Original Article Text

“Rapper Bot” malware seized, alleged developer identified and charged.

The U.S. Department of Justice (DoJ) announced charges against the alleged developer and administrator of the "Rapper Bot" DDoS-for-hire botnet. Ethan Foltz, 22, of Eugene, Oregon, allegedly rented the botnet to cybercriminals who targeted various organizations. The botnet operation itself was seized as part of 'Operation PowerOff' on August 6, during a raid at Foltz’s residence in Oregon.

The Mirai-based malware botnet, which is also known as “Eleven Eleven” and “CowBot,” has been active since at least 2021 and infected tens of thousands of Digital Video Recorders (DVRs) and router devices. Its firepower ranged between 2 and 6 Tbps (terabits per second).

The U.S. DoJ announcement explains that Rapper Bot was used to target over 18,000 entities across 80 countries, including U.S. government systems, major media platforms, gaming companies, and large tech firms. In 2023, Rapper Bot added a cryptomining module to diversify its revenue stream and maximize profits from compromised devices.

Amazon Web Services (AWS), which helped trace Rapper Bot's command and control infrastructure and assisted U.S. law enforcement with actionable intelligence, reports that since April 2025, Rapper Bot launched 370,000 attacks. These attacks ranged from several terabits to over 1 billion packets per second (pps), with the power coming from more than 45,000 compromised devices across 39 countries.

Even if they last only a short period, the attacks can cost victims thousands of US dollars, says the DoJ, and extortion is often involved.

“The criminal complaint details that a DDoS attack averaging over two Terabits per second lasting 30 seconds might cost a victim anywhere from $500 to $10,000,” explained the DoJ. “It is also alleged that some Rapper Bot customers used extortion demands, leveraging the DDoS attack volumes of the Botnet to extort victims.”

Foltz was charged with aiding and abetting computer intrusions, which carries a maximum sentence of up to ten years in prison if convicted. Currently, though, Foltz remains free. He was issued a summons following the filing of the criminal complaint.

Rapper Bot has not shown any signs of resurgence in malicious activity following the seizure of its infrastructure by the authorities on August 6, so the existence of backup C2s controlled by other operators seems unlikely at this point.

Daily Brief Summary

DDOS // U.S. DoJ Shuts Down Rapper Bot DDoS-for-Hire Network

The U.S. Department of Justice charged Ethan Foltz, 22, with operating the Rapper Bot DDoS-for-hire network, impacting over 18,000 entities in 80 countries.

Operation PowerOff led to the seizure of the botnet on August 6, dismantling its infrastructure and halting its malicious activities.

Rapper Bot, active since 2021, utilized Mirai-based malware to compromise tens of thousands of DVRs and routers, achieving attack bandwidths of 2 to 6 Tbps.

The botnet targeted diverse sectors, including U.S. government systems, media platforms, and tech firms, often involving extortion tactics.

Amazon Web Services played a crucial role in tracing the botnet's command and control infrastructure, aiding law enforcement efforts.

The botnet's infrastructure showed no signs of resurgence, indicating a successful operation with no backup command centers detected.

Foltz faces charges of aiding and abetting computer intrusions, with a potential sentence of up to ten years, although he remains free on a summons.