Originally reported by Krebs on Security
TL;DR
The operator of the Kimwolf botnet has escalated from digital harassment to physical threats against security researchers, including orchestrating a swatting incident. This represents a concerning evolution in how threat actors retaliate against vulnerability disclosure.
Active targeting of security researchers with physical threats, including swatting, represents a dangerous escalation in botmaster retaliation tactics. The involvement of the world's largest botnet in coordinated harassment campaigns poses significant risks to the cybersecurity community.
The threat actor controlling the Kimwolf botnet, operating under the handle "Dort," has significantly escalated retaliation efforts against security researchers following a vulnerability disclosure that exposed the botnet's operations, according to KrebsOnSecurity reporting.
In January 2026, a security researcher disclosed a vulnerability that enabled the assembly of what has become the world's largest and most disruptive botnet. Since that disclosure, Dort has orchestrated increasingly aggressive attacks targeting both the original researcher and journalist Brian Krebs.
The campaign began with distributed denial-of-service (DDoS) attacks against the researcher's infrastructure, followed by systematic doxing operations aimed at exposing personal information. Email flooding attacks were subsequently deployed to disrupt communications.
Most concerning, the threat actor recently escalated to swatting - the practice of making false emergency reports to trigger armed law enforcement response at a target's residence. This represents a dangerous shift from digital harassment to actions with potential for physical harm.
KrebsOnSecurity's analysis examines publicly available information about Dort's identity and operational patterns. The investigation highlights the persistent challenges in attributing cybercriminal activities, particularly when threat actors employ sophisticated operational security measures.
The botmaster's willingness to engage in high-profile retaliation suggests either significant confidence in their anonymity or desperation following the exposure of their infrastructure. The escalation pattern - from property damage to personal safety threats - indicates a threat actor operating without the typical constraints observed in profit-motivated cybercrime.
This case demonstrates the evolving risks faced by security researchers conducting vulnerability disclosure and botnet analysis. The progression from digital attacks to physical threats represents a concerning precedent that could deter future research into criminal infrastructure.
The targeting of both researchers and journalists covering cybersecurity issues suggests an intentional effort to create a chilling effect on botnet investigation and reporting. Security professionals should consider enhanced operational security measures when researching active criminal infrastructure.
Law enforcement coordination with affected parties continues as investigators work to identify Dort and disrupt Kimwolf operations. The botnet's massive scale and the operator's brazen retaliation tactics make this a priority case for international cybercrime units.