U.S. Department of Justice Charges 22-Year-Old for Operating RapperBot Botnet Involved in 370,000 DDoS Attacks

The U.S. Department of Justice (DoJ) has charged 22-year-old Ethan Foltz from Eugene, Oregon, for allegedly developing and managing a distributed denial-of-service (DDoS)-for-hire botnet known as RapperBot. This botnet has been implicated in large-scale DDoS attacks affecting victims across more than 80 countries since at least 2021.

Foltz faces one count of aiding and abetting computer intrusions, which carries a maximum penalty of 10 years in prison. On August 6, 2025, law enforcement authorities executed a search warrant at Foltz’s residence, seizing control of the botnet’s infrastructure.

RapperBot, also referred to as Eleven Eleven Botnet and CowBot, primarily targets devices such as Digital Video Recorders (DVRs) and Wi-Fi routers. It infects these devices with specialized malware, enabling clients to command the compromised devices to generate massive volumes of DDoS traffic directed at various global targets.

Inspired by previous botnets like fBot (also known as Satori) and Mirai, RapperBot is notable for compromising devices through SSH or Telnet brute-force attacks and enrolling them in a network built to execute DDoS attacks. Fortinet first documented RapperBot publicly in August 2022, with initial activities traced back to May 2021.

In 2023, Fortinet reported that RapperBot had expanded its operations to include cryptojacking, exploiting the processing power of compromised devices to mine Monero cryptocurrency illicitly. Earlier this year, the botnet was also linked to DDoS attacks targeting entities such as DeepSeek and X.

Foltz and his associates are accused of monetizing RapperBot by offering paying clients access to a potent DDoS botnet. Between April 2025 and early August, this botnet was used to execute over 370,000 attacks, affecting 18,000 unique victims in countries including China, Japan, the United States, Ireland, and Hong Kong.

Amazon Web Services (AWS) reported that RapperBot had infected more than 45,000 devices across 39 countries. AWS contributed to the investigation by identifying the botnet’s command-and-control infrastructure and reverse-engineering the IoT malware to map its operations.

Prosecutors allege that the botnet comprised approximately 65,000 to 95,000 infected devices, enabling DDoS attacks with volumes between two and three terabits per second (Tbps). The largest attack is believed to have exceeded 6 Tbps. Additionally, the botnet is suspected of conducting ransom DDoS attacks aimed at extorting victims.

The investigation linked the botnet to Foltz by tracing IP addresses associated with various online services he used, including PayPal, Gmail, and his internet service provider. Notably, Foltz reportedly conducted over 100 Google searches for terms like "RapperBot" or "Rapper Bot".

The dismantling of RapperBot is part of Operation PowerOFF, an ongoing international initiative aimed at disrupting criminal DDoS-for-hire infrastructure worldwide.