
Federal authorities have seized control of “Rapper Bot,” a massive DDoS-for-hire botnet responsible for more than 370,000 attacks worldwide, including strikes against US government systems and major tech firms.
The botnet's alleged administrator, 22-year-old Ethan Foltz of Eugene, Oregon, has been charged in the District of Alaska but was not arrested, only summoned to appear in court.
The criminal complaint, supported by a detailed affidavit from DCIS Special Agent Elliott R. Peterson, outlines how Foltz allegedly developed, operated, and monetized the botnet, which is also known as “CowBot” or “Eleven Eleven Botnet.” Built on the Mirai malware foundation and incorporating elements of fBot and Tsunami, Rapper Bot compromised tens of thousands of IoT devices globally, such as digital video recorders and home routers, to launch massive volumetric attacks, often exceeding 2-3 Terabits per second (Tbps), with peak attacks topping 6 Tbps.
Rapper Bot was dismantled on August 6, 2025, when federal agents executed a search warrant at Foltz's residence. During a recorded interview, Foltz admitted to being the botnet's primary administrator and voluntarily handed over access to the Command and Control (C2) infrastructure. The botnet's attack capabilities were disabled on the spot, and administrative control was transferred to the Defense Criminal Investigative Service (DCIS). No further attacks have been observed since.
A decentralized, profitable DDoS-as-a-service
According to court records, Rapper Bot had between 65,000 and 95,000 infected devices under its control at any given time. The botnet supported a customer base of roughly a dozen paying clients, each given access to a segment of the botnet, typically 10,000 to 30,000 devices per user. Foltz and his partner, known only as “SlayKings,” reserved full access and unlimited attack durations for themselves. Attack limits, cooldown periods, and even “fake bot” counts were used to manage client expectations and maintain control over botnet performance.
The botnet's activity inflicted substantial economic harm. A single 30-second attack exceeding 2 Tbps could cost a victim between $500 and $10,000 in bandwidth and mitigation costs, based on industry averages. Victims included a major US social media platform (which suffered outages in March 2025), Department of Defense systems, and commercial hosting providers. Evidence also suggests that some clients used Rapper Bot to extort their targets, threatening to launch devastating attacks unless paid in cryptocurrency.
Telegram logs provided by Foltz and intercepted during the investigation show that Rapper Bot's operators regularly coordinated extortion campaigns, boasting of profits and mocking their victims' struggles. One extortion attempt sought $9,000 in Monero from a target after prolonged attacks. Foltz and his partner frequently discussed operational strategy, financial gains, and even rival botnet operators, specifically avoiding public stunts that could attract law enforcement attention, such as targeting journalist Brian Krebs.
AWS played a key role in the investigation by identifying Rapper Bot's C2 infrastructure and reverse-engineering the malware. Their analysis corroborated federal data showing over 370,000 attacks conducted since April 2025, targeting 18,000 unique victims in more than 80 countries. Google Cloud, Akamai, DigitalOcean, Cloudflare, and others also contributed to the takedown effort as part of Operation PowerOFF, an international law enforcement initiative targeting DDoS-for-hire services.