A 22-year-old man from the U.S. state of Oregon has been charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot.
Ethan Foltz of Eugene, Oregon, has been identified as the administrator of the service, the U.S. Department of Justice (DoJ) said. The botnet has been used to carry out large-scale DDoS-for-hire attacks targeting victims in over 80 countries since at least 2021.
Foltz has been charged with one count of aiding and abetting computer intrusions. If convicted, he faces a maximum penalty of 10 years in prison. In addition, law enforcement authorities conducted a search of Foltz’s residence on August 6, 2025, seizing administrative control of the botnet infrastructure.
“RapperBot, aka ‘Eleven Eleven Botnet’ and ‘CowBot,’ is a Botnet that primarily compromises devices like Digital Video Recorders (DVRS) or Wi-Fi routers at scale by infecting those devices with specialized malware,” the DoJ said.
“Clients of Rapper Bot then issue commands to those infected victim devices, forcing them to send large volumes of ‘distributed denial-of-service’ (DDoS) traffic to different victim computers and servers located throughout the world.”
Heavily inspired by fBot (aka Satori) and Mirai botnets, RapperBot is known for its ability to break into target devices using SSH or Telnet brute-force attacks and co-opt them into a malicious network capable of launching DDoS attacks. It was first publicly documented by Fortinet in August 2022, with early campaigns observed as far back as May 2021.
A 2023 report from Fortinet detailed the DDoS botnet’s expansion into cryptojacking, profiting off the compromised devices’ compute resources to illicitly mine Monero and maximize value. Earlier this year, RapperBot was also implicated in DDoS attacks targeting DeepSeek and X.
Foltz and his co-conspirators have been accused of monetizing RapperBot by providing paying customers access to a powerful DDoS botnet that has been used to conduct over 370,000 attacks, targeting 18,000 unique victims across China, Japan, the United States, Ireland and Hong Kong from April 2025 to early August.
Prosecutors also allege that the botnet comprised roughly 65,000 to 95,000 infected victim devices to pull off DDoS attacks that measured between two and three Terabits per second (Tbps), with the largest attack likely exceeding 6 Tbps. Furthermore, the botnet is believed to have been used to carry out ransom DDoS attacks aiming to extort victims.
The investigation traced the botnet to Foltz after uncovering IP address links to various online services used by the defendant, including PayPal, Gmail, and the internet service provider. Foltz is also said to have searched on Google for references to “RapperBot” or “Rapper Bot” over 100 times.
The disruption of RapperBot is part of Operation PowerOFF, an ongoing international effort that’s designed to dismantle criminal DDoS-for-hire infrastructures worldwide.
