The U.S. Department of Justice has filed charges against 22-year-old Ethan Foltz from Eugene, Oregon, identified as the alleged creator and operator of the botnet known as "RapperBot," a network of compromised devices used to launch for-hire DDoS attacks.
According to authorities, Foltz allegedly rented out this botnet to other cybercriminals, who used it to target multiple organizations.
The malicious network was dismantled on August 6 during a raid at his home, as part of Operation PowerOff—a coordinated effort to take down cyberattack services available on the dark web.
RapperBot: A Mirai-Based Botnet That Infected Thousands of Devices Worldwide
The malware botnet known as RapperBot, also referred to as "Eleven Eleven" and "CowBot," has been active since at least 2021. This threat, based on Mirai code, managed to infect tens of thousands of vulnerable DVRs (digital video recorders) and routers around the globe.
With an estimated attack capacity between 2 and 6 Tbps (terabits per second), RapperBot was a powerful tool in the cybercriminal arsenal.
According to the U.S. Department of Justice, this botnet was used to target more than 18,000 victims in at least 80 countries, including U.S. government agencies, media platforms, video game companies, and major tech firms.
And as if that weren’t enough, in 2023 RapperBot evolved even further: it incorporated a cryptomining module, allowing it to generate extra illicit profits by exploiting the resources of compromised devices to mine cryptocurrency.
[Figure: RapperBot execution flow]
RapperBot Botnet Launched 370,000 DDoS Attacks Using Devices in 39 Countries
Amazon Web Services (AWS) played a key role in the RapperBot investigation, working with U.S. authorities to track its command and control infrastructure and provide actionable intelligence.
According to AWS data, since April 2025 alone, RapperBot was responsible for over 370,000 DDoS attacks. These attacks varied in intensity, reaching several terabits per second and over one billion packets per second (pps). All this power came from a network of more than 45,000 infected devices across at least 39 countries.
Although many of these attacks lasted only seconds, their effects were devastating. The Department of Justice (DOJ) explained that a 30-second attack of over 2 Tbps could cause losses ranging from $500 to $10,000 for the victims. In many cases, these attacks were accompanied by extortion threats: RapperBot operators demanded payments in exchange for halting the attacks.
The complaint also notes that some of the “clients” who rented the botnet used this digital extortion strategy as an illicit business model.
As for the suspect, Ethan Foltz was formally charged with aiding and abetting computer intrusions. If convicted, he could face up to 10 years in prison. However, for now, Foltz is not in custody. He was summoned to court following the official filing of charges and remains free as the legal process moves forward.
On the technical side, since authorities seized RapperBot’s infrastructure on August 6, 2025, no new malicious activity linked to the botnet has been detected. All signs indicate that there are no backup C2 servers in the hands of other operators, suggesting the network has been fully dismantled.
What’s Next in the Fight Against Cybercrime?
The RapperBot case delivers a clear message: even though cybercriminals operate from the shadows, international collaboration among security agencies, tech companies, and governments can truly make a difference.
However, it also exposes several urgent areas where much work remains if we hope to prevent future large-scale attacks. These include:
- Stricter regulation for IoT devices, which are still hitting the market with basic vulnerabilities.
- User education and awareness, since a weak password or poor practice often opens the door to an attack.
- Increased investment in detection and monitoring technologies, enabling real-time threat identification before major damage occurs.
RapperBot won’t be the last case. But with coordinated actions and smart decisions, we can be much better prepared for the next one.