Officials gain control of Rapper Bot DDoS botnet, charge lead developer and administrator

The DDoS botnet was among the most powerful on record, allegedly exceeding six terabits per second during its largest attack, authorities said. Victims are spread across 80 countries.

Authorities claim they’ve gained control of Rapper Bot and stopped attacks emanating from what they described as “among the most powerful DDoS botnets to have ever existed.” 

The takeover and effective disruption of the botnet, also known as Eleven Eleven Botnet and CowBot, occurred after officials identified and served a warrant at the Oregon residence of a 22-year-old man who allegedly developed and ran the operation since at least 2021.

Ethan Foltz of Eugene, Ore., was charged with one count of aiding and abetting computer intrusions in the U.S. District Court for the District of Alaska on Tuesday. He faces a maximum penalty of up to 10 years in prison, the Justice Department said.

Rapper Bot allegedly conducted more than 370,000 attacks, targeting 18,000 unique victims across 1,000 unique autonomous system numbers from April to early August, according to officials. 

The botnet, which primarily targeted digital video recorders and Wi-Fi routers, infected between 65,000 and 95,000 devices to regularly conduct high-tempo DDoS attacks. Officials said Rapper Bot regularly conducted DDoS attacks measured between two and three terabits per second, adding that Rapper Bot’s largest attack may have exceeded six terabits per second.

Rapper Bot attacks impacted 80 countries, with DDoS attacks most heavily concentrated in China, Japan, the United States, Ireland and Hong Kong, officials said.

“Because Rapper Bot has been in operation since at least 2021, there is a strong likelihood that there are millions of victims, in terms of infected IoT devices, as well as millions of Rapper Bot initiated DDoS attacks,” a special agent with the Defense Criminal Investigative Service said in an affidavit for the criminal complaint against Foltz.

Investigators traced the botnet to Foltz after linking the botnet’s hosting provider to a PayPal account. Under court order, PayPal sent records to investigators indicating Foltz controlled the account and shared email addresses he associated with the account. Investigators said they determined the same IP address was used to access Foltz’s Gmail, PayPal and internet service provider simultaneously, despite his apparent use of VPN services.

Google accounts linked to Foltz revealed extensive evidence linking him to Rapper Bot, according to investigators. Foltz conducted searches for “RapperBot” and “Rapper Bot” more than 100 times, and sometimes after conducting these searches he viewed cybersecurity blogs, indicating he might have been monitoring what was known about the botnet in real time, officials said in the court documents.

DCIS served a warrant at Foltz’s residence in Oregon on Aug. 6, and during a recorded interview “Foltz stated that he was the primary administrator of Rapper Bot.” Foltz also named his primary partner as a person he only knew as “SlayKings,” adding that the botnet code was derived from the Mirai, Tsunami and fBot botnets.

Upon an official’s request, Foltz terminated Rapper Bot’s outbound attack capabilities and passed administrative control of Rapper Bot to DCIS personnel. Foltz hasn’t been arrested, but officials familiar with the case said they’ve requested a summons in this case.

Akamai, Amazon Web Services, Cloudflare, Digital Ocean, Flashpoint, Google, PayPal and Unit 221B assisted law enforcement with the investigation.
