In early January 2026, KrebsOnSecurity disclosed a significant security breach involving the individual behind Kimwolf, the world’s most aggressive and expansive botnet. This development arose from a vulnerability unearthed by a security researcher. The individual who controls Kimwolf, known only by the alias “Dort,” has since engaged in a relentless campaign of cyberattacks that include distributed denial-of-service (DDoS) assaults, doxing, and email flooding targeting both the researcher and the author of the article. Most alarmingly, Dort even orchestrated a SWAT team response to the researcher’s residence. This article aims to explore the available public information on Dort to gain a clearer understanding of this enigmatic figure.
A public dox from 2020 claims that Dort is a teenager from Canada, born in August 2003, and he has utilized various online monikers, including “CPacket” and “M1ce.” Investigating the username CPacket through the open-source intelligence platform OSINT Industries reveals a GitHub account linked to both Dort and CPacket, created in 2017 with the email address jay.miner232@gmail.com. The cyber intelligence firm Intel 471 corroborates this by indicating that this email was used between 2015 and 2019 to establish accounts on various cybercrime forums, notably Nulled and Cracked. Interestingly, Intel 471 identified that both of these accounts were registered from the same IP address associated with Rogers Canada.
Initially recognized as an active player in the popular game Minecraft, Dort gained notoriety for developing “Dortware,” software designed to facilitate cheating within the game. However, over time, his pursuits escalated from gaming exploits to engaging in significantly more serious criminal activities. The pseudonym “DortDev” further identifies him; this identity was associated with a March 2022 chat on the platform for LAPSUS$, a noteworthy cybercrime group. Here, Dort marketed services for creating temporary email addresses and a program called “Dortsolver,” which bypasses various CAPTCHA systems meant to obstruct automated abuses of account creation.
Flashpoint, another cyber intelligence firm, has indexed several posts on the SIM Land Telegram channel, which demonstrates that Dort developed both the disposable email service and CAPTCHA bypass tool in collaboration with another hacker known as “Qoft.” Throughout their conversations, Qoft implied that he and Dort had successfully stolen over $250,000 worth of Microsoft Xbox Game Pass accounts through a sophisticated program designed to mass-generate Game Pass identities using stolen payment card information.
Research conducted by Constella Intelligence attempts to identify Qoft’s business partner, whom he referred to as Jacob. Further inquiries uncovered an email address, jacobbutler803@gmail.com, associated with the same password as Dort’s account. This raises potential implications regarding Dort’s real identity. Registrations of Minecraft-themed domains linked to Jacob Butler in Ottawa, Canada, and a corresponding phone number also indicate that this new lead might be pivotal in revealing Dort’s true identity.
Moreover, Jacob Butler was seen to have registered an account on the hacker forum Nulled in 2016 and even had a Minecraft account under the alias “M1CE.” Breach monitoring service Spycloud suggests Jacob Butler very likely shared a computer with family members, resulting in password collisions that might shed light on the interconnectedness of their cybersecurity practices.
Epieos, another open-source intelligence service, linked the GitHub account “MemeClient” to jacobbutler803@gmail.com, connecting it to a historical anonymous post that identified MemeClient as a brainchild of CPacket, one of Dort’s earlier aliases.
The increasing animosity from Dort can be traced back to an article published by KrebsOnSecurity on January 2, titled “The Kimwolf Botnet is Stalking Your Local Network.” This article highlighted research conducted by Benjamin Brundage, the founder of the proxy tracking service Synthient. Brundage had identified a little-known vulnerability in residential proxy services, which Kimwolf had exploited to spread malware into poorly secured devices connected to these networks.
Following the publication, most of the identified vulnerabilities were rectified by proxy service providers, significantly hampering Kimwolf’s proliferation capabilities. In a swift retaliatory action, Dort launched a Discord server under the guise of the article’s author, disseminating personal threats and sensitive information about Brundage and the KrebsOnSecurity team.
Recently, this Discord channel transformed into a platform for a further escalation of threats, as Dort and his associates discussed swatting attacks against Brundage. Under the auspices of their Discord, members disseminated personal details, including Brundage’s home address, prompting a real-world police response to his residence.
In a disturbing display, Dort further intimidated Brundage with a diss track uploaded to Soundcloud, filled with violent threats, including explicit instructions to “watch your back.”
As the law enforcement and cybersecurity communities continue to monitor this dangerous individual, the anticipation builds surrounding how Dort’s activities may evolve and what consequences he may ultimately face for his cybercrimes.