Digital Vendetta: The Unmasking of “Dort,” the Kimwolf Botmaster Behind a Global Swatting Campaign
In early January, a veritable tempest engulfed the sprawling Kimwolf botnet. Following the publication of an exposé detailing how a vulnerability within residential proxy services facilitated the construction of a colossal network of compromised devices, an individual operating under the pseudonym “Dort” launched a relentless offensive. The author of the report and the security specialist who unmasked the subterranean architecture were subjected to a barrage of DDoS attacks, email inundations, the public dissemination of their personal data, and ultimately, the deployment of a heavily armed tactical police unit to the researcher’s residence under false pretenses.
A public dossier, disseminated as early as 2020, alleged that the moniker “Dort” was a digital veil for a Canadian adolescent named Jacob Butler, born in August 2003. The digital ether also whispered of other aliases, notably “CPacket” and “M1ce.” According to the intelligence platform OSINT Industries, a GitHub repository bearing the names Dort and CPacket was established in 2017 utilizing the email address jay.miner232@gmail.com.
The cybersecurity firm Intel 471 disclosed that this precise email address was employed between 2015 and 2019 to secure registrations on the illicit cybercrime forums Nulled and Cracked. Both accounts were instantiated from a single Canadian IP address allocated to the internet service provider Rogers.
Dort’s nascent digital footprint was etched within the realm of Minecraft, where a cheating utility was propagated under the pseudonym “Dortware.” Eventually, these endeavors transcended the boundaries of the virtual playground. In 2022, the handle “DortDev” materialized on a Discord server intertwined with the notorious LAPSUS$ syndicate. There, the user peddled a service for fabricating ephemeral email addresses alongside “Dortsolver,” an instrument engineered to circumvent CAPTCHA verification systems. These illicit wares were brazenly advertised within “SIM Land,” a Telegram channel dedicated to the clandestine arts of SIM swapping and account hijacking.
According to Flashpoint, these services were cultivated in concert with a fellow hacker known as “Qoft.” In intercepted correspondences, Qoft boasted that he and “Jacob” had pilfered an excess of $250,000 by procuring Xbox Game Pass subscriptions with misappropriated credit card credentials.
The analytics service Constella Intelligence unearthed that the password securing jay.miner232@gmail.com perfectly mirrored the passphrase for jacobbutler803@gmail.com. This latter address was instrumental in registering Minecraft-related domains in 2015, explicitly citing the name Jacob Butler, the city of Ottawa, and a localized telephone number. Subsequently, this email was inextricably linked to the Nulled forum and the Minecraft alias M1CE. Yet another email address, sharing this identical password, was tethered to the domain of the Ottawa school board.
SpyCloud’s telemetry suggested that the terminal hosting a portion of these accounts might have been utilized by multiple members of the Butler household. For a protracted period, the family maintained a stoic silence in response to journalistic inquiries seeking comment.
The genesis of this contemporary imbroglio stems from the publication concerning the Kimwolf botnet. Benjamin Brundage, a specialist and the visionary behind the proxy-tracking service Synthient, deduced that the network’s architects had exploited a critical vulnerability within the infrastructure of residential proxies. Through this clandestine conduit, they infected devices sequestered within private networks, encompassing everything from television set-top boxes to digital photo frames. Upon being alerted, the service providers abruptly sealed the breach, thereby precipitating a drastic deceleration in the botnet’s proliferation.
Mere hours following the article’s dissemination, Dort forged a Discord server masquerading as the investigative author, callously broadcasting Brundage’s intimate personal data alongside menacing threats. Subsequently, denizens of this server threatened to orchestrate a “swatting” raid upon Brundage’s domicile. Tragically, law enforcement did descend upon the residence, responding to a fabricated report of an armed transgression. Concurrently, the chat logs overflowed with derision and veiled allusions to the unfolding real-world drama.
Within this very digital enclave, an aggressively hostile audio recording was uploaded, replete with threats. The broadcast harbored dark intimations of a potential swatting and even death by police crossfire. Chillingly, in an older audio fragment from a 2022 programming competition dubbed “Clash of Code,” a participant adopting the moniker “Dort” similarly threatened an adversary with a malicious police dispatch.
In the wake of the exposé’s publication, Jacob Butler initiated a telephonic dialogue with the journalist. Butler vehemently proclaimed that he had long since forsaken the digital underworld, had ceased his Minecraft engagements, and possessed absolutely no affiliation with Dortsolver or any illicit machinations postdating 2021. The young man confided that he, too, had previously fallen victim to the terror of swatting and now lived in dread of its recurrence. Butler attributed the damning correlations to the hypothetical compromise of his antiquated accounts or the sinister manipulation of his voice via vocal alteration software. Nevertheless, the chronology of events invites profound skepticism. The vocal cadences captured in the 2022 competition recordings bear a striking, uncanny resemblance to the voice on the telephone. Butler, however, remains resolute in his assertion that the recordings could have been maliciously spliced or synthetically fabricated.