In early January 2026, a single vulnerability disclosure set off a chain of digital retaliation unlike anything seen in recent years — not because of the exploit itself, but because of who it unmasked. The person at the center: a hacker who goes by the handle Dort, the alleged orchestrator of Kimwolf, the world’s largest and most disruptive botnet. Since the disclosure, Dort has launched a sustained campaign of DDoS attacks, doxing, email flooding, and even a SWATting incident targeting the researcher who exposed the flaw — and Brian Krebs, the journalist who reported it. This isn’t just a story about malware or infrastructure. It’s about a teenage cybercriminal who evolved from cheating in Minecraft to commanding a global botnet — and who may now be using it to settle personal scores.
Key Takeaways
- Dort, the suspected mastermind behind the Kimwolf botnet, has been tied to a series of retaliatory cyberattacks in January 2026 against a security researcher and journalist Brian Krebs.
- Public doxing from 2020 identifies Dort as a Canadian teenager born in August 2003, using aliases including CPacket and M1ce.
- The email jay.miner232@gmail.com connects multiple accounts across GitHub, cybercrime forums, and Minecraft cheating tools — all under Dort’s known handles.
- Dort collaborated with another hacker, Qoft, to steal over $250,000 in Xbox Game Pass accounts using stolen payment data and automated account creation tools.
- Constella Intelligence links jay.miner232@gmail.com to jacobbutler803@gmail.com via a shared password, suggesting Dort and Qoft’s business partner Jacob may be the same individual.
Dort’s Digital Footprint Begins in Minecraft
It’s not unusual for young hackers to start in online games. What’s striking is how directly Dort’s path led from cheating software to large-scale cybercrime. Around the mid-2010s, Dort gained notoriety in the Minecraft community for creating “Dortware” — a tool that gave players unfair advantages, from aim assistance to visibility hacks. The software circulated widely in private servers and forums, earning Dort a reputation as a skilled but controversial coder.
But Dortware wasn’t just a cheat. It was an early demonstration of automation, remote control, and client-side manipulation — skills that translate directly into botnet development. By 2017, the same person had established a GitHub account under the names Dort and CPacket, using the email jay.miner232@gmail.com. That account, still visible on the open-source intelligence platform OSINT Industries, shows a progression from simple scripts to more complex network tools.
From Game Hacks to Cybercrime Infrastructure
The leap from game cheating to cybercrime wasn’t abrupt. It was incremental — and well-documented. By 2022, Dort had adopted the alias DortDev and was active on the chat server for LAPSUS$, the prolific cybercrime group known for high-profile breaches at Microsoft, NVIDIA, and Okta. Dort wasn’t just lurking. They were selling services.
On SIM Land, a Telegram channel dedicated to SIM-swapping and account takeover operations, Dort advertised two key tools: a service for generating temporary email addresses and a program called Dortsolver, designed to bypass CAPTCHA systems. These aren’t fringe tools. They’re foundational to large-scale fraud. Disposable emails let attackers create thousands of fake accounts. CAPTCHA bypasses automate the process. Together, they enable everything from spam campaigns to credential stuffing at industrial scale.
Flashpoint, the cyber intelligence firm, indexed over 20 posts from Dort on SIM Land in 2022. In these, Dort detailed the technical specs of Dortsolver, boasted about uptime, and even offered customer support. This wasn’t a hobbyist. This was a business.
Partnership with Qoft: A Profitable Cybercrime Duo
Dort didn’t operate alone. Their most significant collaboration was with a hacker known as Qoft. In a 2022 conversation on SIM Land, Qoft stated plainly: “I legit just work with Jacob,” referring to their exclusive business partner. That name — Jacob — stood out. But who was he?
The answer may lie in password reuse. The breach tracking service Constella Intelligence found that the password used for jay.miner232@gmail.com was identical to the one used for another address: jacobbutler803@gmail.com. No other accounts shared that password. That’s not a statistical fluke. It’s a digital fingerprint.
The implication is clear: Dort and Jacob are likely the same person. Or at the very least, they share credentials, trust, and operational control. And together, they weren’t just building tools. They were monetizing them.
A $250,000 Theft Spree Using Automated Fraud
Qoft bragged in the same 2022 thread that the two had stolen more than $250,000 worth of Microsoft Xbox Game Pass accounts. Their method? A program that mass-created Game Pass identities using stolen payment card data. The automation relied on the very tools Dort was selling: disposable emails to register accounts, Dortsolver to bypass Microsoft’s CAPTCHA checks, and likely SIM-swapping techniques facilitated through SIM Land connections.
