Alleged Rapper Bot DDoS botnet master arrested, charged
US federal prosecutors have charged a man with running Rapper Bot, a powerful botnet that was rented out to launch large-scale distributed denial-of-service (DDoS) attacks around the world.
According to court documents, 22-year-old Ethan Foltz of Eugene, Oregon, is accused of developing and managing the Rapper Bot botnet, which also went by other names, including “Eleven Eleven Botnet” and “CowBot”.
Investigators say Rapper Bot infected internet-connected devices such as digital video recorders and WiFi routers. The botnet was created by using a variant of Mirai, malware that remains a common tool for building botnets.
Court filings claim the botnet was used in more than 370,000 attacks since April 2025. Investigators say the attacks hit at least 18,000 different targets in more than 80 countries. Those included a US government network, a popular social media platform, and several American technology companies.
Rapper Bot allegedly consisted of between 65,000 and 95,000 infected devices at any given time. The attacks commonly reached speeds of two to three terabits per second, a level that can overwhelm even well-defended networks. In one case, the botnet may have reached six terabits per second, which is considered massive by current standards.
The criminal complaint notes that a 30-second DDoS attack at that scale could cost a victim anywhere from $500 to $10,000, depending on the impact. While DDoS attacks can be used to harass or protest, they are often tied to money-making schemes. Victims may be told that the attacks will stop only if they pay, a practice known as DDoS extortion. The complaint against Foltz suggests that some Rapper Bot customers used the system this way.
On August 6, 2025, federal agents executed a search warrant at Foltz’s home in Oregon. Officials also seized control of Rapper Bot and disabled it. Since the takeover, no new Rapper Bot attacks have been reported by the private sector, according to investigators.
Foltz faces one federal charge of aiding and abetting computer intrusions. If convicted, he could be sentenced to as many as 10 years in prison.
The arrest marks the latest in a series of cases targeting the operators of so-called booter and stresser services, which let people pay to knock websites or networks offline with rented DDoS power.