Federal prosecutors on Tuesday charged an Oregon man for allegedly running a global botnet-for-hire operation called Rapper Bot that used hacked IoT devices to conduct large-scale distributed denial-of-service (DDoS) attacks.
Authorities charged Ethan Foltz, 22, with one count of aiding and abetting computer intrusions. Police executed a search warrant at Foltz’s house on Aug. 6, shut down the botnet and took control of its infrastructure, according to the U.S. Department of Justice.
Rapper Bot allegedly used between 65,000 and 95,000 infected devices for DDoS attacks that often measured between two and three terabits per second. The largest attack may have exceeded six terabits per second, prosecutors said.
Rapper Bot was “one of the most powerful DDoS botnets to ever exist,” said Michael Heyman, the U.S. attorney in Alaska, where authorities believe the botnet infected at least five devices.
The Defense Criminal Investigative Service (DCIS) is investigating the case because some of the attacks targeted U.S. defense contractors.
“The outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator and effectively disrupted the activities of this transnational criminal group,” Heyman said in a statement.
The botnet, also known as “Eleven11” and “CowBot,” compromised large numbers of Wi-Fi routers, digital video recorders and other internet-of-things devices with malware, which it then used to order the devices to target computers and servers around the world.
Foltz allegedly monetized Rapper Bot by charging other cyber criminals to use it for attacks. In some cases, those criminals used the botnet for attacks that attempted to extort victims.
The botnet has conducted more than 370,000 attacks and infected more than 18,000 unique victims since April, prosecutors said.
Victims were located in more than 80 countries and included several U.S. technology companies, a widely used social media platform and a U.S. government agency.
AWS said it helped reverse engineer the IoT malware and identified the command-and-control infrastructure.
DOJ declined to share more information about the case. An attorney representing Foltz could not immediately be reached for comment.