A public "dox" that surfaced in 2020 claimed Dort was a teenager residing in Canada, born in August 2003, and operated under the aliases "CPacket" and "M1ce." Investigations utilizing the open-source intelligence platform OSINT Industries, searching the username CPacket, unearthed a GitHub account linked to both Dort and CPacket. This account, created in 2017, was associated with the email address [email protected].

The cyber intelligence firm Intel 471 has provided further insights, indicating that the email address [email protected] was active between 2015 and 2019. During this period, it was used to establish accounts on various cybercrime forums, including Nulled, where the username was "Uubuntuu," and Cracked, where the user was identified as "Dorted." Intel 471’s research also notes that both of these forum accounts were registered from the same Canadian IP address belonging to Rogers Canada (99.241.112.24), suggesting a consistent geographical origin for Dort’s online activities during those years.

Dort’s online presence initially gained traction within the Microsoft gaming community, specifically through the popular game Minecraft. They achieved a degree of notoriety for developing and distributing "Dortware," a suite of software designed to facilitate cheating for Minecraft players. This early foray into exploiting game mechanics marked a significant step, as Dort would later transition from manipulating virtual environments to enabling far more serious criminal enterprises. The skills honed in the gaming world appear to have provided a foundation for more sophisticated cybercriminal operations.

Further investigation reveals that Dort also operated under the moniker "DortDev." This identity was active in March 2022 on the chat server of LAPSUS$, a notorious cybercrime group. In this capacity, Dort offered services for the creation of temporary email addresses and advertised "Dortsolver," a tool engineered to circumvent CAPTCHA services, which are typically implemented to prevent automated account abuse. Both of these illicit offerings were promoted in 2022 on SIM Land, a Telegram channel specifically dedicated to SIM-swapping and account takeover activities.

The cyber intelligence firm Flashpoint has documented Dort’s posts on SIM Land from 2022. These records indicate that Dort developed the disposable email and CAPTCHA bypass services in collaboration with another hacker who used the handle "Qoft." In a 2022 conversation, Qoft explicitly referred to Dort as "Jacob," their exclusive business partner, stating, "I legit just work with Jacob." In the same discussion, Qoft boasted about their joint success in illicitly acquiring over $250,000 worth of Microsoft Xbox Game Pass accounts. This was achieved by developing a program that could mass-generate Game Pass identities by leveraging stolen payment card data.

The identity of "Jacob," whom Qoft identified as their business partner, has been a key focus of the investigation. The breach tracking service Constella Intelligence discovered that the password associated with [email protected] was reused by only one other email address: [email protected]. This finding aligns with the information from the 2020 doxing incident, which stated Dort’s date of birth as August 2003 (8/03).

A deep dive into [email protected] using DomainTools.com revealed its use in 2015 to register several Minecraft-themed domains. These registrations were all associated with a Jacob Butler in Ottawa, Canada, and linked to the local phone number 613-909-9727. This geographical and personal connection provides a strong link between the alias "Dort" and a specific individual.

Further analysis by Constella Intelligence indicates that [email protected] was also used to create an account on the hacker forum Nulled in 2016. Additionally, it was used to establish the account name "M1CE" on Minecraft, corroborating the alias mentioned in the 2020 doxing. A pivot off the password used for the Nulled account revealed it was shared across multiple email addresses: [email protected] and [email protected]. The latter is an email address associated with a domain belonging to the Ottawa-Carleton District School Board, suggesting a potential connection to Dort’s educational background or a past affiliation with the school system.

Data compiled by the breach tracking service Spycloud suggests that at one point, Jacob Butler may have shared a computer with his mother and a sibling. This could potentially explain why their email accounts were linked to the password "jacobsplugs." Efforts to obtain comments from Jacob Butler or any other Butler household members regarding these findings were unsuccessful.

The open-source intelligence service Epieos has identified that [email protected] created the GitHub account "MemeClient." Concurrently, Flashpoint has indexed a now-deleted anonymous Pastebin.com post from 2017. This post declared that MemeClient was the creation of a user named CPacket, one of Dort’s earliest known online monikers. This further solidifies the connection between these distinct online identities.

