{"id":11037,"date":"2026-03-02T03:03:47","date_gmt":"2026-03-02T03:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/02\/who-is-the-kimwolf-botmaster-dort\/"},"modified":"2026-03-02T03:03:47","modified_gmt":"2026-03-02T03:03:47","slug":"who-is-the-kimwolf-botmaster-dort","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/02\/who-is-the-kimwolf-botmaster-dort\/","title":{"rendered":"Who is the Kimwolf Botmaster \u201cDort\u201d?"},"content":{"rendered":"<div>\n<p>In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build <strong>Kimwolf<\/strong>, the world\u2019s largest and most disruptive botnet. Since then, the person in control of Kimwolf \u2014 who goes by the handle \u201c<strong>Dort<\/strong>\u201d \u2014 has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher\u2019s home. 
This post examines what is knowable about Dort based on public information.<\/p>\n<p>A public \u201cdox\u201d created in 2020 asserted Dort was a teenager from Canada (DOB August 2003) who used the aliases \u201c<strong>CPacket<\/strong>\u201d and \u201c<strong>M1ce<\/strong>.\u201d A search on the username CPacket at the open source intelligence platform <strong>OSINT Industries<\/strong> finds a <strong>GitHub<\/strong> account under the names Dort and CPacket that was created in 2017 using the email address <strong>jay.miner232@gmail.com<\/strong>.<\/p>\n<div id=\"attachment_73247\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-73247\" decoding=\"async\" class=\" wp-image-73247\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/cpacket-discord.png?resize=749%2C537&#038;ssl=1\" alt=\"\" width=\"749\" height=\"537\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/cpacket-discord.png 988w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/cpacket-discord-768x551.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/cpacket-discord-782x561.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-73247\" class=\"wp-caption-text\">Image: osint.industries.<\/p>\n<\/div>\n<p>The cyber intelligence firm <strong>Intel 471<\/strong> says jay.miner232@gmail.com was used between 2015 and 2019 to create accounts at multiple cybercrime forums, including <strong>Nulled<\/strong> (username \u201cUubuntuu\u201d) and <strong>Cracked <\/strong>(user \u201cDorted\u201d); Intel 471 reports that both of these accounts were created from the same Internet address at Rogers Canada (99.241.112.24).<\/p>\n<p>Dort was an extremely active player in the Microsoft game <strong>Minecraft<\/strong> who gained notoriety for their \u201c<strong>Dortware<\/strong>\u201d software that helped 
players cheat. But somewhere along the way, Dort graduated from hacking Minecraft games to enabling far more serious crimes.<\/p>\n<p>Dort also used the nickname <strong>DortDev<\/strong>, an identity that was active in March 2022 on the chat server for the prolific cybercrime group known as <a href=\"https:\/\/krebsonsecurity.com\/tag\/lapsus\/\" target=\"_blank\" rel=\"noopener\">LAPSUS$<\/a>. Dort peddled a service for registering temporary email addresses, as well as \u201c<a href=\"https:\/\/pypi.org\/project\/dort\/\" target=\"_blank\" rel=\"noopener\">Dortsolver<\/a>,\u201d code that could bypass various CAPTCHA services designed to prevent automated account abuse. Both of these offerings were advertised in 2022 on <strong>SIM Land<\/strong>, a Telegram channel dedicated to <a href=\"https:\/\/krebsonsecurity.com\/category\/sim-swapping\/\" target=\"_blank\" rel=\"noopener\">SIM-swapping<\/a> and account takeover activity.<\/p>\n<p>The cyber intelligence firm <strong>Flashpoint <\/strong>indexed 2022 posts on SIM Land by Dort that show this person developed the disposable email and CAPTCHA bypass services with the help of another hacker who went by the handle \u201c<strong>Qoft<\/strong>.\u201d<\/p>\n<p>\u201cI legit just work with Jacob,\u201d Qoft said in 2022 in reply to another user, referring to their exclusive business partner Dort. In the same conversation, Qoft bragged that the two had stolen more than $250,000 worth of <a href=\"https:\/\/www.xbox.com\/en-US\/xbox-game-pass\" target=\"_blank\" rel=\"noopener\">Microsoft Xbox Game Pass accounts<\/a> by developing a program that mass-created Game Pass identities using stolen payment card data.<span id=\"more-73057\"><\/span><\/p>\n<p>Who is the Jacob that Qoft referred to as their business partner? The breach tracking service <strong>Constella Intelligence<\/strong> finds the password used by jay.miner232@gmail.com was reused by just one other email address: <strong>jacobbutler803@gmail.com<\/strong>. 
