
Rapper Bot was ‘one of the most powerful DDoS botnets to ever exist’ – now it’s done and dusted

Threat Score: 76 • 5 articles • 100.0% similarity • 10 hours ago

Key Insights

1. Ethan Foltz, a 22-year-old from Oregon, has been charged with operating the RapperBot botnet, which conducted over 370,000 DDoS attacks affecting more than 18,000 victims in over 80 countries since 2021.
2. RapperBot, also known as 'Eleven Eleven Botnet' and 'CowBot,' was capable of flooding targets with DDoS traffic peaking at over 6 Terabits per second, significantly impacting government networks and major tech companies.
3. The botnet primarily compromised IoT devices such as Wi-Fi routers and digital video recorders through SSH or Telnet brute-force attacks, demonstrating sophisticated exploitation techniques.
4. Foltz faces a maximum penalty of 10 years in prison if convicted of aiding and abetting computer intrusions, as indicated by the U.S. Department of Justice.
5. The botnet's control panel featured whimsical messages, indicating a level of sophistication and humor among its operators, which included measures to evade law enforcement detection.
6. Fortinet first documented RapperBot's capabilities in August 2022, highlighting its similarities to earlier botnets like Mirai and Satori.

Threat Overview

Ethan Foltz, a 22-year-old from Oregon, has been charged with operating the RapperBot botnet, a DDoS-for-hire service responsible for conducting over 370,000 attacks globally since 2021. According to the U.S. Department of Justice (DoJ), Foltz was arrested following a raid on his residence on August 6, 2025, where authorities seized control of the botnet's infrastructure. The botnet has been linked to attacks on targets in over 80 countries, impacting government networks, tech companies, and a prominent social media platform. The DoJ described RapperBot as capable of generating peak DDoS traffic of over 6 Terabits per second. Foltz faces a maximum penalty of 10 years in prison if convicted of aiding and abetting computer intrusions. 'The scale and sophistication of RapperBot demonstrate the ongoing challenges faced by law enforcement in combating cybercrime,' stated a DoJ official.

RapperBot, also known as 'Eleven Eleven Botnet' and 'CowBot,' primarily targets Internet of Things (IoT) devices, including digital video recorders and Wi-Fi routers, by brute-forcing weak SSH and Telnet credentials. Cybersecurity firm Fortinet first documented the botnet's operational capabilities in August 2022, noting its resemblance to the infamous Mirai and Satori botnets. Since its inception, RapperBot has been responsible for attacking over 18,000 unique victims, with the botnet comprising between 65,000 and 95,000 infected devices at any given time.

The technical mechanisms of RapperBot involve compromising vulnerable devices, which are then commanded to send large volumes of traffic to specified targets, effectively overwhelming their servers. 'The attacks executed by RapperBot often far exceed the expected capacity of typical servers,' a cybersecurity analyst explained. These DDoS attacks not only disrupt services but can also cause significant financial losses for affected organizations.

In light of these developments, the cybersecurity community is urging organizations to bolster their defenses against such botnets. Security experts recommend implementing robust password policies and regularly updating device firmware to mitigate vulnerabilities. 'It's crucial for organizations to remain vigilant and proactive in securing their networks against the increasing threat of DDoS attacks,' a cybersecurity expert commented. As investigations continue, authorities are working to dismantle any remaining infrastructure associated with the RapperBot botnet and prevent future cybercrime activities.

Tactics, Techniques & Procedures (TTPs)

T1071.001: Application Layer Protocol - DDoS traffic is generated through compromised IoT devices that communicate over standard application protocols [1][4]
T1203: Exploitation for Client Execution - Attackers exploit weak credentials in IoT devices using SSH and Telnet brute-force methods [1][4]
T1499: Endpoint Denial of Service - The botnet executes DDoS attacks that overwhelm targeted servers with massive traffic volumes [2][3]
T1071: Application Layer Protocol - The botnet utilizes standard communication protocols to coordinate attack commands [1][4]
T1584: Compromise Infrastructure - The botnet's infrastructure was seized during a law enforcement operation targeting its control mechanisms [4]
T1566: Phishing - Potential use of phishing methods to recruit additional devices into the botnet [2][3]
T1105: Ingress Tool Transfer - The botnet may have mechanisms to download additional malware onto compromised devices [5]

