DOJ takes action against 22-year-old running RapperBot Botnet

DOJ charges 22-year-old Ethan Foltz of Oregon for running RapperBot, a DDoS botnet behind 370K+ attacks in 80+ countries since 2021.

The U.S. DOJ charged 22-year-old Ethan Foltz of Oregon for running the RapperBot botnet, used in over 370,000 DDoS-for-hire attacks since 2021. Active in over 80 countries, RapperBot enabled large-scale disruptions. Foltz, identified as its administrator, allegedly developed and managed the service, impacting global victims.

RapperBot, also known as Eleven Eleven Botnet or CowBot, infects DVRs and routers to launch massive DDoS attacks worldwide on command.

“The criminal complaint explains that Rapper Bot was allegedly utilizing roughly 65,000 to 95,000 infected victim devices to regularly conduct DDoS attacks that commonly measured between two to three Terabits per second. It is alleged that Rapper Bot’s largest attack may have exceeded six Terabits per second. Investigators believe that at least five infected victim devices are in Alaska and were forced to participate in attacks,” reads the press release published by the DOJ.

Court documents state that DDoS attacks, averaging 2 Tbps for 30 seconds, can cost victims $500–$10,000 due to lost revenue, response costs, and bandwidth use.

Researchers from FortiGuard Labs first discovered the RapperBot botnet in August 2022, but they speculate it had been active since 2021. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it has a built-in capability to brute-force credentials and gain access to SSH servers, rather than Telnet as in Mirai.

Threat actors used the RapperBot botnet to launch DDoS attacks against victims and extort them.

On August 6, 2025, law enforcement seized Rapper Bot and gained control of the infrastructure, halting attacks. Foltz faces one count of aiding computer intrusions, with up to 10 years in prison.

“Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator and effectively disrupted the activities of this transnational criminal group,” said U.S. Attorney Michael J. Heyman for the District of Alaska. “Our office remains committed to disrupting and dismantling cyber criminals that threaten internet security and infrastructure in the District of Alaska and across the United States.”

“Today’s announcement highlights the ongoing efforts by law enforcement to disrupt and dismantle emerging cyber threats targeting the Department of Defense and the defense industrial base,” said Special Agent in Charge Kenneth DeChellis of the Department of Defense Office of Inspector General, DCIS, Cyber Field Office. “The Rapper Bot malware was a clear threat, and the focused efforts of DCIS, our industry partners, and the federal prosecutors at the U.S. Attorney’s Office in Alaska, sends a clear signal to those who would harm the DoD’s personnel, infrastructure, and intellectual property, that their actions will come at a cost.”

Amazon Web Services (AWS) helped authorities dismantle the botnet. AWS aided the DOJ by mapping Rapper Bot’s C2 infrastructure and analyzing its IoT malware, helping halt attacks and improve overall internet security. Below are key findings shared by the company on LinkedIn:

  • Conducted over 370,000 attacks since April 2025
  • Attack sizes ranged from several terabits to over 1 billion packets-per-second
  • Targeted organizations in 80+ countries
  • Infected 45,000+ devices across 39 countries


Pierluigi Paganini

(SecurityAffairs – hacking, botnet)
