In a significant blow against global cybercrime, federal authorities have charged a 22-year-old Oregon man with allegedly developing and administering one of the most powerful distributed denial-of-service (DDoS) botnets in existence. Ethan Foltz, of Eugene, Oregon, faces serious charges in connection with the sophisticated operation known as “Rapper Bot,” a network accused of unleashing large-scale cyberattacks on targets across more than 80 countries, including X (formerly Twitter) and U.S. government networks. This breaking news highlights the ongoing efforts by law enforcement to dismantle illicit digital infrastructures.
The Charges and a Global Disruption
Ethan Foltz was charged by federal criminal complaint in the District of Alaska with one count of aiding and abetting computer intrusions. The charges follow an intensive investigation that culminated on August 6, 2025, when federal agents executed a search warrant at Foltz’s residence. During the operation, law enforcement successfully terminated Rapper Bot’s attack capabilities and seized administrative control of the botnet’s infrastructure. Since this decisive action, private sector partners have reported no further Rapper Bot attacks, marking a crucial disruption in the landscape of cyberthreats.
The case is being prosecuted by Assistant U.S. Attorney Adam Alexander, primarily handling child exploitation and cybercrime offenses in the District of Alaska. The lead investigative agency is the Defense Criminal Investigative Service (DCIS), the criminal investigative division of the Department of Defense (DoD) Office of Inspector General. This joint effort, which involved assistance from major private sector partners like Akamai, Amazon Web Services, Cloudflare, Google, and PayPal, underscores the collaborative approach required to combat complex transnational cybercriminal enterprises.
Anatomy of a Digital Weapon: Rapper Bot’s Capabilities
Described by prosecutors as “one of the most sophisticated and powerful DDoS-for-hire Botnets currently in existence,” Rapper Bot, also known by aliases such as “Eleven Eleven Botnet” and “CowBot,” has been operational since at least 2021. The botnet’s methodology involved compromising vulnerable Internet of Things (IoT) devices, particularly digital video recorders (DVRs) and Wi-Fi routers, by infecting them with specialized malware. Once enslaved, these devices were compelled to send massive volumes of “Distributed Denial of Service” (DDoS) traffic to victim computers and servers worldwide.
Rapper Bot distinguished itself with its immense attack capabilities. It typically harnessed between 65,000 and 95,000 infected devices to conduct DDoS attacks that commonly measured between two to three terabits per second (Tbps). Alarmingly, some of its largest recorded attacks are alleged to have exceeded six terabits per second, a volume capable of overwhelming even the most robust online defenses. For context, one source noted that a 6.3 Tbps attack was, at the time, the largest DDoS attack Google had ever mitigated, illustrating the sheer destructive power attributed to Rapper Bot. The botnet improved upon the Mirai malware foundation, integrating brute-force capabilities to crack SSH keys and obfuscation techniques to evade detection.
Broad Reach and Profiteering Through Extortion
The scope of Rapper Bot’s malicious activities was truly global. Investigations revealed that the botnet targeted victims across more than 80 countries, with a notable concentration of attacks in China, Japan, the United States, Ireland, and Hong Kong. High-profile targets included a U.S. government network, a popular social media platform (identified as X, which experienced intermittent outages in March 2025), and numerous U.S. tech companies. From April 2025 until its recent shutdown, Rapper Bot allegedly conducted over 370,000 attacks against approximately 18,000 unique victims.
Foltz and his alleged co-conspirators are accused of monetizing Rapper Bot by offering it as a “DDoS-for-hire” service to paying customers. These customers, including those involved in online gambling operations, allegedly leveraged the botnet’s formidable attack volumes for extortion schemes, threatening victims with devastating attacks unless payments, often in cryptocurrency, were made. The financial impact on victims was substantial; a single 30-second DDoS attack averaging over two terabits per second could incur costs ranging from $500 to $10,000 in lost revenue, bandwidth usage, and resources dedicated to mitigation. Furthermore, Rapper Bot reportedly expanded its illicit activities to include cryptojacking in 2023, illicitly mining Monero using compromised devices’ compute resources.
The Road Ahead: Legal Ramifications and Broader Implications
If convicted of aiding and abetting computer intrusions, Ethan Foltz faces a maximum penalty of 10 years in prison. This legal action is part of a broader, ongoing international initiative known as Operation PowerOFF, which aims to dismantle criminal DDoS-for-hire infrastructures worldwide. The successful seizure of Rapper Bot highlights the persistent and evolving threat posed by large-scale botnets and the critical importance of international cooperation between law enforcement agencies and private cybersecurity firms.
The charges against Foltz send a clear message to those engaged in cybercrime: the global community is increasingly equipped and determined to track, apprehend, and prosecute individuals who threaten digital security and economic stability. The successful disruption of the Rapper Bot botnet marks a significant victory in the continuous fight against malicious online activities, safeguarding critical infrastructure and social platforms from devastating cyberattacks. The ongoing news and developments in this case will be closely watched by cybersecurity experts and the public alike.
