Oregon Man Charged in Major Botnet Operation: The Case of RapperBot
A 22-year-old from Eugene, Oregon, is at the center of a significant cybercrime case, having been charged with running a notorious distributed denial-of-service (DDoS) botnet known as RapperBot. According to the U.S. Department of Justice (DoJ), Ethan Foltz has been linked to the development and management of this botnet, which has orchestrated DDoS attacks across more than 80 countries since 2021.
The Nature of the Charges
Foltz faces a severe charge of aiding and abetting computer intrusions, which could lead to a maximum prison sentence of ten years if he is convicted. The seriousness of these allegations was underscored by a law enforcement raid on his home in early August 2025, during which authorities seized control of the botnet’s infrastructure.
Understanding RapperBot
RapperBot—also referred to as the "Eleven Eleven Botnet" and "CowBot"—is engineered to exploit everyday devices like Digital Video Recorders (DVRs) and Wi-Fi routers. This botnet infects these devices with specific malware, allowing clients to send commands that generate substantial volumes of traffic directed at various victim computers and servers globally. The scale and efficiency with which RapperBot operates highlight its alarming capability to execute coordinated attacks on a massive scale.
Technical Insights: How It Works
RapperBot’s modus operandi draws inspiration from earlier botnets like fBot (Satori) and Mirai. It employs brute-force techniques to infiltrate target devices, gaining unauthorized access via protocols such as SSH or Telnet. Once compromised, these devices become part of an expansive malicious network, equipped to launch formidable DDoS assaults. RapperBot was first documented in August 2022, but its activity has reportedly been traced to campaigns dating back to May 2021.
In a noteworthy shift, a 2023 report from Fortinet revealed that the botnet had also ventured into cryptojacking, using the processing power of compromised devices to mine Monero and enhance its financial gains. Earlier this year, RapperBot was implicated in targeted DDoS attacks against companies like DeepSeek and X, further solidifying its reputation in the cybercrime arena.
Monetizing Cyberattacks
Foltz and his collaborators are accused of capitalizing on RapperBot’s capabilities by offering services to customers seeking to execute DDoS attacks. Between April 2025 and early August, the botnet reportedly carried out over 370,000 attacks on approximately 18,000 unique victims across various regions, including China, Japan, the United States, Ireland, and Hong Kong. This alarming statistic underscores the broad impact and scope of Foltz’s operations.
Scale of the Attacks
It is estimated that the botnet leveraged between 65,000 and 95,000 compromised devices to mount DDoS attacks that could reach stifling bandwidths of two to three terabits per second (Tbps). Some estimates suggest that the largest attack executed by RapperBot may have surpassed 6 Tbps, showcasing the botnet’s capacity to inflict significant damage.
Additionally, authorities believe that some of the botnet’s operations included ransom DDoS attacks aimed at extorting victims, further complicating the legal and ethical implications surrounding Foltz’s activities.
The Investigation and International Efforts
Investigations leading to Foltz’s arrest traced multiple connections to his online activities, including usage of services such as PayPal and Gmail, as well as patterns of online searches related to "RapperBot." These insights contributed to mounting a compelling case against him.
The dismantling of RapperBot forms part of Operation PowerOFF, an ongoing initiative targeting the infrastructure of DDoS-for-hire services on a global scale. This operation reflects a concerted effort among international law enforcement agencies to combat cybercrime and the threats posed by botnets.
As the legal proceedings progress, this case serves as a stark reminder of the vulnerabilities inherent in our digital landscape and the potential consequences of cybercriminal activities.


