RapperBot, the network used for DDoS attacks, spoiled

On September 19, 2025, the U.S. Department of Justice announced charges against a U.S. citizen for his alleged involvement in operating a botnet dedicated to distributed denial-of-service (DDoS) attacks. Ethan Foltz, 22, of Eugene, Oregon, was the alleged administrator of the RapperBot botnet, also known as Eleven Eleven Botnet and CowBot. This network was dedicated to infecting and controlling IoT devices, primarily video surveillance DVR and Wi-Fi routers, to launch massive DDoS attacks against victims in more than 80 countries.

According to the indictment, Foltz and his accomplices sold access to the botnet's capabilities. Between April and August 2025, RapperBot was allegedly used to launch more than 370,000 DDoS attacks against 18,000 unique victims. Among the organizations targeted were the U.S. government, technology companies, and social media platforms, according to court documents. Foltz has been charged with conspiracy to commit computer intrusion and faces up to 10 years in prison if convicted.

The Department of Justice states that RapperBot was dismantled in early August, following the execution of a search warrant at Foltz's residence in Oregon, which provided law enforcement with administrative control of the botnet.

RapperBot is estimated to have been using between 65,000 and 95,000 infected devices to launch attacks averaging 2 to 6 terabits per second. This botnet is based on Mirai code and had the ability to force credentials from different types of services and then establish persistence mechanisms once access was gained.