DOJ charges 22-year-old accused RapperBot botmaster

A 22-year-old man from Oregon, Ethan Foltz, has been charged with allegedly developing and managing a distributed denial-of-service (DDoS)-for-hire botnet known as RapperBot. The U.S. Department of Justice (DoJ) reported that this botnet has been responsible for large-scale DDoS attacks targeting victims in over 80 countries since at least 2021. Foltz faces one count of aiding and abetting computer intrusions, with a potential maximum penalty of 10 years in prison if convicted. Law enforcement authorities executed a search warrant at Foltz’s residence on August 6, 2025, seizing control of the botnet infrastructure. RapperBot, also referred to as ‘Eleven Eleven Botnet’ and ‘CowBot,’ primarily compromises devices such as Digital Video Recorders (DVRs) and Wi-Fi routers by infecting them with specialised malware.

Clients of RapperBot can issue commands to these infected devices, compelling them to generate significant volumes of DDoS traffic directed at various victim computers and servers globally. Heavily inspired by the fBot (also known as Satori) and Mirai botnets, RapperBot employs SSH and Telnet brute-force attacks to infiltrate target devices. A 2023 report from Fortinet highlighted the botnet’s expansion into cryptojacking, exploiting compromised devices to mine Monero illicitly. Foltz and his co-conspirators are accused of monetising RapperBot, conducting over 370,000 attacks against 18,000 unique victims across multiple countries, including China, Japan, and the United States. The botnet is believed to have comprised between 65,000 and 95,000 infected devices, executing DDoS attacks that reached up to 6 Terabits per second. The investigation linked Foltz to the botnet through various online services, including PayPal and Gmail, and he reportedly searched for “RapperBot” over 100 times. The disruption of RapperBot is part of Operation PowerOFF, an international initiative aimed at dismantling criminal DDoS-for-hire networks worldwide.