A 22-year-old Oregon man has been charged after U.S. officials dismantled Rapper Bot, a massive DDoS-for-hire botnet responsible for hundreds of thousands of attacks worldwide.
Quick Summary – TLDR:
- Ethan Foltz of Eugene, Oregon, has been charged with operating the Rapper Bot botnet, responsible for over 370,000 DDoS attacks globally.
- The botnet infected up to 95,000 IoT devices and conducted attacks peaking at over 6 terabits per second.
- Authorities gained control of the botnet after executing a search warrant and traced it through PayPal, Gmail, and IP addresses linked to Foltz.
- The case is part of Operation PowerOFF, an international crackdown on DDoS-for-hire services.
What Happened?
The U.S. Department of Justice has charged Ethan Foltz, a 22-year-old from Eugene, Oregon, with allegedly developing and managing Rapper Bot, one of the largest and most dangerous DDoS-for-hire botnets uncovered to date. After executing a search warrant on August 6, federal agents gained administrative control of the botnet and halted its operations.
📰 PRESS RELEASE 📰 Oregon man charged with administering “Rapper Bot” DDoS-for-hire | Botnet Computer intrusions and other cybercrimes are an investigative priority for DCIS. Learn more about our latest case at the 🔗: https://t.co/biHLzbtQ9g
— DoD Office of Inspector General (@DoD_IG) August 19, 2025
The botnet, also known as Eleven Eleven Botnet and CowBot, had been in operation since at least 2021, infecting IoT devices like DVRs and Wi-Fi routers to launch massive distributed denial-of-service (DDoS) attacks across 80 countries.
Global Scale and Devastating Impact
According to court documents and investigators:
- 370,000 DDoS attacks were linked to Rapper Bot between April and early August 2025.
- These attacks targeted 18,000 unique victims spread across 1,000 different networks.
- The botnet harnessed 65,000 to 95,000 infected devices at any given time.
- Attack traffic regularly reached 2 to 3 terabits per second, with the largest attack possibly exceeding 6 terabits per second.
- DDoS activity was heavily concentrated in China, Japan, the U.S., Ireland, and Hong Kong.
- Victims included a U.S. government network, tech companies, and social media platforms (though exact names were not disclosed).
Tracking the Botmaster
Foltz was identified after investigators connected hosting services used by Rapper Bot to a PayPal account he controlled. They then traced a single IP address used simultaneously for his Gmail, PayPal, and ISP accounts, despite his attempts to mask activity through VPNs.
Further digital forensics revealed:
- Over 100 Google searches for “RapperBot” or “Rapper Bot” by Foltz.
- Links to botnet code derived from Mirai, Tsunami, and fBot malware.
- Evidence of the botnet’s expansion into cryptojacking, using devices to mine Monero cryptocurrency.
- Allegations of ransom DDoS attacks, potentially extorting victims.
During a recorded interview, Foltz admitted to being the primary administrator and identified his main collaborator only as “SlayKings”. At the request of investigators, Foltz voluntarily shut down Rapper Bot’s attack functions and turned over control to authorities.
International Law Enforcement Effort
The takedown was part of Operation PowerOFF, a global initiative targeting DDoS-for-hire services. It follows a broader crackdown in December 2024, when 27 domains tied to similar services were seized.
Multiple major companies collaborated with investigators, including:
- Amazon Web Services
- PayPal
- Cloudflare
- DigitalOcean
- Akamai
- Flashpoint
- Unit 221B
AWS alone helped trace and map Rapper Bot’s command-and-control infrastructure, and confirmed infection of over 45,000 devices across 39 countries.
SQ Magazine Takeaway
Honestly, this one is massive. A single person running a botnet that could flood networks with 6 terabits of data per second is wild. It shows how dangerous unsecured devices can become in the wrong hands. I’m glad law enforcement not only stopped the attacks but also exposed the inner workings of such a sophisticated system. What blows my mind is how this botnet lived in plain sight for years, renting out attacks like a dark web Uber. This case should be a wake-up call for companies and everyday users to harden their devices and patch up vulnerabilities fast.