This wasn’t a one-off hack. It was a repeatable, scalable fraud engine. And it reveals how low-level cybercrime tools feed into larger supply chains. Microsoft didn’t report the breach. Game Pass subscribers likely didn’t notice. But the infrastructure was there — and it worked.
The Kimwolf Botnet: From Tool to Weapon
Kimwolf didn’t appear out of nowhere. It was the culmination of years of technical development, underground networking, and monetization. The botnet emerged in late 2025, but its scale became undeniable in January 2026, when it was used to launch massive DDoS attacks following a vulnerability disclosure by a security researcher.
The flaw — disclosed in early January — allowed attackers to hijack devices and enroll them in botnets without authentication. Dort allegedly used that vulnerability to expand Kimwolf’s reach before it was patched. When the researcher went public, Dort retaliated.
The attacks weren’t just technical. They were personal. DDoS floods took down the researcher’s website. Doxing campaigns exposed private information. Email inboxes were flooded. Then came the SWATting incident — a false emergency call that led a tactical police unit to raid the researcher’s home on April 12, 2026.
That escalation marks a shift. It’s one thing to launch a DDoS attack. It’s another to weaponize law enforcement. This isn’t just cybercrime. It’s cyber vengeance.
Tracing the Trail: IPs, Emails, and Aliases
Digital forensics rarely delivers smoking guns. But in Dort’s case, the trail is unusually dense. Intel 471, the cyber intelligence firm, traced the email jay.miner232@gmail.com to accounts on Nulled (as “Uubuntuu”) and Cracked (as “Dorted”) between 2015 and 2019. Both were created from the same IP address: 99.241.112.24, registered to Rogers Communications in Canada.
That IP doesn’t prove identity. But it’s a strong geographic anchor. Combined with the 2020 dox that identified Dort as a Canadian teen born in August 2003, the evidence points to a single individual operating across at least a decade of online activity — from Minecraft cheats to CAPTCHA solvers to botnet command-and-control.
And the persistence of the jay.miner232@gmail.com address across platforms — GitHub, cybercrime forums, malware repositories — suggests either extreme carelessness or a belief that the alias is untouchable.
- 2015–2019: jay.miner232@gmail.com used to create accounts on Nulled and Cracked from Rogers Canada IP 99.241.112.24
- 2017: GitHub account created under Dort and CPacket using same email
- 2020: Public dox identifies Dort as Canadian teen, born August 2003, aliases CPacket and M1ce
- 2022: Active on SIM Land as DortDev, selling disposable email and CAPTCHA bypass tools
- January 2026: Kimwolf botnet used in retaliation after vulnerability disclosure
- April 12, 2026: SWATting incident against security researcher linked to Dort’s campaign
What This Means For You
If you’re building web services, this story should scare you. Dort’s tools — disposable emails, CAPTCHA bypasses, automated account creation — are the foundation of modern platform abuse. They’re not exotic. They’re accessible. And they’re effective. If your authentication system relies solely on email verification or basic CAPTCHA, it’s already vulnerable.
Developers need to assume that any barrier they build will be automated, bypassed, or sold on Telegram. The era of simple defenses is over. That means implementing device fingerprinting, behavioral analysis, rate limiting, and multi-layered verification — especially for high-value accounts.
For security researchers, the message is darker. Reporting flaws can trigger not just corporate pushback, but violent retaliation from cybercriminals who see you as a personal threat. The line between digital and physical security has blurred. If you’re disclosing vulnerabilities, you need threat modeling, legal support, and, yes, emergency response plans.
The Real Danger Isn’t the Botnet — It’s the Mind Behind It
The most unsettling part of this story isn’t the scale of Kimwolf. It’s the trajectory of Dort. A teenager, possibly still under 23, who started in Minecraft and now commands a global botnet capable of doxing, DDoS, and SWATting. That progression isn’t rare. It’s becoming normalized.
What happens when someone with this level of technical skill and zero accountability decides to target critical infrastructure? Or election systems? Or healthcare networks? The tools are already there. The motivation might just be a grudge.
We’ve treated young hackers as pranksters for too long. But Dort isn’t playing. They’re building. And they’re winning.
How do we stop a cybercriminal who doesn’t fear exposure — because they’ve never hidden in the first place?
Sources: Krebs on Security, original report
