19.08.2025
2 min
508
The US has charged 22-year-old Oregon resident Ethan Foltz, who is believed to be the administrator of the RapperBot botnet, which carried out more than 370,000 DDoS attacks in more than 80 countries.
The US Department of Justice said that Ethan Foltz of Eugene developed and operated the DDoS-for-hire service RapperBot, also known as the Eleven Eleven Botnet and CowBot. The botnet infected DVR devices and Wi-Fi routers via SSH and Telnet brute force, after which the compromised devices were used for large-scale attacks. According to the investigation, RapperBot has been involved in more than 370,000 attacks since 2021, targeting 18,000 unique targets in the US, China, Japan, Ireland and Hong Kong. The attack power reached 2–3 Tbps, and the largest could exceed 6 Tbps. In addition to DDoS, RapperBot was used for cryptojacking and extortion attacks. The investigation found traces of Foltz’s activity in PayPal, Gmail, and his ISP, as well as numerous search queries for RapperBot. On August 6, 2025, his home was searched and the botnet infrastructure was shut down as part of the international Operation PowerOFF.
RapperBot was first described by Fortinet analysts in 2022, although the first campaigns were recorded as early as May 2021. The botnet turned out to be a derivative of Mirai and Satori and had the ability to expand rapidly. In 2023, researchers recorded the use of infected devices for mining Monero, and later for attacks on major platforms, including DeepSeek and X. Prosecutors say Foltz and his accomplices sold access to the botnet to clients who could launch attacks for money.
While Ethan Foltz faces up to 10 years in prison, the case has a broader message — even young cybercriminals who try to monetize botnets as “services” are becoming targets of international operations. The incident highlights the global danger of DDoS-for-hire and the importance of international cooperation in combating botnet infrastructure.
