf, the world's largest and most disruptive botnet. Since then, the person in control of Kimwolf -- who goes by the handle "Dort" -- has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher's home. This post examines what is knowable about Dort based on public information.

Published Analysis

In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.

A public “dox” created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases “CPacket” and “M1ce.” A search on the username CPacket at the open source intelligence platform OSINT Industries finds a GitHub account under the names Dort and CPacket that was created in 2017 using the email address [email protected].

The cyber intelligence firm Intel 471 says [email protected] was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including Nulled (username “Uubuntuu”) and Cracked (user “Dorted”); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).

Dort was an extremely active player in the Microsoft game Minecraft who gained notoriety for their “Dortware” software that helped players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.

Dort also used the nickname DortDev, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as LAPSUS$. Dort peddled a service for registering temporary email addresses, as well as “Dortsolver,” code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activity.

The cyber intelligence firm Flashpoint indexed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle “Qoft.”

“I legit just work with Jacob,” Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort.

In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts by developing a program that mass-created Game Pass identities using stolen payment card data.

Who is the Jacob that Qoft referred to as their business partner? The breach tracking service Constella Intelligence finds the password used by [email protected] was reused by just one other email address: [email protected]. Recall that the 2020 dox of Dort said their date of birth was August 2003 (8/03).

Searching this email address at DomainTools.com reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.

Constella Intelligence finds [email protected] was used to register an account on the hacker forum Nulled in 2016, as well as the account name “M1CE” on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses [email protected] and [email protected], the latter being an address at a domain for the Ottawa-Carleton District School Board. Data indexed by the breach tracking service...

Linked Entities

  • Dortsolver
  • Dortware
  • Kimwolf
  • Dort
  • Jacob Butler
  • LAPSUS$