A public doxing incident from 2020 asserted that Dort was a teenager residing in Canada, born in August 2003, and also known by the handles "CPacket" and "M1ce." Further investigation using the username CPacket on the open-source intelligence platform OSINT Industries revealed a GitHub account linked to both Dort and CPacket, created in 2017 and associated with the email address [email protected]. This email address has been a crucial thread in unraveling Dort’s digital footprint.

The cyber intelligence firm Intel 471 has linked the email address [email protected] to the creation of multiple accounts on various cybercrime forums between 2015 and 2019. These include accounts on Nulled under the username "Uubuntuu" and on Cracked as user "Dorted." Notably, Intel 471 reports that both of these forum accounts were registered from the same Canadian IP address belonging to Rogers Canada (99.241.112.24), indicating a consistent geographical origin for these online activities.

Dort’s early notoriety stemmed from the Microsoft game Minecraft. The individual was an exceptionally active player, gaining a reputation for developing and distributing "Dortware," a software suite designed to assist players in cheating. This early foray into manipulating game mechanics appears to have been a stepping stone, as Dort later transitioned from exploiting gaming environments to facilitating more serious criminal enterprises.

Under the moniker "DortDev," this identity was active in March 2022 on the chat server of the notorious cybercrime group LAPSUS$. During this period, Dort offered services for the creation of temporary email addresses and the sale of "Dortsolver," a tool capable of bypassing various CAPTCHA services used to prevent automated account abuse. These illicit offerings were advertised in 2022 on SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover activities.

The cyber intelligence firm Flashpoint has indexed posts from 2022 on SIM Land attributed to Dort. These posts indicate that the disposable email and CAPTCHA bypass services were developed in collaboration with another hacker known as "Qoft." Qoft, in a 2022 conversation, explicitly referred to Dort as "Jacob," stating, "I legit just work with Jacob." In the same discussion, Qoft boasted about their joint success in stealing over $250,000 worth of Microsoft Xbox Game Pass accounts by exploiting a program that mass-generated Game Pass identities using compromised payment card data.

The identity of "Jacob" referenced by Qoft has been further illuminated by the breach tracking service Constella Intelligence. Constella discovered that the password used for [email protected] was reused with only one other email address: [email protected]. This finding aligns with the 2020 doxing information that placed Dort’s birthdate as August 2003 (8/03).

Who is the Kimwolf Botmaster “Dort”?

A domain registration search on DomainTools.com for [email protected] reveals its use in 2015 to register several Minecraft-themed domains. These registrations were consistently associated with a Jacob Butler from Ottawa, Canada, and a local phone number: 613-909-9727.

Constella Intelligence further reports that [email protected] was used to create an account on the hacker forum Nulled in 2016. Additionally, the same email address was used to register the Minecraft account name "M1CE." A pivot based on the password used for the Nulled account shows it was shared across the email addresses [email protected] and [email protected]. The latter address is significant as it belongs to a domain associated with the Ottawa-Carleton District School Board, suggesting a connection to Dort’s educational background.

Data compiled by the breach tracking service Spycloud indicates that at one point, Jacob Butler shared a computer with his mother and a sibling. This familial connection might explain why their email accounts were linked to the password "jacobsplugs." Neither Jacob Butler nor any other members of the Butler household responded to requests for comment regarding these findings.

The open-source intelligence service Epieos has identified that [email protected] created the GitHub account "MemeClient." Concurrently, Flashpoint indexed a deleted anonymous Pastebin.com post from 2017 that attributed the creation of MemeClient to a user named CPacket, one of Dort’s earlier aliases. This chain of evidence strongly suggests a continuity of identity and activity.

The escalating hostility from Dort appears to be a direct response to the KrebsOnSecurity article published on January 2, 2026, titled "The Kimwolf Botnet is Stalking Your Local Network." This article detailed research by Benjamin Brundage, founder of the proxy tracking service Synthient, which uncovered how Kimwolf botmasters exploited a subtle vulnerability in residential proxy services. This weakness allowed them to infect poorly secured devices, such as TV boxes and digital photo frames, connected to the internal networks of proxy endpoints.

By the time the article was published, Brundage had already notified most of the vulnerable proxy providers, who subsequently patched the security flaws. This remediation significantly hampered Kimwolf’s ability to propagate. Within hours of the article’s release, Dort retaliated by creating a Discord server impersonating KrebsOnSecurity, which then began publishing personal information and issuing violent threats against Brundage, KrebsOnSecurity, and others involved.

In the week preceding this report, Dort and associates utilized the same Discord server, then named "Krebs’s Koinbase Kallers," to orchestrate a swatting threat against Brundage. They again disseminated his home address and personal details. Brundage confirmed to KrebsOnSecurity that local law enforcement officers visited his residence in response to a swatting hoax that coincided with another server member posting a door emoji and taunting Brundage.

Who is the Kimwolf Botmaster “Dort”?

Adding to the aggressive rhetoric, someone on the server linked to a SoundCloud diss track uploaded by DortDev. The track, described as cringeworthy and NSFW, included a pinned message from Dort threatening: "Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch." The lyrics of the song further amplified the threats, with lines like, "It’s a pretty hefty penny for a new front door. If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?"

Update, 10:29 a.m.: Jacob Butler eventually responded to requests for comment, speaking briefly with KrebsOnSecurity via telephone. Butler stated that he had not noticed earlier requests for comment because he had largely been offline since 2021, following multiple swatting incidents at his home. He admitted to developing and distributing a Minecraft cheat program in the past but asserted he had not played the game in years and denied any involvement in Dortsolver or other activities associated with the Dort alias after 2021.

"It was a really old cheat and I don’t remember the name of it," Butler said of his Minecraft modification. "I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest."

When asked about his current occupation, Butler stated he primarily stays at home and assists his mother, citing struggles with autism and social interaction. He maintained that someone must have compromised one or more of his old accounts and is impersonating him online as Dort. "Someone is actually probably impersonating me, and now I’m really worried," Butler said. "This is making me relive everything."

However, Butler’s timeline presents inconsistencies. The voice captured in the phone conversation with KrebsOnSecurity bore a striking resemblance to the voice of "Jacob/Dort" heard in a September 2022 YouTube recording of a Clash of Code competition between Dort and another coder. In that recording, around the six-minute mark, Dort unleashes a profanity-laden tirade that echoes the language used in the diss rap threatening Brundage. Dort’s voice is audible again around the sixteen-minute mark, and at approximately 26:00, Dort threatens to swat his opponent.

Butler countered that the voice in the recording was not his, but rather that of an impersonator who had likely cloned his voice. "I would like to clarify that was absolutely not me," Butler stated. "There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff." Despite Butler’s claims of impersonation and a withdrawal from online activities, the persistent digital trail and the similarity in voice patterns suggest a complex and ongoing narrative surrounding the identity of Dort.