RapperBot botnet dismantled; its creator charged

Date: 23/08/2025

The U.S. Department of Justice has charged the alleged developer and administrator of the RapperBot DDoS botnet, which was rented out to cybercriminals. The botnet itself was seized by law enforcement in early August as part of Operation PowerOff.

RapperBot (also known as Eleven Eleven and CowBot) was first discovered by Fortinet analysts in August 2021. At the time, it was reported that this Mirai-based botnet had been active since May 2021 and had infected tens of thousands of digital video recorders (DVRs) and routers.

The DDoS attacks carried out with its help had capacities ranging from 2 to 6 Tbps. In addition, in 2023 RapperBot was equipped with a cryptocurrency mining module, as its operator sought to diversify revenue streams and increase profits from compromised devices.

As the U.S. Department of Justice now reports, RapperBot was used to attack more than 18,000 targets in 80 countries worldwide, including U.S. government systems, major media platforms, and gaming and technology companies.

Amazon Web Services (AWS), which helped law enforcement track the botnet’s command infrastructure and provided information, reports that since April 2025 alone, RapperBot has carried out more than 370,000 attacks. The power of these attacks, which involved over 45,000 compromised devices across 39 countries, at times exceeded one billion packets per second (PPS).

Such attacks could cost victims thousands of U.S. dollars, even if they were short-lived, and often went hand in hand with extortion, the Justice Department notes.

“The indictment details that a DDoS attack with an average bandwidth of over two terabits per second, lasting 30 seconds, could cost a victim between $500 and $10,000,” the U.S. Department of Justice reports. “It is also known that some RapperBot clients engaged in extortion, using the botnet’s DDoS attacks to obtain money from victims.”

Charges of creating a botnet have now been filed against 22-year-old Ethan Foltz from the state of Oregon. He is believed to have created RapperBot and rented the botnet out to other threat actors who attacked various organizations.

Foltz has been charged with aiding and abetting computer crimes, which carries a maximum penalty of 10 years in prison if he is convicted. However, Foltz is currently free: he was served a summons requiring him to appear in court on a specified date.
