Feds charge alleged administrator of ‘sophisticated’ Rapper Bot botnet
A 22-year-old Oregon man has been charged with running a powerful botnet-for-hire service used to launch hundreds of thousands of cyberattacks worldwide, the U.S. Justice Department said on Tuesday.
Federal prosecutors said Ethan Foltz and accomplices made money by renting out Rapper Bot to paying customers. Those customers used it to flood websites and networks in more than 80 countries with massive distributed denial-of-service (DDoS) attacks. Some allegedly tried to extort victims, demanding payment in exchange for stopping the disruptions.
U.S. law enforcement searched Foltz’s home in Oregon earlier this month and seized Rapper Bot’s infrastructure, suspending its operations. During an interview with investigators, Foltz admitted to being the primary administrator of the botnet, which has been active since at least 2021, according to court filings. If convicted, he faces up to 10 years in prison.
The Justice Department described Rapper Bot — also known as “Eleven Eleven Botnet” and “CowBot” — as “one of the most sophisticated and powerful DDoS-for-hire botnets currently in existence.” Based on the Mirai malware code and incorporating features from Tsunami and fBot, Rapper Bot mainly hijacked digital video recorders (DVRs) and WiFi routers, connecting them tot of a global network of infected machines. Attackers then used this botnet to flood targets with junk traffic.
Between April 2025 and the present, Rapper Bot allegedly carried out more than 370,000 attacks against some 18,000 victims, the DOJ said. The top five countries hit were China, Japan, the U.S., Ireland and Hong Kong.
In the U.S, victims included a federal government network, a major social media company and several technology firms that provide services to the Department of Defense. Investigators also identified at least five infected devices in Alaska, where charges were filed, that were used to participate in attacks.
Prosecutors said some of the more lucrative campaigns targeted Chinese gambling websites, which Foltz acknowledged during questioning.
“There appeared to be an undercurrent of extortion with these attacks,” the Justice Department said.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.