A Canadian man was arrested this week on charges of operating a large botnet taken down by law enforcement agencies earlier this year.

Jacob Butler was arrested in Ottawa on Wednesday after the U.S. Justice Department filed an extradition warrant tied to his operation of the KimWolf botnet, one of the largest and most damaging distributed denial-of-service (DDoS) platforms in the world. DDoS platforms flood targeted websites and servers with junk traffic, making them unreachable.

Butler, 23, was initially identified by cybersecurity journalist Brian Krebs in February and denied being behind the online persona known as “Dort” that ran KimWolf.

In court documents unsealed on Thursday, the Justice Department said Butler ran KimWolf as a DDoS-for-hire service that infected over a million devices worldwide. The complaint was filed on April 10 and was sealed pending his arrest.

Butler was charged with one count of aiding and abetting computer intrusion. He is facing up to 10 years in prison if convicted.

KimWolf was taken down in March as part of a larger international law enforcement operation involving officials in the U.S., Canada and Germany, as well as several cybersecurity companies. Law enforcement seized infrastructure used by KimWolf and several other botnets, including Aisuru, JackSkid and Mossad.

The KimWolf botnet was made up of devices that were typically behind firewalls, including digital photo frames and web cameras. The operators then sold access to the devices to cybercriminals, who used them for a variety of purposes, including launching DDoS attacks on businesses. In at least one instance, a DDoS attack targeted IP addresses owned by the Department of Defense.

“KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,” prosecutors said. “These attacks resulted in financial losses which, for some victims, exceeded one million dollars. The KimWolf botnet is alleged to have issued over 25,000 attack commands.”

The DOJ previously said victims of the DDoS attacks lost hundreds of thousands of dollars through remediation expenses or ransom demands from hackers who would only stop overloading websites for a price.

Court documents said Butler was linked to the administration of the KimWolf botnet through his IP address, account information, transactions, online messages and more.

The Justice Department said it also unsealed seizure warrants targeting other services that supported another 45 DDoS-for-hire platforms, including at least one that worked with KimWolf.

DDoS mitigation firms like Cloudflare warned for years about KimWolf, writing in recent months that the botnet had thousands of devices at its disposal and could launch DDoS attacks that could “cripple critical infrastructure, crash most legacy cloud-based DDoS protection solutions, and even disrupt the connectivity of entire nations.”

In a blog post, Amazon vice president Tom Scholl said the company helped the FBI and Defense Department identify the botnet's command-and-control infrastructure and reverse engineered the malware to understand its operations.

Scholl said KimWolf was a novel botnet because it targeted residential proxy networks, infiltrating home networks through compromised devices — including streaming TV boxes and other IoT devices.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.