On 6 August 2025, U.S. federal prosecutors charged Ethan Foltz, 22, of Eugene, Oregon, with developing and administering the “Rapper Bot” botnet – a massive cybersecurity threat used to launch more than 370,000 Distributed Denial of Service (DDoS) attacks worldwide. Authorities say the botnet, one of the largest of its kind, has now been dismantled in a joint U.S. and international operation.
Court documents reveal that Rapper Bot – also known as “Eleven Eleven Botnet” and “CowBot” – has been active since at least 2021. It primarily compromised Digital Video Recorders (DVRs) and Wi-Fi routers, infecting up to 95,000 devices at a time. Once compromised, these devices were marshalled into coordinated DDoS attacks, often measuring 2–3 terabits per second (Tbps), with one attack reportedly peaking above 6 Tbps.
Scale of Impact
Between April 2025 and August 2025 alone, investigators say Rapper Bot executed over 370,000 DDoS attacks against 18,000 unique victims in more than 80 countries, including:
- A U.S. government network
- A major social media platform
- Several U.S. technology companies
The botnet also forcibly conscripted devices in Alaska into its attacks, illustrating its indiscriminate global reach.
Financial and Security Fallout
Economic Impact
The complaint estimates that a 30-second DDoS flood at 2 Tbps could cost victims between $500 and $10,000 in downtime, lost revenue, and remediation. Beyond direct costs, Rapper Bot customers allegedly leveraged extortion tactics, threatening prolonged attacks unless payments were made.
National Security Concerns
The U.S. Department of Defense and its industrial base were among Rapper Bot’s potential targets. Officials described the botnet as a “clear threat” to critical infrastructure.
Law Enforcement Response
Takedown and Seizure
On 6 August 2025, investigators executed a search warrant at Foltz’s residence in Oregon. The operation resulted in:
- Seizure of administrative control over Rapper Bot
- Termination of its attack infrastructure
- Transfer of botnet control to the Defense Criminal Investigative Service (DCIS)
Since then, no new Rapper Bot activity has been observed.
Operation PowerOFF
The takedown was part of Operation PowerOFF, a multinational effort to dismantle DDoS-for-hire services. Partners included the U.S. Attorney’s Office for the District of Alaska, Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Flashpoint, Google, PayPal, and Unit 221B.
Official Statements
“Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and industry partners has put an end to Foltz’s time as administrator,” said U.S. Attorney Michael J. Heyman for the District of Alaska (6 August 2025).
“This malware was a clear threat to the Department of Defense and the defense industrial base. The joint efforts of DCIS, our partners, and federal prosecutors send a clear signal: such actions will come at a cost,” said Special Agent in Charge Kenneth DeChellis, DCIS Cyber Field Office (6 August 2025).
Global and Regional Context
Worldwide DDoS-for-Hire Crackdowns
Rapper Bot’s dismantling comes amid a broader crackdown on booter/stresser services, which have surged in power due to growing IoT exposure. Recent law enforcement actions in Europe and Asia reflect the global priority to curb such botnets.
MEA Perspective
While no Middle East- or Africa-specific victims were named in court filings, experts caution that the region is equally vulnerable. With many ISPs and enterprises still relying on unpatched routers and DVRs, the MEA region could become fertile ground for similar IoT-based botnets unless security services and regulations evolve to enforce stronger controls.
Technical Note: MITRE ATT&CK Mapping
- Initial Access: Exploitation of public-facing IoT devices (T1190)
- Execution: Malware on DVRs/Routers (T1059)
- Command & Control: Centralized botnet infrastructure leveraging infected nodes (T1071)
- Impact: Network DoS (T1498), Service DoS (T1499)
Actionable Takeaways for CISOs and Defenders
- Audit and patch IoT devices, especially DVRs, routers, and Wi-Fi gear.
- Implement DDoS mitigation services via cloud providers or on-premises appliances.
- Monitor outbound traffic for anomalies consistent with botnet behavior.
- Disable unnecessary services on internet-exposed devices.
- Use strong authentication and MFA for all device administration.
- Segment IoT/OT networks from critical IT environments.
- Collaborate with ISPs for upstream filtering of volumetric attacks.
- Participate in industry information-sharing groups for early threat alerts.
- Develop an incident response playbook specifically for large-scale DDoS scenarios.
- Invest in user awareness training to reduce device misconfiguration risks.
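The takeaways on monitoring outbound traffic and segmenting IoT networks are easier to act on with a concrete detection. The script below is an added example, not code from the article or from any of the organisations it names: it reads constructed NetFlow-style records and flags hosts in an assumed DVR/router VLAN that either push an abnormal packet rate toward one external destination (participation in a volumetric flood) or send a regular stream of tiny flows to one external host and port (a check-in pattern). The subnet, thresholds, ports and addresses are assumptions chosen for illustration, not indicators from the case.

```python
"""Flag IoT hosts whose outbound flows look like botnet participation.

Added example, not code from the article or any organisation it names. Input is a
constructed NetFlow-style CSV (ts,src,dst,dport,packets,bytes); the IoT VLAN,
thresholds and addresses are assumptions. Two defender-side heuristics:
  1. flood participation: one IoT source pushes an abnormal packet rate toward a
     single external destination inside a short window;
  2. check-in beaconing: one IoT source sends several tiny flows to the same
     external host:port at a near-constant interval.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # assumed DVR/router VLAN
INTERNAL = ipaddress.ip_network("10.0.0.0/8")       # assumed corporate space
FLOOD_PPS = 5000          # packets/s toward one destination deemed abnormal
WINDOW_SECONDS = 10
BEACON_MAX_BYTES = 256    # "tiny" flow size typical of a check-in
BEACON_MIN_COUNT = 4
BEACON_JITTER = 0.2       # allowed deviation of each gap from the mean gap

@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    packets: int
    nbytes: int

def parse_flow(line):
    """Parse one constructed CSV record: ts,src,dst,dport,packets,bytes."""
    ts, src, dst, dport, packets, nbytes = line.strip().split(",")
    return Flow(int(ts), src, dst, int(dport), int(packets), int(nbytes))

def iot_outbound(flows):
    """Keep only flows leaving the IoT segment for a non-internal host."""
    return [f for f in flows
            if ipaddress.ip_address(f.src) in IOT_SEGMENT
            and ipaddress.ip_address(f.dst) not in INTERNAL]

def flood_participants(flows, pps_threshold=FLOOD_PPS, window=WINDOW_SECONDS):
    """Return {src: (dst, pps)} giving each source's worst (window, dst) pair
    whose packet rate exceeds the threshold."""
    buckets = defaultdict(int)                  # (window_id, src, dst) -> packets
    for f in iot_outbound(flows):
        buckets[(f.ts // window, f.src, f.dst)] += f.packets
    hits = {}
    for (_, src, dst), packets in buckets.items():
        pps = packets / window
        if pps > pps_threshold and pps > hits.get(src, ("", 0.0))[1]:
            hits[src] = (dst, pps)
    return hits

def beacon_candidates(flows, max_bytes=BEACON_MAX_BYTES,
                      min_count=BEACON_MIN_COUNT, jitter=BEACON_JITTER):
    """Return {(src, dst, dport): mean_gap} for sources sending at least
    min_count tiny flows to one host:port with near-constant spacing."""
    seen = defaultdict(list)
    for f in iot_outbound(flows):
        if f.nbytes <= max_bytes:
            seen[(f.src, f.dst, f.dport)].append(f.ts)
    found = {}
    for key, stamps in seen.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and all(abs(g - avg) <= jitter * avg for g in gaps):
            found[key] = avg
    return found

def report(csv_text):
    """Run both heuristics over raw CSV text and return alert strings."""
    flows = [parse_flow(l) for l in csv_text.splitlines() if l.strip()]
    alerts = [f"FLOOD {src} -> {dst} at {pps:.0f} pps"
              for src, (dst, pps) in sorted(flood_participants(flows).items())]
    alerts += [f"BEACON {src} -> {dst}:{dport} every {gap:.0f}s"
               for (src, dst, dport), gap in sorted(beacon_candidates(flows).items())]
    return alerts

# Constructed sample: DVR 10.50.3.7 floods a web host and checks in to an
# external controller; DVR 10.50.3.8 streams normally; workstation 10.20.1.5 is
# outside the IoT segment and ignored here by design.
SAMPLE_FLOWS = """\
1000,10.50.3.7,203.0.113.9,443,20000,1200000
1003,10.50.3.7,203.0.113.9,443,20000,1200000
1006,10.50.3.7,203.0.113.9,443,20000,1200000
1000,10.50.3.8,203.0.113.40,443,500,700000
1000,10.20.1.5,203.0.113.9,443,100000,6000000
1000,10.50.3.7,198.51.100.4,7331,2,120
1060,10.50.3.7,198.51.100.4,7331,2,120
1120,10.50.3.7,198.51.100.4,7331,2,120
1180,10.50.3.7,198.51.100.4,7331,2,120
"""

if __name__ == "__main__":
    for alert in report(SAMPLE_FLOWS):
        print(alert)
```

Both rules are deliberately scoped to the IoT segment, which is why segmentation matters for detection as well as containment: a clean VLAN boundary gives the monitoring a small, well-defined population with predictable traffic, so a DVR suddenly emitting thousands of packets per second to one host, or phoning a fixed external port every minute, stands out without tuning against general user traffic. The thresholds are starting points; a real deployment would baseline each device class (a DVR legitimately streams large outbound volumes, but to known destinations) and feed the alerts into the DDoS playbook so the ISP can be asked to filter upstream while the device is pulled from the network.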
Conclusion
The takedown of Rapper Bot highlights both the growing power of IoT-driven botnets and the importance of coordinated, international law enforcement action. For security leaders, the case underscores a sobering truth: legacy devices remain the Achilles’ heel of global networks. As law enforcement cracks down, organizations must bolster defenses to avoid becoming unwitting participants in the next large-scal