Dort / DortDev abuse-enablement ecosystem behind Kimwolf
Threat Actor Meta
Summary
Hide ▲
Show ▼
Public tracing in 2026 tied Dort / DortDev to the Kimwolf operator and to underground services that enabled account abuse at scale. The linkage matters because the same identity appears across LAPSUS$-adjacent spaces, cybercrime forums, and Telegram channels focused on SIM-swapping and account takeover. Disposable-email registration and CAPTCHA bypass tooling gave the operator infrastructure for automated signups, evasion, and bulk abuse. The profile also connects that ecosystem to theft and monetization of Microsoft Xbox Game Pass accounts.
Related Happenings
REF6045 ClickFix banking fraud campaign targeting Mexican financial users
Campaign
H score36
First: 08.07.2026 15:52
Last: 08.07.2026 15:52
Sources 1
About this happening:
The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...
REF6045 ClickFix banking fraud campaign targeting Mexican financial users
CampaignAbout this happening: The **REF6045** campaign is actively targeting **customers of Mexican banks, fintechs, payment processors, and cryptocurrency exchanges**, using **ClickFix** lures to push victims...
Vidar Stealer ClickFix campaign targeting multiple sectors
Campaign
H score38
First: 08.05.2026 14:00
Last: 08.05.2026 14:00
Sources 1
About this happening:
The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Vidar Stealer ClickFix campaign targeting multiple sectors
CampaignAbout this happening: The **Vidar Stealer** campaign is using **ClickFix** social engineering and compromised **WordPress** sites to deliver password-stealing malware, widening risk for **infrastructur...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
H score37
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
CampaignAbout this happening: A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
Signal and WhatsApp anti-phishing account-hardening guidance
Defensive Guidance
H score26
First: 21.03.2026 15:17
Last: 21.03.2026 15:17
Sources 1
About this happening:
A **UK National Cyber Security Centre (NCSC)** alert on **March 31** warned that **Russia-based actors** are increasing **targeted attacks** against **high-risk individuals** usin...
Signal and WhatsApp anti-phishing account-hardening guidance
Defensive GuidanceAbout this happening: A **UK National Cyber Security Centre (NCSC)** alert on **March 31** warned that **Russia-based actors** are increasing **targeted attacks** against **high-risk individuals** usin...
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
Campaign
H score38
First: 09.03.2026 23:24
Last: 09.03.2026 23:24
Sources 1
About this happening:
An **ongoing Russian intelligence-linked** phishing **campaign** is targeting **Signal** and **WhatsApp** users and has evolved from stealing verification codes and account PINs t...
Russian state-sponsored hackers' ongoing Signal and WhatsApp phishing campaign
CampaignAbout this happening: An **ongoing Russian intelligence-linked** phishing **campaign** is targeting **Signal** and **WhatsApp** users and has evolved from stealing verification codes and account PINs t...
Latest development: 27.06.2026 01:06
FBI and CISA warn that the Russian intelligence services-linked Signal phishing campaign has evolved from stealing verification codes, account PINs, and linked-device access to eliciting victims' Backup Recovery Keys through impersonated Signal support messages. If a target provides the key, attackers can restore Signal's Secure Backups on their own devices and read historical messages, including private and group conversations, while the campaign continues to target high-intelligence-value individuals.
Timeline
-
28.02.2026 14:01 1 articles · 4mo ago
Kimwolf retaliation against researchers on January 2, 2026
Victim Impact UpdateWithin hours of the January 2, 2026 publication about the Kimwolf botnet, Dort created a Discord server in the name of KrebsOnSecurity and used it to publish personal information and violent threats against Benjamin Brundage and the author, while also driving DDoS abuse, doxing, and email flooding.
Show sources
- Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01
-
28.02.2026 14:01 2 articles · 4mo ago
Profile ties Dort to aliases and abuse-enablement tooling
Attribution UpdatePublic OSINT and breach-data pivots connect Dort to the aliases CPacket, M1ce, DortDev, and MemeClient, a 2017 GitHub account, forum accounts on Nulled and Cracked, and 2022 promotion of temporary-email registration and Dortsolver CAPTCHA-bypass tooling; the same identity also appears in March 2022 LAPSUS$ chat activity and in a theft scheme that stole more than $250,000 worth of Microsoft Xbox Game Pass accounts.
Show sources
- Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01
- Who is the Kimwolf Botmaster “Dort”? — krebsonsecurity.com — 28.02.2026 14:01