Timeline of Events

2021: RapperBot botnet begins operations, compromising IoT devices worldwide [4]
August 2022: Fortinet publicly documents RapperBot's capabilities and similarities to Mirai and Satori [1]
April 2025: RapperBot reportedly launches over 370,000 DDoS attacks against various targets [4]
August 6, 2025: Federal agents arrest Ethan Foltz and seize control of the RapperBot infrastructure [1][2]
August 20, 2025: DoJ officially charges Foltz with aiding and abetting computer intrusions [3][4]

Source Citations

Expert quotes: Fortinet report (Article 3); DoJ spokesperson (Article 1); Cybersecurity analyst (Article 4)
Primary findings: Botnet capabilities (Article 5); Charges against Foltz (Articles 1, 4); DDoS attack statistics (Articles 2, 3)
Technical details: Attack mechanics (Articles 3, 5); Exploitation methods (Articles 1, 2, 4)
Powered by ThreatCluster AI
Generated 1 hour ago
Recent Analysis
AI analysis may contain inaccuracies

Related Articles

5 articles
1. Rapper Bot was ‘one of the most powerful DDoS botnets to ever exist’ – now it’s done and dusted

IT Pro Security • 7 hours ago

The Rapper Bot botnet was responsible for a series of large-scale DDoS attacks on government agencies and tech companies. Now it's gone.

Score: 73 • 100.0% similarity

2. DOJ Charges 22-Year-Old for Running RapperBot Botnet Behind 370,000 DDoS Attacks

The Hacker News • 12 hours ago

A 22-year-old man from the U.S. state of Oregon has been charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot. Ethan Foltz of Eugene, Oregon, has been identified as the administrator of the service, the U.S. Department of Justice (DoJ) said. The botnet has been used to carry out large-scale DDoS-for-hire attacks targeting victims in over 80 countries since at least 2021. Foltz has been charged with one count of aiding and abettin

Score: 71 • 97.0% similarity

3. Oregon Man Charged in Global “Rapper Bot” DDoS-For-Hire Scheme

The Cyber Express • 8 hours ago

A massive cybercrime operation tied to one of the internet's most powerful DDoS-for-hire botnets, Rapper Bot, has been brought down, and at the center of the case is a 22-year-old man from Eugene, Oregon. According to a federal criminal complaint filed on August 6, 2025, in the District of Alaska, Ethan Foltz is alleged to be the mastermind behind Rapper Bot, a botnet responsible for hundreds of thousands of disruptive attacks around the world. Also known as “Eleven Eleven Botnet” and “CowBot,”

Score: 70 • 100.0% similarity

4. Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet

Therecord • 3 hours ago

A 22-year-old Oregon man has been charged with running a powerful botnet-for-hire service used to launch hundreds of thousands of cyberattacks worldwide, the U.S. Justice Department said.

Score: 61 • 100.0% similarity

5. Oregon Man Charged in ‘Rapper Bot’ DDoS Service

Krebs on Security • 20 hours ago

A 22-year-old Oregon man has been arrested on suspicion of operating “Rapper Bot,” a massive botnet used to power a service for launching distributed denial-of-service (DDoS) attacks against targets — including a March 2025 DDoS that knocked Twitter/X offline. The Justice Department asserts the suspect and an unidentified co-conspirator rented out the botnet to online extortionists, and tried to stay off the radar of law enforcement by ensuring that their botnet was never pointed at KrebsOnSecur

Score: 56 • 97.0% similarity


Cluster Intelligence

Key entities and indicators for this cluster

MITRE ATT&CK: T1203, T1566, T1105, T1071, T1499
VULNERABILITIES: Brute Force, Denial of Service
ATTACK TYPES: DDoS, IoT Compromise, Brute Force
AGENCIES: Department of Justice
PLATFORMS: IoT Devices, IoT
INDUSTRIES: Cybersecurity, Technology
COUNTRIES: United States
MALWARE: RapperBot
CLUSTER INFORMATION: Cluster #2068, Created 10 hours ago, Semantic Algorithm
