⚖️ DOJ announces takedown of RapperBot botnet responsible for over 370,000 cyberattacks

The U.S. Department of Justice has announced charges against Ethan Foltz, a 22-year-old man from Eugene, Oregon, accused of running a powerful cyber weapon called RapperBot. According to investigators, the botnet was used to launch over 370,000 cyberattacks against victims in more than 80 countries.

Authorities say the botnet was capable of overwhelming computers, servers, and even entire networks by sending huge floods of unwanted internet traffic. This type of attack is known as a Distributed Denial-of-Service (DDoS) attack. Victims are left unable to access their systems, often causing major disruptions.

The Department of Justice revealed that Foltz acted as the administrator of the botnet. He oversaw its operations and allegedly provided paying customers with access to the platform. The botnet was large enough to launch attacks of over 6 terabits per second, one of the highest rates ever recorded.

Officials confirmed that the botnet was dismantled earlier this month when law enforcement gained control of its infrastructure. This action is part of Operation PowerOFF, an international campaign aimed at shutting down DDoS-for-hire services worldwide.

How RapperBot Worked

RapperBot, also called “Eleven Eleven Botnet” and “CowBot,” is a malicious network that infected common devices found in homes and businesses. These included Wi-Fi routers, digital video recorders (DVRs), and other internet-connected equipment. Once compromised, the devices were turned into “zombie” machines that followed commands from the botnet operator.

The system spread itself by breaking into devices through brute-force attacks on SSH and Telnet, two common ways of connecting to equipment over the internet. By guessing passwords repeatedly, the malware gained entry and then installed itself. Once inside, the device became part of the botnet army.

Cyber experts say RapperBot was heavily inspired by earlier botnets such as Mirai and fBot (Satori). However, RapperBot expanded its abilities. Beyond launching cyberattacks, reports from Fortinet showed it also hijacked computing power to secretly mine cryptocurrency like Monero. This allowed its controllers to profit not only by selling DDoS attacks but also by exploiting victims’ hardware for digital coins.

Investigators linked RapperBot to attacks against businesses and organizations in several countries, including the United States, China, Japan, Ireland, and Hong Kong. Between April and early August 2025 alone, the botnet targeted around 18,000 unique victims. Many of the attacks were so powerful that experts believe some may have been attempts at ransom. In these cases, attackers threaten to keep attacking unless the victim pays money to stop it.

Tracing the Mastermind

Law enforcement teams worked across borders to identify the person behind RapperBot. Investigators say they followed digital trails left behind by Foltz. Records showed connections between the botnet and online accounts linked to him, including PayPal, Gmail, and his internet service provider.

In addition, search history records revealed that Foltz had looked up the term “RapperBot” or “Rapper Bot” more than 100 times. This detail, combined with other digital evidence, helped authorities build their case.

On August 6, 2025, agents carried out a search at Foltz’s residence in Eugene, Oregon. They seized electronic devices and also took administrative control of the botnet’s servers. This effectively cut off attackers from using the network for new campaigns.

Foltz has been charged with aiding and abetting computer intrusions, a serious federal crime. If found guilty, he faces a maximum penalty of 10 years in prison.

The takedown of RapperBot marks one of the largest disruptions of a DDoS-for-hire service to date. With tens of thousands of infected devices under its control, the botnet had become a global threat, capable of crippling websites, businesses, and online services within minutes.
