‘Rapper Bot’ hit the Pentagon in at least 3 cyberattacks

The powerful “Rapper Bot” Distributed Denial of Service-for-hire botnet impacted the Department of Defense Information Network (DODIN) in at least three attacks between April and August — when U.S. government authorities gained control of the disruptive malware web, two officials told DefenseScoop.

Federal prosecutors in Alaska charged 22-year-old Ethan Foltz on Tuesday for allegedly running the large-scale cyber operation since before or around 2021. Authorities ranked Rapper Bot as “among the most powerful DDoS botnets to have ever existed,” in the affidavit for the criminal complaint. 

On a call with a small group of reporters shortly after the announcement, sources familiar with the investigation, who requested anonymity to speak freely about it, shared new details about this massive online extortion campaign that targeted victims all over the world — including a U.S. government network, a popular social media platform and multiple technology companies.

“The Department of Defense, [and] specifically the defense industrial base, is one of the 16 critical infrastructures listed by the United States, which means we’re a big target. We get targeted by DDoS and botnet services all the time. We have a very robust network defense team that handles that,” an official said.

Also known as CowBot or Eleven Eleven Botnet, Rapper Bot primarily pursued Internet of Things (IoT) computers and devices, which are embedded in equipment like iPads, appliances, digital recorders and WiFi routers.

A special agent with the Defense Criminal Investigative Service wrote in an affidavit that “Rapper Bot forces infected devices to send large amounts of internet traffic to victim computers, a type of Internet crime termed ‘Distributed Denial of Service’ because the deluge of Internet traffic can effectively deny service, i.e. the ability to communicate with the Internet, for the duration of the DDoS attack.”

The botnet infected between 65,000 and 95,000 devices to regularly conduct high-tempo DDoS attacks — the largest of which may have exceeded six terabits per second. The criminal complaint noted that a DDoS attack averaging more than two terabits per second and lasting 30 seconds can cost a victim anywhere from $500 to $10,000.

Foltz admitted to building and operating Rapper Bot for years — and sharing the profits with an accomplice he claimed to know only by the online handle “Slaykings” — when law enforcement officials served a search warrant at his Oregon residence on Aug. 6, according to officials.

The botnet allegedly conducted more than 370,000 attacks against 18,000 unique victims across 1,000 unique autonomous system numbers, from April to early August. A total of 80 nations were affected by Rapper Bot in that time period, and those DDoS assaults were most heavily concentrated in China, Japan, the United States, Ireland and Hong Kong.

“There were at least three attacks during this time period against IP addresses managed by [DOD, or] against the DODIN,” the affidavit states. “Because Rapper Bot has been in operation since at least 2021, there is a strong likelihood that there are millions of victims, in terms of infected IoT devices, as well as millions of Rapper Bot initiated DDoS attacks.”

The two officials on the call with reporters Tuesday declined to provide a total number of IoT devices that got into or compromised U.S. government networks via Rapper Bot.

However, they confirmed that there were no fewer than three attacks against IP addresses that are owned or operated by the DOD — such as those used for public affairs websites and other digital information resources.

“I can’t go into detail on what those in particular were, for obvious reasons. But, it depends on who the customer is and what they’re targeting. Sometimes it’s just random. Sometimes it’s very specific, very targeted, and matching with other stuff that’s going on around the world. I can’t see what this was and what the pieces were — but in this case, it was not the defense industrial base I mentioned earlier,” an official told DefenseScoop. “This was, in fact, a DOD IP address or a series of them, but I can’t go into any further detail on that.”

Foltz faces a maximum penalty of 10 years in prison if he’s convicted of the alleged cybercrimes.

According to the affidavit, he told the special agent leading the investigation that it would likely be difficult to determine the full scope of Rapper Bot’s reach, because the command-and-control server was configured to wipe user and attack logs approximately once a week.

“As an example of the effect attacks at this scale can have on different platforms, at least one large U.S. social media company had pronounced service outages in March 2025 that have been publicly associated with Rapper Bot,” the document stated.

On Tuesday’s call, officials said they “could not speak to” whether the sprawling botnet was responsible for the March 10, 2025, attack that caused intermittent outages on X — the social media platform owned by tech billionaire Elon Musk, who was playing a major part in the Trump administration’s disruptive Department of Government Efficiency (DOGE) initiatives at that time.

Technology companies, including Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Flashpoint, Google, PayPal and Unit 221B, supplied a range of assistance and account records to support the government’s investigation into the criminal DDoS-for-hire campaign.

“This is an extremely challenging threat space to address and effectively disrupt,” an official told reporters on the call. 

Written by Brandi Vincent

Brandi Vincent is DefenseScoop’s Pentagon correspondent. She reports on emerging and disruptive technologies, and associated policies, impacting the Defense Department and its personnel. Prior to joining Scoop News Group, Brandi produced a long-form documentary and worked as a journalist at Nextgov, Snapchat and NBC Network. She grew up in Louisiana and received a master’s degree in journalism from the University of Maryland.
