
RapperBot Botnet Administrator Charged in the US


Summary


A 22-year-old man from Oregon has been charged with developing and operating the RapperBot botnet, which has conducted over 370,000 DDoS attacks against 18,000 unique victims in 80 countries since 2021. The botnet, also known as Eleven Eleven Botnet and CowBot, primarily targets Digital Video Recorders (DVRs) and Wi-Fi routers. It was seized by law enforcement on August 6, 2025, as part of Operation PowerOFF, an international effort to dismantle DDoS-for-hire infrastructure. The botnet's attack capacity ranged from 2 to 6 Tbps, and it has been used for cryptojacking and extortion.

Timeline

  1. 20.08.2025 07:19 📰 2 articles

    RapperBot botnet administrator charged in the US

    A 22-year-old man from Oregon has been charged with developing and operating the RapperBot botnet, which has conducted over 370,000 DDoS attacks against 18,000 unique victims in 80 countries since 2021. The botnet, also known as Eleven Eleven Botnet and CowBot, primarily targets Digital Video Recorders (DVRs) and Wi-Fi routers. It was seized by law enforcement on August 6, 2025, as part of Operation PowerOFF, an international effort to dismantle DDoS-for-hire infrastructure. Its attack capacity ranged from 2 to 6 Tbps. RapperBot targeted over 18,000 entities across 80 countries, including U.S. government systems, major media platforms, gaming companies, and large tech firms. In 2023, RapperBot added a cryptomining module to diversify its revenue stream and maximize profits from compromised devices. Since April 2025, RapperBot has launched 370,000 attacks, with bandwidth reaching several terabits per second and packet rates exceeding 1 billion packets per second (pps), sourced from more than 45,000 compromised devices across 39 countries. A DDoS attack averaging over two terabits per second and lasting 30 seconds might cost a victim anywhere from $500 to $10,000. Some RapperBot customers combined the botnet's attack volumes with extortion demands against victims. The defendant, Foltz, was charged with aiding and abetting computer intrusions, which carries a maximum sentence of ten years in prison if convicted. Foltz remains free and was issued a summons following the filing of the criminal complaint. RapperBot has shown no signs of resurgent malicious activity since the authorities seized its infrastructure on August 6.



Similar Happenings

Cloudflare mitigates 11.5 Tbps UDP flood DDoS attack

Cloudflare recently mitigated the largest recorded volumetric DDoS attack, peaking at 11.5 Tbps. The attack was a UDP flood originating primarily from a combination of several IoT and cloud providers, including Google Cloud, and lasted approximately 35 seconds. It was part of a series of hyper-volumetric DDoS attacks that Cloudflare has been mitigating automatically in recent weeks, the largest of which peaked at 5.1 Bpps and 11.5 Tbps. The traffic was generated by botnets of malware-infected devices. Google's abuse defenses detected the attack, and Google followed its standard customer notification and response protocol. Volumetric attacks aim to overwhelm servers or networks, causing them to slow down or stop responding entirely.

Cloudflare has seen a significant increase in DDoS attacks, with a 198% quarter-over-quarter increase and a 358% year-over-year jump in 2024. The company mitigated 21.3 million DDoS attacks targeting its customers and 6.6 million attacks targeting its own infrastructure during an 18-day multi-vector campaign in 2024. The sharpest spike was in network-layer attacks, which increased 509% year over year since the start of 2025.

The RapperBot kill chain targets network video recorders (NVRs) and other IoT devices to build DDoS capacity. The malware exploits security flaws in NVRs to gain initial access and download its payload, using a path traversal flaw to leak valid administrator credentials and then pushing a fake firmware update. It establishes an encrypted connection to a C2 domain to receive DDoS commands and can scan the internet for open ports to propagate the infection. The operators' methodology is to scan the internet for old edge devices and brute-force or exploit them to execute the botnet malware.

The attack's short duration of 35 seconds highlights that size alone is not the most critical metric for evaluating DDoS attacks; complexity, persistence, and impact on users matter more for DDoS defense.

Separately, a DDoS mitigation service provider in Europe was targeted in a 1.5 Bpps denial-of-service attack that originated from thousands of IoT devices and MikroTik routers and was mitigated by FastNetMon. The attack was primarily a UDP flood launched from compromised customer-premises equipment (CPE), including IoT devices and routers, across more than 11,000 unique networks worldwide. It was detected in real time, and mitigation was applied using the customer's DDoS scrubbing facility. FastNetMon's founder, Pavel Odintsov, called for ISP-level intervention to stop the weaponization of compromised consumer hardware. The attack was one of the largest packet-rate floods publicly disclosed.

BlackSuit Ransomware Infrastructure Disrupted by Law Enforcement

Law enforcement agencies from the US and several international partners disrupted the BlackSuit ransomware group. The operation, led by the Department of Homeland Security's Homeland Security Investigations (HSI), took down four servers and nine domains and seized over $1 million in cryptocurrency. BlackSuit, also known as Royal, has targeted over 450 victims in the US, including critical infrastructure sectors such as energy, healthcare, and government entities. The operation aimed to disrupt the ransomware ecosystem and hold cybercriminals accountable. The takedown occurred on July 24, 2025, and involved multiple US agencies and international partners. It is part of a broader campaign to dismantle ransomware operations and protect critical infrastructure.