RapperBot Botnet Dismantled, Administrator Charged in Global Cyberattack Takedown

The U.S. Department of Justice has charged a 22-year-old Oregon man, Ethan Foltz, for allegedly operating RapperBot, a sophisticated distributed denial-of-service (DDoS)-for-hire botnet. This botnet was responsible for over 370,000 attacks worldwide, targeting victims in more than 80 countries since 2021. Law enforcement successfully seized control of the botnet's infrastructure, effectively halting its operations as part of a broader international effort.

Key Takeaways

• Ethan Foltz, 22, of Eugene, Oregon, charged with operating the RapperBot botnet.

• RapperBot conducted over 370,000 DDoS attacks, impacting 18,000 unique victims globally.

• The botnet leveraged 65,000 to 95,000 infected IoT devices, launching attacks up to 6 Tbps.

• Foltz faces up to 10 years in prison if convicted.

• The takedown is part of Operation PowerOFF, targeting DDoS-for-hire services.

The Rise and Fall of RapperBot

RapperBot, also known as "Eleven Eleven Botnet" and "CowBot," is a powerful botnet that primarily compromises Internet of Things (IoT) devices such as Digital Video Recorders (DVRs) and Wi-Fi routers. It achieves this by infecting these devices with specialized malware, turning them into a network of "zombie" machines. Clients of RapperBot then command these compromised devices to flood target computers and servers with massive volumes of traffic, causing denial-of-service.

Inspired by earlier botnets like Mirai and fBot (Satori), RapperBot utilizes brute-force attacks via SSH or Telnet to gain access to devices. Beyond launching DDoS attacks, the botnet was also reportedly used for cryptojacking, exploiting the compromised devices' computing resources to mine Monero cryptocurrency.

Global Impact and Monetization

From April 2025 to early August 2025, RapperBot was implicated in over 370,000 attacks targeting approximately 18,000 unique victims across countries including China, Japan, the United States, Ireland, and Hong Kong. The attacks often reached speeds of 2 to 3 Terabits per second (Tbps), with some exceeding 6 Tbps, causing significant disruptions. Prosecutors allege that Foltz and his co-conspirators monetized the botnet by providing paying customers access, with some attacks potentially being ransom-based, aiming to extort victims.

Tracing the Botmaster

Investigators identified Foltz by tracing IP address links from RapperBot's command-and-control infrastructure to online services he used, including PayPal and Gmail. Further evidence included over 100 Google searches for "RapperBot" or "Rapper Bot" by Foltz. On August 6, 2025, law enforcement executed a search warrant at Foltz's residence, seizing administrative control of the botnet. Foltz has been charged with one count of aiding and abetting computer intrusions, facing a maximum penalty of 10 years in prison.

Operation PowerOFF

The disruption of RapperBot is a significant achievement within Operation PowerOFF, an ongoing international initiative dedicated to dismantling criminal DDoS-for-hire infrastructures worldwide. Collaboration with major technology companies, including Amazon Web Services, Google, and PayPal, was crucial in identifying and mapping RapperBot's operations and infrastructure.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

• DOJ Charges 22-Year-Old for Running RapperBot Botnet Behind 370,000 DDoS Attacks, The Hacker News.

• ⚖️ DOJ announces takedown of RapperBot botnet responsible for over 370,000 cyberattacks, Regtechtimes.

• DOJ Shuts Down Rapper Bot Botnet After Global DDoS Attacks in 80 Countries, sqmagazine.co.uk.

• Oregon Man Charged in ‘Rapper Bot’ DDoS Service – Krebs on Security, Krebs on Security.

• Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet, The Record from Recorded Future News.