When Disclosure Turns Dangerous: The Escalation of 'Dort' and Kimwolf
Saw the latest from KrebsOnSecurity regarding the "Dort" situation, and it honestly sent a chill down my spine. We often discuss vulnerability disclosure as a technical process—find bug, report bug, get patch. But the retaliation against the researcher who helped dismantle Kimwolf highlights a disturbing trend: the convergence of cyberattacks and physical violence (swatting).
The article details how a vulnerability disclosure led to the assembly of the world's largest botnet, and subsequently, how the threat actor "Dort" pivoted to DDoS and doxing. This isn't just about bandwidth anymore; it's about personal safety.
From a defensive standpoint, if you are dealing with botnet traffic associated with Kimwolf, you might be seeing high-volume TCP floods. Here’s a quick mitigation strategy using iptables to help absorb some of the impact while you analyze the logs:
# Rate limiting SYN packets to mitigate SYN flood techniques often used by large botnets
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
However, the real issue here is the doxing vector. How many of us have our home addresses linked to domain WHOIS records or LinkedIn profiles? "Dort" proved that they will use OSINT to target researchers offline.
Do you think the industry needs to adopt stricter anonymity protocols for researchers, or is this just the cost of doing business in 2026? How are you guys scrubbing your digital footprint to prevent this kind of targeting?
This is exactly why I push for domain privacy to be standard, even for internal projects. The jump from DDoS to swatting changes the risk profile entirely. As an MSP owner, I'm advising my clients who handle vulnerability research to use PO boxes and LLC registrations for any public-facing work. You can't patch a physical door.
The iptables rules are a good start, but for a botnet the size of Kimwolf, you need to be scrubbing traffic upstream. I've been using the following KQL query in Sentinel to flag potentially associated IPs before they overwhelm the perimeter:
NetworkEvent
| where PacketCount > 1000
| summarize count() by SourceIP, DestinationPort
| where count_ > 5000
It's a scary time to be a white hat.
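As an added example (not code from any poster in this thread), here is the same aggregation as the KQL above done offline in Python over a few constructed flow-log lines: filter on packet count, count events per source/port, flag above a threshold, then render one per-source DROP rule per offender. The log line format, the field names and the scaled-down thresholds (1000 packets / 5 events instead of the query's 5000) are assumptions for the sample; it also shows why per-source blocking beats the global SYN limit in the first post, which throttles legitimate clients along with the bots.

```python
"""
Per-source flood triage over constructed flow log lines.
Added example for this thread, not code from any poster. Mirrors the KQL:
  where PacketCount > N | summarize count() by SourceIP, DestinationPort | where count_ > M
and renders per-source block rules from the result (strings only, nothing is applied).
"""
import re
from collections import Counter

# Constructed sample in an assumed key=value format (RFC 5737 documentation addresses).
# 203.0.113.7 is the flooder; 198.51.100.9 is noisy but below threshold; 192.0.2.5 is a normal client.
SAMPLE_LOG = """\
2026-02-14T10:00:00Z src=203.0.113.7 dst=198.51.100.20 dst_port=443 packets=1800
2026-02-14T10:00:00Z src=203.0.113.7 dst=198.51.100.20 dst_port=443 packets=2100
2026-02-14T10:00:01Z src=203.0.113.7 dst=198.51.100.20 dst_port=443 packets=1650
2026-02-14T10:00:01Z src=192.0.2.5 dst=198.51.100.20 dst_port=443 packets=40
2026-02-14T10:00:01Z src=203.0.113.7 dst=198.51.100.20 dst_port=443 packets=1900
2026-02-14T10:00:02Z src=192.0.2.5 dst=198.51.100.20 dst_port=443 packets=35
2026-02-14T10:00:02Z src=198.51.100.9 dst=198.51.100.20 dst_port=80 packets=1200
2026-02-14T10:00:02Z src=203.0.113.7 dst=198.51.100.20 dst_port=443 packets=2000
2026-02-14T10:00:03Z src=198.51.100.9 dst=198.51.100.20 dst_port=80 packets=1100
2026-02-14T10:00:03Z src=203.0.113.7 dst=198.51.100.20 dst_port=443 packets=1750
malformed line that should be skipped rather than crash the pipeline
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dst_port=(?P<port>\d+) packets=(?P<packets>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are counted and skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["packets"] = int(rec["packets"])
    return rec


def flag_flooders(log_text, min_packets=1000, min_events=5):
    """
    Thresholds are scaled down from the KQL (1000 packets / 5000 events) so the sample runs.
    Returns ({(src, port): event_count} for offenders, number of unparsable lines skipped).
    """
    counts = Counter()
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["packets"] > min_packets:          # KQL: where PacketCount > N
            counts[(rec["src"], rec["port"])] += 1  # KQL: summarize count() by src, port
    offenders = {k: v for k, v in counts.items() if v > min_events}  # KQL: where count_ > M
    return offenders, skipped


def drop_rules(offenders):
    """One per-source DROP rule per offending IP, as text to review before applying upstream."""
    srcs = sorted({src for src, _ in offenders})
    return [f"iptables -A INPUT -s {src} -j DROP" for src in srcs]


if __name__ == "__main__":
    found, bad = flag_flooders(SAMPLE_LOG)
    print(f"offenders: {found}  (skipped {bad} malformed line(s))")
    for rule in drop_rules(found):
        print(rule)
```

The malformed-line counter matters in practice: a flood is exactly when log shippers start truncating records, and a parser that raises on the first bad line stops flagging anything.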
It's wild that we have to discuss physical safety in a cybersecurity forum, but here we are. I've started recommending researchers remove all geo-tagged metadata from their public GitHub repos and conference photos. It sounds paranoid, but if 'Dort' is willing to SWAT someone, they are certainly scraping EXIF data too.
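For the EXIF point in the post above, here is an added example (not the poster's code) of what "remove geo-tagged metadata" means at the byte level: a standard-library JPEG segment walker that drops the APP1 (Exif/GPS and XMP), APP13 (Photoshop/IPTC) and COM segments while leaving the image data untouched. The sample JPEG bytes are constructed inline and carry a GPSInfo pointer tag; they have a valid segment layout but are not a decodable picture.

```python
"""
Strip location-bearing metadata from a JPEG before it is published.
Added example for this thread, not a poster's code. Walks JPEG marker segments
with the standard library only (no pixel decoding) and drops the segments where
Exif/GPS, XMP and IPTC data live, keeping every other segment byte-for-byte.
"""
import struct

SOS, DQT = 0xDA, 0xDB
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE
STANDALONE = set(range(0xD0, 0xDA)) | {0x01}  # RSTn, SOI, EOI, TEM: no length field
DROP = {APP1, APP13, COM}                     # Exif/XMP, Photoshop/IPTC, comments
EXIF_HEADER = b"Exif\x00\x00"


def iter_segments(data):
    """Yield (marker, start, end) byte ranges for each segment after SOI, up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            yield marker, pos, pos + 2
            pos += 2
            continue
        if marker == SOS:                     # entropy-coded data follows until EOI
            yield marker, pos, len(data)
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, pos, end
        pos = end


def has_exif(data):
    """True if any APP1 segment carries an Exif block (where the GPS IFD is stored)."""
    return any(m == APP1 and data[s + 4:s + 10] == EXIF_HEADER
               for m, s, _ in iter_segments(data))


def strip_metadata(data):
    """Return a copy of the JPEG without APP1, APP13 and COM segments."""
    out = bytearray(data[:2])
    for marker, start, end in iter_segments(data):
        if marker not in DROP:
            out += data[start:end]
    return bytes(out)


def segment_markers(data):
    return [m for m, _, _ in iter_segments(data)]


# --- constructed sample file: valid segment layout, not a decodable picture ---
def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Minimal little-endian TIFF inside the Exif block: one IFD0 entry, the GPSInfo
# IFD pointer tag (0x8825), which is what a geotag lives behind.
_TIFF = (b"II*\x00" + struct.pack("<I", 8)         # header, IFD0 at offset 8
         + struct.pack("<H", 1)                     # one entry
         + struct.pack("<HHII", 0x8825, 4, 1, 26)   # GPSInfo pointer -> offset 26
         + struct.pack("<I", 0))                    # next IFD: none
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(APP1, EXIF_HEADER + _TIFF)
    + _seg(APP1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")
    + _seg(COM, b"taken at home")
    + _seg(DQT, bytes(65))
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in segment_markers(SAMPLE_JPEG)], "exif:", has_exif(SAMPLE_JPEG))
    print("after: ", [hex(m) for m in segment_markers(cleaned)], "exif:", has_exif(cleaned))
```

Two design choices worth noting: APP0 (JFIF) and APP2 (ICC colour profile) are kept because dropping them changes how the image renders, and the walker deliberately refuses truncated input instead of guessing, since a file that does not parse cleanly is one you should not assume is clean.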