Rapper Bot Admin Receives Federal Charges
Since at least 2021, a powerful Mirai-based threat known as Rapper Bot, also known as Eleven Eleven or CowBot, has quietly targeted millions of internet-connected devices worldwide. Recently, a coordinated law enforcement action dismantled the operation and brought charges against its alleged administrator, offering a cautionary tale about the increasing sophistication of botnets and their impact on everyday digital security. The events also show that threat actors are not immune to prosecution.
Cybersecurity researchers first observed the emergence of Rapper Bot in 2022, when it appeared in an offensive campaign with a distinct focus on online gaming servers. Using techniques inspired by Mirai malware, the botnet infiltrated vulnerable Internet-of-Things (IoT) devices, such as DVRs and routers, by brute-forcing access via Telnet. The malware then turned those compromised devices into a bot network that would be used to carry out Distributed Denial-of-Service (DDoS) attacks specifically designed to disrupt game servers.
Though the full scope of Rapper Bot's objectives remained unclear at the time, security analysts recognized that this campaign marked a more targeted and malicious use of IoT infrastructure to attack legitimate services and create cyber chaos. Over time, Rapper Bot expanded its reach and potency. Authorities now estimate that between 65,000 and 95,000 devices were compromised across dozens of countries, including digital video recorders and routers that unwittingly participated in worldwide cyberattacks.
From early 2025, these infected devices launched over 370,000 DDoS attacks, generating network traffic ranging from 2 to 3 terabits per second, with peaks exceeding 6 terabits per second. Some attacks overwhelmed network defenses with over 1 billion packets per second, and leveraged over 45,000 devices across 39 countries. To further boost the financial viability of the malware-as-a-service (MaaS), the malware included a crypto miner that used device resources to mine cryptocurrency as early as the second quarter of 2022.
These attacks should not be considered a mere nuisance. Even brief bursts at this scale could cost victims, including public institutions, between 500 USD and 10,000 USD in direct damages, not including indirect losses such as downtime and reputational damage. In many cases, attackers used the threat of sustained cyber-attacks as leverage in extortion.
The Legal Hammer Comes Down on Rapper Bot
The U.S. Department of Justice (DOJ) announced that on August 6, 2025, federal agents executed a search warrant at the residence of Ethan Foltz, a 22-year-old from Eugene, Oregon, whom they identified as the developer and administrator of Rapper Bot. That operation, part of a broader initiative dubbed Operation PowerOff, led to the seizure of the botnet's infrastructure and effectively dismantled its DDoS capabilities.
According to DOJ documents, Foltz and his co-conspirators monetized Rapper Bot by renting access to paying clients, enabling them to launch disruptive attacks on over 18,000 unique targets in more than 80 countries, including U.S. government systems, major media platforms, gaming companies, and tech firms.
Following the seizure, private-sector partners such as Amazon Web Services, which helped trace the botnet's command-and-control structure, reported no further Rapper Bot attacks. U.S. Attorney Michael J. Heyman for the District of Alaska stated regarding the matter:
"Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz's time as administrator and effectively disrupted the activities of this transnational criminal group. Our office remains committed to disrupting and dismantling cyber criminals that threaten internet security and infrastructure in the District of Alaska and across the United States."
Special Agent in Charge Kenneth DeChellis of the Department of Defense Office of Inspector General, DCIS, Cyber Field Office, said the following regarding U.S. law enforcement's commitment to prosecuting threat actors:
"Today's announcement highlights the ongoing efforts by law enforcement to disrupt and dismantle emerging cyber threats targeting the Department of Defense and the defense industrial base. The Rapper Bot malware was a clear threat, and the focused efforts of DCIS, our industry partners, and the federal prosecutors at the U.S. Attorney's Office in Alaska, sends a clear signal to those who would harm the DoD's personnel, infrastructure, and intellectual property, that their actions will come at a cost."
As to why the malware operation drew the attention of law enforcement, Rapper Bot stood out in several ways that made it particularly dangerous to everyday online safety:
- Scale: By compromising tens of thousands of devices, it mounted some of the largest DDoS attacks recorded, with traffic volumes far exceeding typical cybersecurity defenses.
- Diverse Target Base: The botnet hit critical infrastructure such as government networks and large technology platforms, showing it posed threats to services people rely on daily.
- Monetization via Dual Revenue Streams: In 2023, the botnet incorporated a cryptomining component to extract additional revenue from infected machines, alongside offering cyberattacks as a paid service ("DDoS-for-hire").
- Widespread Geographic Footprint: With attacks spanning more than 80 countries and involving infected devices worldwide, the botnet exemplified how cyber threats can easily cross borders.
- Financial and Operational Cost: Even short floods of traffic could cost targets thousands of dollars, straining their capacity to respond to and mitigate attacks.
In summary, a dangerous Mirai-based botnet known as Rapper Bot operated for years by infecting IoT devices and renting them out for crippling, high-volume DDoS attacks. Its operators even added cryptomining to expand profits. In August 2025, law enforcement seized control, charged the alleged operator, and effectively ended one of the most destructive botnet operations in recent memory. For laypeople, this case underscores the importance of securing everyday devices and understanding how cyber threats can emerge, evolve, and be stopped through collective effort.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.