
DOJ Charges 22-Year-Old for Running RapperBot Botnet Behind 370,000 DDoS Attacks


Aug 20, 2025 | Ravie Lakshmanan | Botnet / Cybercrime

A 22-year-old man from the U.S. state of Oregon has been charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet known as RapperBot.

Ethan Foltz of Eugene, Oregon, has been identified as the administrator of the service, the U.S. Department of Justice (DoJ) said. The botnet has been used to carry out large-scale DDoS-for-hire attacks targeting victims in over 80 countries since at least 2021.

Foltz has been charged with one count of aiding and abetting computer intrusions. If convicted, he faces a maximum penalty of 10 years in prison. In addition, law enforcement authorities conducted a search of Foltz’s residence on August 6, 2025, seizing administrative control of the botnet infrastructure.

“RapperBot, aka ‘Eleven Eleven Botnet’ and ‘CowBot,’ is a Botnet that primarily compromises devices like Digital Video Recorders (DVRS) or Wi-Fi routers at scale by infecting those devices with specialized malware,” the DoJ said.

“Clients of RapperBot then issue commands to those infected victim devices, forcing them to send large volumes of ‘distributed denial-of-service’ (DDoS) traffic to different victim computers and servers located throughout the world.”

Heavily inspired by fBot (aka Satori) and Mirai botnets, RapperBot is known for its ability to break into target devices using SSH or Telnet brute-force attacks and co-opt them into a malicious network capable of launching DDoS attacks. It was first publicly documented by Fortinet in August 2022, with early campaigns observed as far back as May 2021.

A 2023 report from Fortinet detailed the DDoS botnet’s expansion into cryptojacking, profiting off the compromised devices’ compute resources to illicitly mine Monero and maximize value. Earlier this year, RapperBot was also implicated in DDoS attacks targeting DeepSeek and X.

Foltz and his co-conspirators have been accused of monetizing RapperBot by providing paying customers access to a powerful DDoS botnet that has been used to conduct over 370,000 attacks, targeting 18,000 unique victims across China, Japan, the United States, Ireland, and Hong Kong from April 2025 to early August.

Amazon Web Services (AWS), one of the many companies that supported the initiative, said RapperBot infected more than 45,000 devices across 39 countries and that it helped identify RapperBot’s command-and-control (C2) infrastructure and reverse engineer the IoT malware to map its operations and activities.

Prosecutors also allege that the botnet comprised roughly 65,000 to 95,000 infected victim devices to pull off DDoS attacks that measured between two and three Terabits per second (Tbps), with the largest attack possibly exceeding 6 Tbps. Furthermore, the botnet is believed to have been used to carry out ransom DDoS attacks aiming to extort victims.

The investigation traced the botnet to Foltz after uncovering IP address links to various online services used by the defendant, including PayPal, Gmail, and the internet service provider. Foltz is also said to have searched on Google for references to “RapperBot” or “Rapper Bot” over 100 times.

The disruption of RapperBot is part of Operation PowerOFF, an ongoing international effort that is designed to dismantle criminal DDoS-for-hire infrastructures worldwide.
