A coordinated law enforcement effort has disrupted the operation of Rapper Bot, a major DDoS botnet that has been linked to hundreds of thousands of cyberattacks worldwide. The botnet, also known as Eleven Eleven Botnet and CowBot, targeted a wide range of victims and relied on a vast number of compromised devices to launch high-volume attacks. With activity traced back to at least 2021, the investigation has pointed to a 22-year-old Oregon resident as the alleged creator and primary administrator of Rapper Bot. Major technology firms, including Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Flashpoint, Google, PayPal, and Unit 221B, collaborated with agencies during the investigation, showcasing the growing necessity for public-private partnerships in cybercrime mitigation. Taking control of the botnet limits its immediate threat, though its extensive reach signals the ongoing risk presented by large-scale IoT-based attacks.
Reports from earlier months indicated repeated surges in high-capacity distributed denial-of-service (DDoS) events attributed to unknown botnets, but authorities were initially unable to pinpoint the operators behind the attacks. Over time, analysts noted that the attack patterns matched tactics used by Mirai-derived malware, mirroring trends observed in previous major botnet disruptions. The coordinated response in the present case used new digital forensics techniques, including tracing online payments and cross-account activity, tactics that had seen varied levels of success in prior botnet investigations.
How Was Rapper Bot Identified and Disrupted?
Officials traced Rapper Bot’s activity through digital evidence, including ties to hosting providers and payment accounts. A search warrant executed at the residence of Ethan Foltz of Eugene, Oregon, revealed his involvement, as officials connected his PayPal activity and email logins to the botnet. Reflecting on the investigation, a special agent involved stated,
“Because Rapper Bot has been in operation since at least 2021, there is a strong likelihood that there are millions of victims, in terms of infected IoT devices, as well as millions of Rapper Bot initiated DDoS attacks.”
The disruption came after Foltz acknowledged his central role and provided information about other individuals associated with the operation.
What Devices and Targets Did Rapper Bot Impact?
The botnet amassed control of approximately 65,000 to 95,000 internet-connected DVRs and Wi-Fi routers, using them to initiate over 370,000 DDoS incidents against 18,000 targets. These attacks, some exceeding six terabits per second, were focused mainly on China, Japan, the United States, Ireland, and Hong Kong. The scope and volume of affected hardware underscore the security vulnerabilities present in globally deployed consumer and commercial IoT devices, and the significant bandwidth available for illicit cyber operations.
How Did Investigators Link Foltz to Rapper Bot Operations?
Court documents describe how investigators correlated PayPal records, Gmail access, and hosting provider logs, and were able to identify consistent access patterns even though VPNs were used. Records indicated that, following court orders, companies such as Google and PayPal provided data that identified Foltz as the controller of critical botnet resources. During questioning, Foltz is reported to have admitted to his role and to having worked alongside another individual known online as “SlayKings”, stating that the botnet code was adapted from Mirai, Tsunami, and fBot. At the request of police, he cooperated further by disabling the botnet and handing over administrative controls. Foltz reportedly remarked,
“I was the primary administrator of Rapper Bot.”
Rapper Bot’s structure and operations reflect ongoing challenges for cybersecurity professionals, as increasingly powerful botnets exploit large-scale unsecured networks. Deployment of botnets with code bases derived from Mirai and similar malware remains a pressing issue, with threat actors frequently blending old tactics with new tools. The case also reveals the critical role of digital evidence and partnerships among law enforcement and private companies in tracking and mitigating these cyber threats. As botnets evolve, proactive identification and timely intervention remain crucial for minimizing their long-term impacts. It is important for IoT device owners and organizations to implement regular firmware updates, limit unnecessary internet exposure, and use robust credentials to reduce their risk of device compromise.