Federal officials dismantled a massive botnet-for-hire operation linked to global cyberattacks and charged its alleged creator.
The US Department of Justice (DoJ) announced this week that it has charged 22-year-old Ethan Foltz, a resident of Eugene, Oregon, with operating the “Rapper Bot” malware network. Investigators allege that Foltz developed and rented the bot network to cybercriminals who attacked thousands of organizations worldwide.
The Aug. 6 takedown, conducted under the international “Operation PowerOff,” culminated with a raid at Foltz’s residence, where officers allegedly seized the botnet’s infrastructure. Authorities say the system, also known as “Eleven Eleven” and “CowBot,” had operated since at least 2021.
Rapper Bot was based on Mirai malware, a notorious strain first uncovered in 2016. Investigators say the network infected tens of thousands of internet-connected devices, particularly DVRs and home routers, allowing attackers to generate massive distributed denial-of-service (DDoS) traffic.
At its peak, the botnet could deliver between two and six terabits per second of attack traffic, disrupting systems across 80 countries. Victims included US government agencies, gaming platforms, media outlets, and major tech companies.
In 2023, Rapper Bot operations added a cryptomining feature to squeeze additional revenue from hijacked machines. By April 2025, Amazon Web Services (AWS) reported that the botnet had launched more than 370,000 attacks, drawing power from over 45,000 compromised devices in nearly 40 countries.
Even short-lived assaults inflicted severe financial damage. The DoJ noted that a 30-second strike averaging two terabits per second could cost victims anywhere from $500 to $10,000, with some attackers leveraging this power to extort payments.
Foltz faces charges of aiding and abetting computer intrusions, an offense carrying a potential 10-year prison sentence. However, he has not been taken into custody; instead, a summons was issued after the complaint was filed.
Since authorities seized Rapper Bot’s infrastructure, no signs of renewed malicious activity have surfaced, leading investigators to believe that no backup servers remain under the control of other operators.
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.