The intense retaliatory actions by Dort stem from a KrebsOnSecurity article published on January 2, 2026, titled "The Kimwolf Botnet is Stalking Your Local Network." This article detailed research conducted by Benjamin Brundage, the founder of the proxy tracking service Synthient. Brundage’s investigation uncovered how the operators of the Kimwolf botnet were exploiting a little-known vulnerability in residential proxy services. This weakness allowed them to infect poorly secured devices, such as TV boxes and digital photo frames, that were connected to the internal, private networks of proxy endpoints.

By the time this exposé went live, Brundage had already notified most of the vulnerable proxy providers, who subsequently patched the identified weaknesses. This remediation effort significantly hampered Kimwolf’s ability to propagate. Within hours of the article’s publication, Dort established a Discord server under this author’s name, which then began disseminating personal information and issuing violent threats against Brundage, KrebsOnSecurity, and other individuals.

In a subsequent development last week, Dort and associates utilized the same Discord server, then ominously named "Krebs’s Koinbase Kallers," to threaten a swatting attack against Benjamin Brundage. This threat again involved the public posting of his home address and other personal details. Brundage confirmed to KrebsOnSecurity that local law enforcement officers subsequently visited his residence in response to a swatting hoax. This incident occurred around the same time another member of the server posted an image of a door emoji and further taunted Brundage.

Adding to the escalation, someone on the server linked to a SoundCloud diss track recorded by DortDev. The track, described as "cringeworthy (and NSFW)," featured a pinned message from Dort stating, "Ur dead nigga. u better watch ur fucking back. sleep with one eye open. bitch." The lyrics of the diss track further amplified the threats, with lines like, "It’s a pretty hefty penny for a new front door. If his head doesn’t get blown off by SWAT officers. What’s it like not having a front door?"

With the ongoing investigation and the clear pattern of aggressive, retaliatory behavior, there is a strong likelihood that Dort will soon face the consequences of their actions, potentially allowing for a direct understanding of what it is like to be on the receiving end of such threats.

Update, 10:29 a.m.: Jacob Butler eventually responded to requests for comment, speaking briefly with KrebsOnSecurity via telephone. Butler stated that he had not noticed earlier requests for comment because he has largely been offline since 2021, following multiple swatting incidents at his home. He acknowledged creating and distributing a Minecraft cheat tool in the past, but asserted that he had not played the game in years and denied any involvement in Dortsolver or other activities attributed to the Dort nickname after 2021.

"It was a really old cheat and I don’t remember the name of it," Butler said of his Minecraft modification. "I’m very stressed, man. I don’t know if people are going to swat me again or what. After that, I pretty much walked away from everything, logged off and said fuck that. I don’t go online anymore. I don’t know why people would still be going after me, to be completely honest."

When questioned about his current occupation, Butler stated that he primarily stays at home and assists his mother, attributing this to his struggles with autism and social interaction. He maintained that someone must have compromised one or more of his old accounts and is impersonating him online as Dort. "Someone is actually probably impersonating me, and now I’m really worried," Butler said. "This is making me relive everything."

However, there are discrepancies in Butler’s timeline. For instance, the voice of Jacob in the phone conversation bore a striking resemblance to the Jacob/Dort heard in a September 2022 YouTube video documenting a Clash of Code competition between Dort and another coder, which Dort ultimately lost. Approximately six minutes and ten seconds into the recording, Dort unleashes a profanity-laced tirade that mirrors the stream of expletives in the diss rap posted by Dortdev threatening Brundage. Dort’s voice is audible again around the 16-minute mark, and at approximately 26:00, Dort threatens to swat his opponent.

Butler countered that the voice in the recording was not his own but rather that of an impersonator who had likely cloned his voice. "I would like to clarify that was absolutely not me," Butler stated. "There must be someone using a voice changer. Or something of the sorts. Because people were cloning my voice before and sending audio clips of ‘me’ saying outrageous stuff." This claim, while plausible, introduces further complexity to the ongoing investigation into Dort’s true identity and involvement.