Unmasking "Dort": The Enigma Behind the Kimwolf Botnet and a Trail of Digital Mayhem

In January 2026, a security researcher's disclosure of a critical vulnerability revealed the infrastructure behind Kimwolf, the world's largest and most disruptive botnet. This act of transparency triggered a relentless campaign of retaliation from the botnet's controller, an individual using the alias "Dort." The retaliation has included coordinated distributed denial-of-service (DDoS) attacks, doxing, email flooding campaigns targeting the researcher and journalists, and, most alarmingly, a SWATting incident that sent an armed police response team to the researcher's home. This escalation from digital harassment to real-world endangerment underscores the severe threat posed by modern cybercriminals and prompts a critical investigation into the identity behind the "Dort" persona, pieced together from publicly available information.

Public records and open-source intelligence (OSINT) paint a preliminary picture of Dort. A 2020 doxing post alleged Dort was a Canadian teenager, born in August 2003, who also operated under the aliases "CPacket" and "M1ce." Tracing the username "CPacket" leads to a GitHub account created in 2017 under the names Dort and CPacket, registered with the email address jay.miner232@gmail.com. Cyber intelligence firm Intel 471 corroborates this trail, reporting that this same email was used between 2015 and 2019 to create accounts on prominent cybercrime forums like Nulled (username "Uubuntuu") and Cracked (user "Dorted"). Notably, Intel 471 states both forum accounts were registered from the same Rogers Canada IP address (99.241.112.24), strongly suggesting a single operator behind these identities.

Dort's origins appear rooted in the gaming community, specifically within the ecosystem of Microsoft's Minecraft. There, Dort gained notoriety for developing and distributing "Dortware," a suite of cheating software. This period represents a formative phase, where technical skills in software modification and community disruption were honed. However, Dort's activities evolved significantly, transitioning from game hacking to facilitating serious cybercrime. By March 2022, an alias "DortDev" was active in the chat server of the infamous LAPSUS$ cybercrime group. In these circles, Dort marketed services crucial for anonymizing malicious operations: a platform for registering temporary, disposable email addresses and "Dortsolver," a tool designed to bypass CAPTCHA security measures that protect websites from automated bot registration and abuse.

The services advertised by Dort—temporary email and CAPTCHA bypass—are fundamental enablers for large-scale cybercrime, including the operation of botnets like Kimwolf. These tools allow threat actors to create countless fake accounts, automate attacks, and obscure their identities. The progression from a Minecraft cheat developer to a supplier for a group like LAPSUS$ illustrates a common pathway in the cybercriminal underworld, where technical prowess is gradually redirected toward increasingly lucrative and harmful ventures. The SWATting attack represents a dangerous new threshold, demonstrating a willingness to weaponize emergency services and create potentially lethal situations to silence critics.

The case of Dort and the Kimwolf botnet is a stark reminder of the interconnected nature of modern cyber threats. It highlights how seemingly low-level activities in gaming communities can serve as a training ground for more sophisticated criminals, and how the tools they create fuel global cybercrime epidemics. The retaliation against researchers also poses a profound challenge to cybersecurity accountability, attempting to intimidate those who work to expose vulnerabilities and malicious infrastructure. As law enforcement and intelligence agencies likely pursue this investigation, the public footprint left by Dort serves as a crucial, albeit complex, map for understanding the human element behind one of the digital era's most powerful disruptive tools.
