Feds Take Down Notorious DDoS-for-Hire Operation ‘Rapper Botnet’


Oregon Man Charged for Operating DDoS Attack Service


Federal authorities have charged a 22-year-old from Oregon for operating a sophisticated, on-demand distributed denial-of-service (DDoS) attack service known as “Rapper Bot.” Prosecutors allege that the service facilitated massive online disruptions since early 2021.

Rapper Bot, also referred to as the Eleven Eleven Botnet or CowBot, used millions of compromised Internet of Things devices, such as digital video recorders and WiFi routers, to flood targeted websites with excessive traffic. Court documents indicate that the botnet consistently executed attacks peaking at over 6 terabits per second, affecting entities across 80 countries.

Named in the indictment, Ethan J. Foltz faces a single count of aiding and abetting computer intrusions, which carries a potential 10-year prison sentence. Formed around January 2021, Rapper Bot was built for high-volume attacks and caused significant financial harm to its victims, with the cost of a single attack ranging between $500 and $10,000 depending on its scale.

Cybersecurity firm Qi An Xin Technology Group reported that Rapper Bot disrupted platforms such as DeepSeek and X this year, with indications that its operators began extorting victims for payment to avoid being targeted. This evolution reflects a growing trend among DDoS-as-a-service providers, in which attacks are coupled with demands for "protection fees."

Notably, the botnet is built on a variant of the widely known Mirai malware, which gained infamy in 2016 for its role in high-profile attacks against major websites like Amazon and Twitter. The Mirai source code was leaked online, enabling the proliferation of similar botnets.

Investigators have mapped Rapper Bot's activity to MITRE ATT&CK tactics, particularly initial access through compromised devices and persistent operation of the botnet's infrastructure. The botnet reportedly comprised between 65,000 and 95,000 infected devices, giving it a baseline attack capacity of 2 to 3 terabits per second.

The U.S. Department of Defense is heading the investigation, which links Rapper Bot to attacks against organizations providing internet services to the Pentagon. The operation is part of a broader initiative, Operation PowerOFF, targeting DDoS-for-hire schemes globally. Even as some providers are apprehended, new operators continue to emerge, underscoring the persistent threat posed by this form of cybercrime.

As these developments show, businesses must remain vigilant and adopt proactive cybersecurity measures to defend against such threats. The cybercrime landscape is continually evolving, and understanding the tactics used in these attacks is critical for effective risk management.