Recall that the 2020 dox of Dort said their date of birth was August 2003 (8\/03).<\/p>\n<p>Searching this email address at <strong>DomainTools.com<\/strong> reveals it was used in 2015 to register several Minecraft-themed domains, all assigned to a Jacob Butler in Ottawa, Canada and to the Ottawa phone number 613-909-9727.<\/p>\n<p>Constella Intelligence finds jacobbutler803@gmail.com was used to register an account on the hacker forum Nulled in 2016, as well as the account name \u201cM1CE\u201d on Minecraft. Pivoting off the password used by their Nulled account shows it was shared by the email addresses <strong>j.a.y.m.iner232@gmail.com<\/strong> and <strong>jbutl3@ocdsb.ca<\/strong>, the latter being an address at a domain for the <strong>Ottawa-Carleton District School Board<\/strong>.<\/p>\n<p>Data indexed by the breach tracking service <strong>Spycloud<\/strong> suggests that at one point Jacob Butler shared a computer with his mother and a sibling, which might explain why their email accounts were connected to the password \u201cjacobsplugs.\u201d Neither Jacob nor any of the other Butler household members responded to requests for comment.<\/p>\n<p>The open source intelligence service <strong>Epieos<\/strong> finds jacobbutler803@gmail.com created the GitHub account \u201c<strong>MemeClient<\/strong>.\u201d Meanwhile, Flashpoint indexed a deleted anonymous Pastebin.com post from 2017 declaring that MemeClient was the creation of a user named CPacket \u2014 one of Dort\u2019s early monikers.<\/p>\n<p>Why is Dort so mad? On January 2, KrebsOnSecurity published <a href=\"https:\/\/krebsonsecurity.com\/2026\/01\/the-kimwolf-botnet-is-stalking-your-local-network\/\" target=\"_blank\" rel=\"noopener\">The Kimwolf Botnet is Stalking Your Local Network<\/a>, which explored research into the botnet by <strong>Benjamin Brundage<\/strong>, founder of the proxy tracking service <strong>Synthient<\/strong>. 
Brundage figured out that the Kimwolf botmasters were exploiting a little-known weakness in residential proxy services to infect poorly-defended devices \u2014 like TV boxes and digital photo frames \u2014 plugged into the internal, private networks of proxy endpoints.<\/p>\n<p>By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf\u2019s ability to spread, and within hours of the story\u2019s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.<\/p>\n<div id=\"attachment_73249\" style=\"width: 760px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-73249\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73249\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/ben-flyswat.png?resize=750%2C652&#038;ssl=1\" alt=\"\" width=\"750\" height=\"652\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/ben-flyswat.png 872w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/ben-flyswat-768x668.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/ben-flyswat-782x680.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/p>\n<p id=\"caption-attachment-73249\" class=\"wp-caption-text\">Dort and friends incriminating themselves by planning swatting attacks in a public Discord server.<\/p>\n<\/div>\n<p>Last week, Dort and friends used that same Discord server (then named \u201cKrebs\u2019s Koinbase Kallers\u201d) to threaten a swatting attack against Brundage, again posting his home address and personal information. 
