Last updated: July 5, 2026 at 9:01 AM UTC
Tag: krebs (3 articles)

Alleged Kimwolf IoT botmaster 'Dort' arrested in Ottawa, charged in US and Canada - swatting attacks against researchers cited

Krebs on Security reports that Jacob Butler, the 18-year-old Ottawa resident allegedly known online as 'Dort,' has been arrested and charged in both the US and Canada with running the Kimwolf IoT botnet. KrebsOnSecurity unmasked Butler as the operator on February 28 by tying together his email addresses, forum registrations, and public Telegram and Discord posts. Dort later threatened and swatted researchers including Synthient's Ben Brundage. Ontario Provincial Police executed a search warrant in Ottawa on March 19 and seized devices. Kimwolf competed with Aisuru, JackSkid, and Mossad for the same vulnerable-IoT population. Butler faces up to 10 years if extradited and convicted in the US.

Check
Search EDR and netflow telemetry for outbound connections from IoT devices to known Kimwolf, Aisuru, JackSkid, and Mossad C2 sets. Inventory unpatched IoT devices on residential and SMB networks.
Affected
IoT devices - mostly routers, NVRs, and consumer IP cameras - vulnerable to the unpatched flaws Kimwolf was using to spread. Synthient helped patch the underlying weakness earlier this year.
Fix
Update firmware on all IoT and network-edge devices and disable WAN-side admin interfaces. Block known Kimwolf C2 ranges. Monitor for the lateral spread patterns documented by Synthient.

ShinyHunters is now extorting individual schools using stolen Canvas data - thousands of K-12 districts and universities receiving direct ransom demands

Update on the Instructure breach we covered May 4: ShinyHunters has shifted from extorting Instructure itself to extorting individual schools and universities with their own Canvas data. BleepingComputer and Krebs on Security report that 8,800+ institutions have received direct ransom demands referencing real student records, teacher accounts, and gradebook data from their own Canvas tenants. The campaign mirrors the 2025 PowerSchool aftermath. Some schools are receiving demands sized to the institution. Krebs notes affected schools are scrambling to comply with state student-privacy laws while negotiating with attackers.

Check
If your school uses Canvas, check whether you've received any direct extortion communications referencing real Canvas data since May 4. Audit Canvas API access logs for bulk data exports between February and April.
Affected
8,800+ schools, universities, and corporate training organizations using Canvas. K-12 districts face acute risk under state student-privacy laws (NY 2-d, California SOPIPA, ~130 similar statutes) plus COPPA for under-13 student data. Universities face FERPA exposure. Smaller institutions without legal counsel are most likely to pay rather than report.
Fix
Do not respond directly to extortion communications - report to FBI IC3 first and consult legal counsel before any contact. Notify affected students, parents, and faculty per state notification timelines (most require 30-60 days). Issue COPPA and FERPA notifications where applicable. Rotate Canvas API keys and re-authorize integrations. Track Instructure's response separately - many schools report the vendor unresponsive on individual cases.
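One way to carry out the Canvas API audit described in this entry, as an added example that is not from the article: it scans constructed access-log lines (the log format, endpoint paths, token ids and the 1,000-rows-per-day threshold are all assumptions) and flags tokens that pulled bulk student, roster or gradebook data inside the February-April window.

```python
"""Flag bulk Canvas-style API exports in constructed access-log lines."""
from collections import defaultdict
from datetime import datetime, date

# Constructed sample log: timestamp, API token id, method, path, HTTP status, rows returned.
# The field layout and endpoint names are assumptions, not Instructure's real log format.
SAMPLE_LOG = """\
2026-02-12T03:14:07Z tok_lms_sync GET /api/v1/courses/101/students 200 100
2026-02-12T03:14:09Z tok_lms_sync GET /api/v1/courses/101/students?page=2 200 100
2026-02-12T03:14:11Z tok_lms_sync GET /api/v1/courses/102/students 200 100
2026-02-12T03:14:12Z tok_lms_sync GET /api/v1/courses/102/gradebook_history/feed 200 500
2026-02-12T03:14:14Z tok_lms_sync GET /api/v1/courses/103/gradebook_history/feed 200 500
2026-02-12T03:14:15Z tok_lms_sync GET /api/v1/accounts/1/users 200 100
2026-02-13T09:00:00Z tok_teacher_app GET /api/v1/courses/101/assignments 200 20
2026-05-20T03:14:07Z tok_lms_sync GET /api/v1/accounts/1/users 200 100
2026-03-01T22:45:00Z tok_old_integration GET /api/v1/accounts/1/users 200 100
"""

WINDOW = (date(2026, 2, 1), date(2026, 4, 30))   # audit window from the article's guidance
SENSITIVE = ("/students", "/users", "/gradebook_history", "/enrollments")  # assumed data endpoints
ROW_THRESHOLD = 1000                               # rows per token per day counted as "bulk" (assumed)


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, token, method, path, status, rows = line.split()
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, token, method, path, int(status), int(rows)


def bulk_exporters(log_text, window=WINDOW, threshold=ROW_THRESHOLD):
    """Return {(token, 'YYYY-MM-DD'): rows} for tokens exceeding threshold sensitive rows in a day."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, token, method, path, status, rows = parse_line(line)
        day = when.date()
        if not (window[0] <= day <= window[1]):
            continue                      # outside the audit window
        if method != "GET" or status != 200:
            continue                      # only successful reads move data out
        bare_path = path.split("?")[0]    # ignore pagination and filters in the query string
        if any(marker in bare_path for marker in SENSITIVE):
            totals[(token, day.isoformat())] += rows
    return {key: n for key, n in totals.items() if n > threshold}


if __name__ == "__main__":
    for (token, day), n in sorted(bulk_exporters(SAMPLE_LOG).items()):
        print(f"{day} {token}: {n} sensitive rows exported")
```

Any token flagged here is a candidate for the key rotation and integration re-authorization recommended under Fix.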

Brazilian anti-DDoS firm Huge Networks was running a Mirai botnet that knocked Brazilian ISPs offline for years - either to drum up business or because someone breached their CEO's SSH keys

Brian Krebs published an investigation showing that Huge Networks, a Brazilian DDoS protection firm, has been running the Mirai-based botnet behind a years-long DDoS campaign against other Brazilian ISPs. An exposed open directory revealed Portuguese-language Python attack scripts that relied on the personal SSH keys of Huge Networks CEO Erick Nascimento. The botnet ran on compromised TP-Link Archer AX21 routers and unmanaged DNS servers, attacking Brazilian IP prefixes for 10-60 seconds at a time. Nascimento says a January 2026 intrusion compromised his SSH keys; he denies running the attacks. ISPs say the attacks have been ongoing since December 2024.

Check
If you run a TP-Link Archer AX21 router or any consumer router for business use, factory-reset it and update to the latest firmware - they remain a primary Mirai botnet recruitment target.
Affected
TP-Link Archer AX21 routers and similar consumer-grade equipment remain widely used as Mirai botnet members. Brazilian ISPs are the targets here, but Mirai variants are used worldwide. The deeper pattern is a recurring one: DDoS protection firms turn out to be the source of the attacks they bill to mitigate (Krebs identified the original 2016 Mirai authors as co-owners of a DDoS protection provider).
Fix
For TP-Link Archer AX21 owners: factory reset, update firmware, disable WAN-side admin access. Replace if firmware is end-of-life. For organizations evaluating DDoS providers: ask for clear separation between attack telemetry and customer acquisition, request audited proof of how attack traffic is sourced, and consider providers in jurisdictions with stronger anti-fraud regulations.