US seizes ‘Rapper Bot’ malware, charges alleged developer

Authorities have dismantled one of the largest Mirai-based DDoS-for-hire botnets, known as “Rapper Bot,” and identified its alleged creator.

 

What happened

The U.S. Department of Justice (DoJ) announced charges against Ethan Foltz, a 22-year-old from Eugene, Oregon, accused of developing and renting access to the Rapper Bot botnet. Foltz allegedly allowed cybercriminals to use the malware to launch massive distributed denial-of-service (DDoS) attacks against thousands of targets worldwide.

The botnet’s infrastructure was seized on August 6, 2025, during a raid at Foltz’s home, under an international law enforcement effort known as Operation PowerOff. Foltz now faces charges of aiding and abetting computer intrusions, which carry a possible sentence of up to ten years in prison.

 

Going deeper

Rapper Bot, also called “Eleven Eleven” and “CowBot,” has been active since at least 2021. The malware infected tens of thousands of internet-connected DVRs and routers, harnessing their computing power to fuel massive attacks. At peak strength, Rapper Bot could deliver between 2 and 6 terabits per second of traffic.

The botnet is linked to over 18,000 attacks across 80 countries, targeting government agencies, tech firms, media platforms, and gaming services. In 2023, its operators added a cryptomining module, allowing them to profit further from hijacked devices.

AWS assisted investigators in tracking the botnet’s command and control servers, reporting that since April 2025 alone, Rapper Bot launched more than 370,000 attacks using 45,000 compromised devices across 39 countries.

 

What was said

The DoJ detailed that even brief attacks had a serious financial impact. A 30-second DDoS attack averaging over 2 Tbps could cost victims anywhere from $500 to $10,000. Authorities added that some Rapper Bot users combined attacks with extortion, threatening to continue or escalate the disruption unless victims paid up.

Although Foltz was charged, he has not been detained. Prosecutors issued a summons following the filing of the criminal complaint. Authorities note there have been no signs of Rapper Bot activity since its seizure, making a comeback from backup servers unlikely.

 

The big picture

“Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator and effectively disrupted the activities of this transnational criminal group,” says U.S. Attorney Michael J. Heyman for the District of Alaska. “Our office remains committed to disrupting and dismantling cyber criminals that threaten internet security and infrastructure in the District of Alaska and across the United States.” 

 

FAQs

What is a DDoS-for-hire service?

It’s a platform that lets paying customers launch distributed denial-of-service (DDoS) attacks without technical expertise, using hijacked devices to overwhelm targets with traffic.

 

How does a Mirai-based botnet like Rapper Bot spread?

These botnets typically exploit weak or default passwords on internet-connected devices like routers and DVRs, then add them to their network of controlled machines.

 

What was Operation PowerOff?

An international effort by law enforcement agencies and industry partners to dismantle illegal DDoS-for-hire services and prosecute their operators.

 
