Krebs on Security reports that Jacob Butler, the 18-year-old Ottawa resident allegedly known online as 'Dort,' has been arrested and charged in both the US and Canada with running the Kimwolf IoT botnet. KrebsOnSecurity unmasked Butler as the operator on February 28 by tying together his email addresses, forum registrations, and public Telegram and Discord posts. Dort later threatened and swatted researchers including Synthient's Ben Brundage. Ontario Provincial Police executed a search warrant in Ottawa on March 19 and seized devices. Kimwolf competed with Aisuru, JackSkid, and Mossad for the same vulnerable-IoT population. Butler faces up to 10 years if extradited and convicted in the US.
Update on the Instructure breach we covered May 4: ShinyHunters has shifted from extorting Instructure itself to extorting individual schools and universities with their own Canvas data. BleepingComputer and Krebs on Security report that 8,800+ institutions have received direct ransom demands referencing real student records, teacher accounts, and gradebook data from their own Canvas tenants. The campaign mirrors the 2025 PowerSchool aftermath. Some schools are receiving demands sized to the institution. Krebs notes affected schools are scrambling to comply with state student-privacy laws while negotiating with attackers.
Brian Krebs published an investigation showing that Huge Networks, a Brazilian DDoS protection firm, has been running the Mirai-based botnet behind a years-long DDoS campaign against other Brazilian ISPs. An exposed open directory revealed Portuguese-language Python attack scripts that relied on the personal SSH keys of Huge Networks CEO Erick Nascimento. The botnet ran on compromised TP-Link Archer AX21 routers and unmanaged DNS servers, attacking Brazilian IP prefixes for 10-60 seconds at a time. Nascimento says a January 2026 intrusion compromised his SSH keys; he denies running the attacks. ISPs say the attacks have been ongoing since December 2024.