In a significant move against cybercrime, the U.S. Department of Justice (DOJ) has announced the disruption of the RapperBot botnet and the indictment of its alleged administrator, Ethan Foltz, a 22-year-old resident of Eugene, Oregon. This botnet, also known by aliases such as Eleven Eleven Botnet and CowBot, exploited compromised Internet of Things (IoT) devices, primarily digital video recorders (DVRs) and Wi-Fi routers, to execute extensive distributed denial-of-service (DDoS) attacks across more than 80 countries.
Scope and Impact of RapperBot
According to the indictment, between April and August 2025, Foltz and his co-conspirators orchestrated over 370,000 DDoS attacks targeting approximately 18,000 unique victims. Notably, the botnet’s targets included a U.S. government network, several American technology firms, and a prominent social media platform. The scale of these attacks was formidable, with the botnet leveraging between 65,000 and 95,000 infected devices to generate traffic volumes of 2 to 3 terabits per second (Tbps). One of the most severe attacks reportedly peaked at 6 Tbps, underscoring the botnet’s capacity to inflict significant disruption.
Technical Evolution and Persistence
RapperBot first came to the attention of cybersecurity experts in 2022 when FortiGuard Labs identified it as a variant of the Mirai botnet. Unlike its predecessor, RapperBot exhibited enhanced capabilities, including credential brute-forcing, targeting of Secure Shell (SSH) servers, and mechanisms to maintain persistence on compromised devices. These features made it particularly resilient and effective in executing prolonged and repeated attacks.
Law Enforcement Intervention
The DOJ’s disruption of RapperBot occurred in early August 2025, following the execution of a search warrant at Foltz’s residence in Oregon. This operation granted law enforcement agencies administrative control over the botnet, effectively neutralizing its threat. Foltz has been charged with aiding and abetting computer intrusions, a charge that carries a potential sentence of up to 10 years in prison if convicted.
Statements from Authorities
U.S. Attorney Michael J. Heyman for the District of Alaska emphasized the significance of this operation, stating, “RapperBot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator and effectively disrupted the activities of this transnational criminal group.”
Operation PowerOFF and Collaborative Efforts
The takedown of RapperBot was part of Operation PowerOFF, an international law enforcement initiative aimed at dismantling DDoS-for-hire services. This operation has previously led to the disruption of numerous such services, including DigitalStress, Stresser.tech, Neostress, and Webstresser. The success of these efforts highlights the importance of global collaboration in combating cyber threats that transcend national borders.
Broader Context of Botnet Disruptions
The dismantling of RapperBot is part of a broader trend of law enforcement agencies targeting large-scale botnets. For instance, in May 2024, the U.S. Justice Department announced the takedown of the 911 S5 proxy botnet, which had compromised millions of devices worldwide. Similarly, in May 2025, the DanaBot botnet was disrupted, leading to charges against 16 individuals. These actions reflect a concerted effort to address the growing threat posed by botnets in facilitating cyberattacks and other illicit activities.
Implications for Cybersecurity
The disruption of RapperBot underscores the evolving nature of cyber threats and the critical need for robust cybersecurity measures. Organizations are advised to implement comprehensive security protocols, including regular software updates, strong password policies, and network monitoring, to protect against such sophisticated attacks. Additionally, the incident highlights the importance of international cooperation in addressing cybercrime, as botnets often operate across multiple jurisdictions.
Conclusion
The DOJ’s successful takedown of the RapperBot botnet and the indictment of its alleged administrator represent a significant victory in the ongoing battle against cybercrime. This case serves as a reminder of the persistent threat posed by botnets and the necessity for continuous vigilance and collaboration among law enforcement agencies, cybersecurity professionals, and the broader community to safeguard digital infrastructure.