In January 2026, KrebsOnSecurity detailed the disclosure of a critical vulnerability that was weaponized to construct Kimwolf, the world's largest and most disruptive botnet. The entity controlling this digital menace, operating under the alias "Dort," responded not with retreat but with a relentless campaign of retaliation. This offensive has included coordinated distributed denial-of-service (DDoS) attacks, doxing, and email flooding campaigns targeting both the security researcher who exposed the flaw and this publication. The aggression escalated dangerously with a recent "swatting" incident, where a SWAT team was maliciously dispatched to the researcher's home. This analysis pieces together the publicly available information to construct a profile of the individual behind the Kimwolf botnet.
Public records and open-source intelligence (OSINT) paint a preliminary picture of "Dort." A 2020 doxing post alleged Dort was a Canadian teenager, born in August 2003, who also used the handles "CPacket" and "M1ce." Investigating the username "CPacket" on platforms like OSINT Industries reveals a GitHub account created in 2017 under the names Dort and CPacket, registered to the email address jay.miner232@gmail.com. Cyber intelligence firm Intel 471 corroborates this trail, reporting that the same email was used between 2015 and 2019 to register accounts on prominent cybercrime forums such as Nulled (as "Uubuntuu") and Cracked (as "Dorted"). Notably, Intel 471 states both forum accounts were created from the same Rogers Canada IP address: 99.241.112.24.
Dort's origins appear rooted in the gaming community, specifically within the Microsoft game *Minecraft*, where they gained notoriety. Their claim to fame was "Dortware," a software suite designed to help players cheat. This period seems to have been a formative phase, a proving ground for technical skills that would later be directed toward more severe criminal enterprises. The transition from game hacking to facilitating large-scale cybercrime marks a significant escalation in Dort's activities.
Further evidence of this escalation is found in Dort's connections to professional cybercriminal ecosystems. Using the alias DortDev, they were active in March 2022 on the chat server of the notorious LAPSUS$ cybercrime group. On these platforms, Dort marketed services crucial for anonymizing malicious operations: a tool for registering temporary, disposable email addresses and "Dortsolver," a piece of code engineered to bypass CAPTCHA security measures. These services, advertised throughout 2022, are fundamental enablers for automated account creation, credential stuffing, and spam campaigns, positioning Dort as a supplier within the cybercrime supply chain. The journey from a *Minecraft* cheat developer to a botnet master and service provider for groups like LAPSUS$ illustrates a disturbing career path in modern cybercrime.
