RapperBot Botnet Takedown: Major Victory Against Global DDoS Cybercrime Network

CyberSecureFox 🦊

The U.S. Department of Justice has achieved a significant milestone in the fight against international cybercrime by filing formal charges against the creator and administrator of one of the most devastating DDoS botnets in recent years. The RapperBot botnet, which was also known under multiple aliases including Eleven Eleven and CowBot, was successfully dismantled in August 2025 as part of the comprehensive Operation PowerOff.

RapperBot’s Origins and Technical Evolution

Security researchers at Fortinet first identified this malicious network in August 2021, though forensic analysis revealed the botnet had been operational since May of that year. Built upon the notorious Mirai malware framework, RapperBot quickly demonstrated its destructive capabilities by compromising tens of thousands of internet-connected devices across the globe.

The cybercriminals primarily targeted digital video recorders (DVRs) and routers—devices notorious for weak security configurations and infrequent firmware updates. This strategic choice enabled the threat actors to construct a robust infrastructure capable of launching massive coordinated attacks against critical systems worldwide.

Scale of Attacks and Financial Impact Assessment

The technical specifications of RapperBot reveal the staggering scope of its operations. DDoS attack volumes ranged from 2 to 6 terabits per second, generating sufficient traffic to cripple even enterprise-grade networks and government infrastructure. In 2023, the botnet operators expanded their criminal enterprise by integrating cryptocurrency mining modules, creating multiple revenue streams from compromised devices.

Investigation findings indicate that RapperBot targeted more than 18,000 entities across 80 countries. Victims included U.S. government systems, major media platforms, gaming companies, and technology corporations, demonstrating the indiscriminate nature of these cybercriminal operations.

Quantifying the Damage: Attack Statistics and Costs

Amazon Web Services, which assisted law enforcement in tracking the botnet’s command infrastructure, provided alarming statistics about the operation’s scope. Since April 2025 alone, RapperBot executed over 370,000 individual attacks utilizing more than 45,000 compromised devices spanning 39 countries. Peak attack intensities exceeded one billion packets per second.

The financial implications of these attacks are substantial. According to Department of Justice estimates, even brief DDoS attacks exceeding two terabits per second and lasting merely 30 seconds could cost victims between $500 and $10,000 in immediate damages, not accounting for long-term reputational and operational impacts.

Legal Proceedings and Defendant Profile

Federal prosecutors have charged 22-year-old Ethan Foltz from Oregon as the primary architect and administrator of the RapperBot network. Court documents allege that Foltz not only developed the malicious software but actively leased botnet access to other cybercriminals for conducting attacks against various organizations.

The defendant faces charges of aiding and abetting computer crimes, with potential sentences reaching up to 10 years in federal prison upon conviction. Foltz currently remains free on supervised release pending his scheduled court appearance.

Extortion Schemes and Threat Escalation

Law enforcement agencies express particular concern regarding the extortion tactics employed by RapperBot clients. The criminal methodology followed a predictable pattern: initial demonstration attacks would paralyze target organizations, followed by ransom demands threatening continued disruption unless payment was made.

The successful neutralization of RapperBot and the prosecution of its creator represent a crucial victory in international cybercrime enforcement efforts. This case exemplifies the effectiveness of collaboration between law enforcement agencies and private technology companies in securing cyberspace. Organizations must prioritize IoT device security by implementing regular firmware updates, strong authentication protocols, and network segmentation to prevent their systems from becoming unwitting participants in future botnet operations. The RapperBot takedown serves as both a warning to cybercriminals and a blueprint for continued success in dismantling global threat networks.
