Federal authorities have charged Ethan Foltz, a 22-year-old from Eugene, Oregon, with allegedly developing and operating RapperBot, a powerful distributed denial-of-service (DDoS) botnet offered as a criminal service. This DDoS-for-hire operation, which infected devices like digital video recorders (DVRs) and Wi-Fi routers, has been used to conduct over 370,000 attacks since at least 2021, targeting victims in more than 80 countries. The U.S. Department of Justice (DoJ) and other law enforcement agencies successfully took down the botnet by seizing its command-and-control infrastructure during a search of Foltz’s residence on August 6, 2025. This action is a significant victory in the ongoing global fight against cybercrime.
A botnet is a network of internet-connected devices infected with malware that allows an attacker to control them remotely. These compromised devices, often referred to as “bots” or “zombies,” can then be used to perform malicious tasks without their owners’ knowledge. RapperBot, also known as “Eleven Eleven Botnet” and “CowBot,” was heavily inspired by well-known botnets like fBot (aka Satori) and Mirai. It worked by using brute-force attacks via SSH or Telnet to guess weak or default credentials, gaining access to insecure devices like routers. Once a device was infected, it was conscripted into the botnet, ready to be commanded to launch DDoS attacks. By leveraging a massive number of compromised devices, the botnet could flood a target’s server with so much fake traffic that it would become unavailable to legitimate users.
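A defensive view of the SSH credential-guessing step described above, as an added example that is not from the original article or the investigation: it scans OpenSSH-style log lines for sources that fail logins across several usernames and flags any that then log in successfully. The function name, thresholds and sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation IP ranges, not real data).
SAMPLE_LOG = """\
Aug  6 03:14:01 dvr sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Aug  6 03:14:02 dvr sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Aug  6 03:14:03 dvr sshd[812]: Failed password for invalid user support from 203.0.113.7 port 40114 ssh2
Aug  6 03:14:04 dvr sshd[813]: Failed password for invalid user ubnt from 203.0.113.7 port 40115 ssh2
Aug  6 03:14:09 dvr sshd[814]: Accepted password for root from 203.0.113.7 port 40120 ssh2
Aug  6 09:30:11 dvr sshd[900]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Aug  6 09:30:19 dvr sshd[900]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
"""

# Matches OpenSSH password-authentication results, with or without "invalid user".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def find_credential_guessing(log_text, min_failures=4, min_users=3):
    """Report source IPs whose failed logins span many usernames (hypothetical thresholds)."""
    failures = defaultdict(int)
    users = defaultdict(set)
    breached = set()
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue
        ip = m.group("ip")
        # Was this source already behaving like a guesser before this event?
        guessing = failures[ip] >= min_failures and len(users[ip]) >= min_users
        if m.group("result") == "Failed":
            failures[ip] += 1
            users[ip].add(m.group("user"))
        elif guessing:
            breached.add(ip)  # success right after guessing: treat device as compromised
    return {
        ip: {"failures": n, "users": sorted(users[ip]), "breached": ip in breached}
        for ip, n in failures.items()
        if n >= min_failures and len(users[ip]) >= min_users
    }

if __name__ == "__main__":
    for ip, info in find_credential_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by a successful login, as in the last two sample lines, is not flagged because it stays under both thresholds.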
The primary way Foltz and his co-conspirators monetized RapperBot was by selling access to the botnet’s attack capabilities. Paying customers could use the service to unleash DDoS attacks against any internet-connected target. From April 2025 to early August alone, the botnet targeted approximately 18,000 unique victims across various countries, including China, Japan, the United States, Ireland, and Hong Kong. The attacks were massive, with prosecutors alleging the botnet comprised 65,000 to 95,000 devices capable of generating attacks measuring between 2 and 3 Terabits per second (Tbps), with one attack likely exceeding 6 Tbps. Some of the botnet’s clients even used the attacks as a form of ransom, extorting money from victims. A 2023 report also detailed how the botnet expanded its operations into cryptojacking, illicitly using the compromised devices’ computing power to mine Monero cryptocurrency for additional profit.
The investigation into RapperBot’s operations was a collaborative effort involving multiple agencies and private sector partners. Amazon Web Services (AWS) played a crucial role, helping law enforcement identify the botnet’s command-and-control (C2) infrastructure and reverse-engineer the malware to map its operations. This technical assistance was key to the investigation, which ultimately traced the botnet to Foltz through IP address links to his online services, including his PayPal and Gmail accounts. Evidence also showed that Foltz had searched for “RapperBot” over 100 times, further linking him to the criminal enterprise. His arrest and the takedown of the botnet are part of a larger, ongoing international initiative called Operation PowerOFF, which aims to dismantle DDoS-for-hire services globally.
Ethan Foltz has been charged with one count of aiding and abetting computer intrusions. If convicted, he faces a maximum sentence of 10 years in prison. His case underscores the severe legal consequences for those who develop and operate cybercrime services, even from what might seem like a distance. The coordinated action in this case, spanning multiple countries and involving both law enforcement and private tech companies, highlights the increasing commitment to disrupting the financial incentives and technical infrastructure that fuel the DDoS-for-hire market. It sends a clear message that these “booter” or “stresser” services, which lower the barrier to entry for cyberattacks, are being aggressively targeted and that the operators will be held accountable.