
Kimwolf Android botnet expands proxy-relay operations to over 2 million devices

Malware Activity
Happening score: 36
2 unique sources, 4 articles

Summary


The Kimwolf Android botnet continued to evolve as a proxy-relay and DDoS operation built on more than 2 million infected devices, with abuse of exposed ADB services and residential proxy networks. New reporting says the US Justice Department arrested Canadian man Jacob Butler in Canada for allegedly operating the botnet, charging him with aiding and abetting computer intrusion and seeking extradition. The botnet has been tied to record-breaking DDoS activity, including attacks around 31.4 Tbps, and the broader law-enforcement response has also disrupted related DDoS-for-hire infrastructure.

Related Happenings

Kimwolf operators build a cybercrime-as-a-service DDoS access market

Threat Actor Meta
First: 22.05.2026 11:50 Last: 22.05.2026 11:50 Sources 1

About this happening: The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...

Jacob Butler Kimwolf arrest and cross-border charges

Law Enforcement
First: 22.05.2026 00:50 Last: 22.05.2026 00:50 Sources 1

How related: The US Justice Department announced on Thursday that a Canadian man has been arrested for operating the recently disrupted Kimwolf DDoS botnet.

About this happening: Canadian authorities **arrested Jacob Butler (“Dort”)** in **Ottawa** over the **Kimwolf DDoS botnet** case. The move escalates a **cross-border cybercrime prosecution** that also...

Dort-linked DDoS, doxing, and swatting campaign against researchers

Campaign
First: 22.05.2026 00:50 Last: 22.05.2026 00:50 Sources 1

How related: after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher.

About this happening: The **Dort**-linked harassment campaign targeted **this author and a security researcher**, using **DDoS, doxing, and swatting** to intimidate the people investigating the operato...

Xlabs_v1 Mirai-derived ADB DDoS botnet

Malware Activity
First: 06.05.2026 23:21 Last: 06.05.2026 23:21 Sources 1

About this happening: The **xlabs_v1** Mirai-derived botnet has been exposed as a **DDoS** tool that abuses **Android Debug Bridge (ADB)** on internet-facing devices, expanding risk to **Android**, rou...

China-nexus hijacked-device proxy network campaign

Campaign
First: 23.04.2026 15:28 Last: 23.04.2026 15:28 Sources 1

About this happening: China-nexus hackers are **increasingly using** large-scale proxy networks of hijacked consumer devices to **evade detection**, making malicious traffic harder to trace and block....

Timeline

  1. 20.03.2026 08:25 2 articles · 2mo ago

    DoJ disrupts Kimwolf C2 infrastructure

    Legal Policy Action Update

    The U.S. Department of Justice announced a court-authorized law-enforcement operation that disrupted command-and-control (C2) infrastructure used by the IoT botnets AISURU, Kimwolf, JackSkid, and Mossad, with assistance from Canada, Germany, and private sector firms including Akamai, Amazon Web Services, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. The botnets were linked to distributed denial-of-service (DDoS) attacks targeting victims worldwide and to more than 2 million Android devices, while the four botnets were estimated to have infected no fewer than 3 million devices worldwide.

  2. 14.01.2026 21:03 1 article · 4mo ago

    Black Lotus Labs reports null-routing of more than 550 AISURU/Kimwolf C2 nodes

    Technical Analysis Update

    Black Lotus Labs said it null-routed traffic to more than 550 AISURU/Kimwolf C2 nodes and linked the botnet infrastructure to residential proxy abuse, exposed ADB propagation, and vulnerable proxy-service scanning. The report also described a 300% surge in new Kimwolf bots in early October 2025 and scanning of PYPROXY and other services between October 20, 2025, and November 6, 2025.

  3. 05.01.2026 18:41 2 articles · 4mo ago

    Kimwolf Android botnet expands proxy-relay operations to over 2 million devices

    Initial Disclosure

    Kimwolf first emerged as an Android botnet tied to **AISURU** and began spreading through **exposed ADB** services. Early operations focused on turning infected devices into a **residential proxy** and **DDoS** relay network.
