Oregon man charged with administering “Rapper Bot” DDoS-for-hire Botnet

ANCHORAGE, Alaska – An Oregon man was charged by a federal criminal complaint today in the District of Alaska on charges related to his alleged development and administration of the “Rapper Bot” DDoS-for-hire Botnet that has conducted large-scale cyber-attacks since at least 2021. 

According to court documents, investigators identified Ethan Foltz, 22, of Eugene, Oregon, as the alleged administrator of Rapper Bot.

Rapper Bot, aka “Eleven Eleven Botnet” and “CowBot,” is a Botnet that primarily compromises devices like Digital Video Recorders (DVRS) or WiFi routers at scale by infecting those devices with specialized malware. Clients of Rapper Bot then issue commands to those infected victim devices, forcing them to send large volumes of “Distributed Denial of Service” (DDoS) traffic to different victim computers and servers located throughout the world.

According to court documents, Foltz and his co-conspirators allegedly monetized Rapper Bot by providing select paying customers with access to one of the most sophisticated and powerful DDoS-for-hire Botnets currently in existence. It is alleged that Rapper Bot targeted victims in over 80 countries, including a U.S. government network, a popular social media platform and many U.S. tech companies. The criminal complaint details that partner data shows from April 2025 to present, Rapper Bot allegedly conducted over 370,000 attacks, targeting 18,000 unique victims.

The criminal complaint explains that Rapper Bot was allegedly utilizing roughly 65,000 to 95,000 infected victim devices to regularly conduct DDoS attacks that commonly measured between two to three Terabits per second. It is alleged that Rapper Bot’s largest attack may have exceeded six Terabits per second. Investigators believe that at least five infected victim devices are in Alaska and were forced to participate in attacks.

Court documents explain that DDoS attacks have grown more powerful and impact victims financially through lost revenue, disgruntled customers, resources used to respond to attacks and bandwidth usage costs. The criminal complaint details that a DDoS attack averaging over two Terabits per second lasting 30 seconds might cost a victim anywhere from $500 to $10,000. It is also alleged that some Rapper Bot customers used extortion demands, leveraging the DDoS attack volumes of the Botnet to extort victims. 

On Aug.6, 2025, law enforcement officials executed a search warrant on Foltz’ residence in Oregon. Law enforcement personnel effected the termination of Rapper Bot’s attack capabilities and obtained administrative control of Rapper Bot. Private sector partners have not reported any Rapper Bot attacks since the transfer of Botnet control to the Defense Criminal Investigative Service (DCIS).

“Rapper Bot was one of the most powerful DDoS botnets to ever exist, but the outstanding investigatory work by DCIS cyber agents and support of my office and industry partners has put an end to Foltz’s time as administrator and effectively disrupted the activities of this transnational criminal group,” said U.S. Attorney Michael J. Heyman for the District of Alaska. “Our office remains committed to disrupting and dismantling cyber criminals that threaten internet security and infrastructure in the District of Alaska and across the United States.”

“Today’s announcement highlights the ongoing efforts by law enforcement to disrupt and dismantle emerging cyber threats targeting the Department of Defense and the defense industrial base,” said Special Agent in Charge Kenneth DeChellis of the Department of Defense Office of Inspector General, DCIS, Cyber Field Office. “The Rapper Bot malware was a clear threat, and the focused efforts of DCIS, our industry partners, and the federal prosecutors at the U.S. Attorney’s Office in Alaska, sends a clear signal to those who would harm the DoD’s personnel, infrastructure, and intellectual property, that their actions will come at a cost.”

Foltz is charged with one count of aiding and abetting computer intrusions. If convicted, Foltz faces a maximum penalty of 10 years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

The DCIS is investigating the case.

Assistance was provided by the United States Attorney’s Office for the District of Oregon, Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Flashpoint, Google, PayPal, and Unit 221B. This law enforcement action was taken in conjunction with Operation PowerOFF, an ongoing, coordinated effort among international law enforcement agencies aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.

Assistant U.S. Attorney Adam Alexander is prosecuting the case.

A criminal complaint is merely an allegation, and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

###