
The U.S. Department of Justice has charged a 22-year-old Oregon man with operating RapperBot, a large-scale botnet-for-hire that powered more than 370,000 DDoS attacks between April and August 2025. Built on tens of thousands of compromised IoT devices, the botnet was linked to some of the most disruptive attacks of the past year, including the March 2025 flood that knocked Twitter/X offline.
Federal agents arrested Ethan J. Foltz of Springfield, Oregon, on August 6, seizing administrative control of RapperBot’s infrastructure. According to the criminal complaint, Foltz admitted to running the botnet together with a partner known online as “Slaykings.” The two split profits and rented out access to paying customers, many of whom used the service to extort businesses. Gambling operators in China were among the most frequent victims, but attacks were recorded across Japan, the United States, Ireland and Hong Kong.
RapperBot, also called “Eleven Eleven Botnet” and, in some instances, “CowBot,” is a direct descendant of the Mirai malware that has fueled some of the largest DDoS events since 2016. The botnet borrowed heavily from fBot, or Satori, and spread by brute-forcing Telnet and SSH credentials to compromise routers, DVRs and other IoT devices. Once infected, those devices became part of a network capable of overwhelming almost any online service. By the time of Foltz’s arrest, RapperBot had enslaved an estimated 65,000 to 95,000 devices worldwide.
The botnet was capable of launching floods that consistently measured between two and three terabits per second, with some campaigns exceeding six terabits. Investigators noted that such traffic volumes were hundreds of times greater than the typical capacity of a data center server. Most customers were only permitted to launch short, one-minute floods, but trusted clients were granted access to longer and more destructive campaigns. Beyond DDoS-for-hire, RapperBot was also used to hijack device computing resources to mine cryptocurrency, adding an extra revenue stream for its operators.
The investigation traced Foltz through a series of digital breadcrumbs. One of RapperBot’s command servers was hosted at an ISP in Arizona and paid for via PayPal. That account led investigators to Foltz’s Gmail address, which in turn revealed repeated Google searches for “RapperBot” and updates about competing botnets. When confronted, Foltz admitted his role and even provided chat logs detailing his collaboration with Slaykings. Just before his arrest, he told his partner that he had discovered 32,000 new vulnerable devices and declared, “Once again we have the biggest botnet in the community.”
RapperBot’s takedown was part of Operation PowerOFF, an international initiative to dismantle DDoS-for-hire services. Amazon Web Services supported the effort by helping identify command-and-control servers across 39 countries and reverse engineering the malware to map its operations. The case is being prosecuted in the District of Alaska, where some of the infected devices were located.
Although Foltz faces a maximum sentence of 10 years in prison, legal experts note that such an outcome is unlikely for a first-time conviction. Still, the disruption of RapperBot marks a significant milestone. Since Mirai’s source code was leaked nearly a decade ago, countless botnets have emerged by repurposing its methods, and RapperBot was one of the most notorious to date. Its fall demonstrates that law enforcement and industry cooperation can dismantle even large, well-managed DDoS operations — but it also serves as a reminder that the wider ecosystem of IoT botnets continues to evolve.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com