Brundage told KrebsOnSecurity that local police officers subsequently visited his home in response to a swatting hoax which occurred around the same time that another member of the server posted a door emoji and taunted Brundage further.<\/p>\n<div id=\"attachment_73245\" style=\"width: 758px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-73245\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-73245\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/ben-door.png?resize=748%2C155&#038;ssl=1\" alt=\"\" width=\"748\" height=\"155\"><\/p>\n<p id=\"caption-attachment-73245\" class=\"wp-caption-text\">Dort, using the alias \u201cMeow,\u201d taunts Synthient founder Ben Brundage with a picture of a door.<\/p>\n<\/div>\n<p>Someone on the server then linked to a cringeworthy (and NSFW) new Soundcloud <a href=\"https:\/\/soundcloud.com\/dortdev\/larpgod\" target=\"_blank\" rel=\"noopener\">diss track<\/a> recorded by the user DortDev that included a stickied message from Dort saying, \u201cUr dead nigga. u better watch ur fucking back. sleep with one eye open. bitch.\u201d<\/p>\n<p>\u201cIt\u2019s a pretty hefty penny for a new front door,\u201d the diss track intoned. \u201cIf his head doesn\u2019t get blown off by SWAT officers. What\u2019s it like not having a front door?\u201d<\/p>\n<p class=\"p1\">With any luck, Dort will soon be able to tell us all exactly what it\u2019s like.<\/p>\n<p><strong>Update, 10:29 a.m.:<\/strong> Jacob Butler responded to requests for comment, speaking with KrebsOnSecurity briefly via telephone. Butler said he didn\u2019t notice earlier requests for comment because he hasn\u2019t really been online since 2021, after his home was swatted multiple times. 
He acknowledged making and distributing a Minecraft cheat long ago, but said he hasn\u2019t played the game in years and was not involved in Dortsolver or any other activity attributed to the Dort nickname after 2021.<\/p>\n<p>\u201cIt was a really old cheat and I don\u2019t remember the name of it,\u201d Butler said of his Minecraft modification. \u201cI\u2019m very stressed, man. I don\u2019t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don\u2019t go online anymore. I don\u2019t know why people would still be going after me, to be completely honest.\u201d<\/p>\n<p>When asked what he does for a living, Butler said he mostly stays home and helps his mom around the house because he struggles with autism and social interaction. He maintains that someone must have compromised one or more of his old accounts and is impersonating him online as Dort.<\/p>\n<p>\u201cSomeone is actually probably impersonating me, and now I\u2019m really worried,\u201d Butler said. \u201cThis is making me relive everything.\u201d<\/p>\n<p>But there are issues with Butler\u2019s timeline. For example, Jacob\u2019s voice in our phone conversation was remarkably similar to the Jacob\/Dort whose voice can be heard in <a href=\"https:\/\/www.youtube.com\/watch?v=yntHEanT3u8\" target=\"_blank\" rel=\"noopener\">this Sept. 2022 Clash of Code competition<\/a> between Dort and another coder (Dort lost). At around 6 minutes and 10 seconds into the recording, Dort launches into a cursing tirade that mirrors the stream of profanity in the diss rap that Dortdev posted threatening Brundage. Dort can be heard again at around 16 minutes; at around 26:00, Dort threatens to swat his opponent.<\/p>\n<p>Butler said the voice of Dort is not his, exactly, but rather that of an impersonator who had likely cloned his voice.<\/p>\n<p>\u201cI would like to clarify that was absolutely not me,\u201d Butler said. 
\u201cThere must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of \u2018me\u2019 saying outrageous stuff.\u201d<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    BrianKrebs<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2026\/02\/who-is-the-kimwolf-botmaster-dort\/\">Go to krebsonsecurity<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Who is the Kimwolf Botmaster \u201cDort\u201d? In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world\u2019s largest and most disruptive botnet. Since then, the person in control of Kimwolf \u2014 who goes by the handle \u201cDort\u201d \u2014 has coordinated a barrage of distributed denial-of-service [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,368,709,2319,230,440,2210,2320,2321,2322,1319,899,320,2323,2324,2198,55,2325,428,190,2272,2326,2102],"tags":[72],"class_list":["post-11037","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-breadcrumbs","category-constella-intelligence","category-cpacket","category-ddos-for-hire","category-domaintools","category-dort","category-dortdev","category-dortsolver","category-epieos","category-flashpoint","category-github","category-intel-471","category-jacobbutler803gmail-com","category-jay-miner232gmail-com","category-kimwolf-botnet","category-krebsonsecurity","category-m1ce","category-minecraft","category-neer-do-well-news","category-osint-industries","category-qoft","category-spycloud","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11037"}],"collection":[{"href":"https:\
/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11037"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11037\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11037"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}