Oregon Man Arrested for Operating RapperBot DDoS Service That May Have Attacked X (Twitter)

Written by:
Lore Apostol
Cybersecurity Writer

Federal authorities have arrested an individual in connection with operating RapperBot, a sophisticated distributed denial-of-service (DDoS) botnet allegedly responsible for launching at least 370,000 cyberattacks against high-profile targets across 80 countries.

The Arrest and Investigation

Ethan J. Foltz, 22, of Springfield, Oregon, was arrested on August 6, 2025, following an extensive cybercrime investigation led by the Defense Criminal Investigative Service (DCIS), the criminal investigative division of the Department of Defense (DoD) Office of Inspector General.

Several Internet addresses maintained by the DoD were the target of Rapper Bot attacks, the federal complaint says.

The accused and his alleged partner talk about one of their botnet attacks | Source: Krebs on Security

The federal complaint reveals that Foltz operated the RapperBot DDoS-for-hire service alongside an unidentified co-conspirator known by the handle "Slaykings," splitting profits equally from their criminal enterprise.

The investigation unfolded after authorities traced botnet control servers to an Arizona ISP account paid through PayPal. 

Subsequent legal processes to PayPal and Google revealed Foltz's identity through his Gmail account and search history, which showed consistent monitoring of security blogs for news about RapperBot and competing DDoS operations.

“Both FOLTZ and Slaykings were very dismissive of attention-seeking activities, the most extreme of which, in their view, was to launch DDoS attacks against the website of the prominent cybersecurity journalist Brian Krebs,” DCIS investigator Elliott Peterson wrote in the criminal complaint.

Krebs also reported on the arrest and assessed that the May 2025 DDoS was launched by the Aisuru IoT botnet, operated by a Brazilian man, Kaike Southier Leite, known online as “Forky.”

Botnet Operations and Capabilities

RapperBot represented a formidable DDoS botnet comprising approximately 65,000 compromised Internet of Things (IoT) devices globally. The botnet's primary customers were online extortionists, particularly those targeting Chinese gambling operations, according to the complaint.

The criminal operation consistently launched attacks exceeding 2 Terabits per second, with some reaching over 6 Terabits per second—hundreds of times larger than typical server capacities. The defendants maintained a deliberate "Goldilocks" strategy, keeping their botnet large enough for powerful attacks while remaining manageable and theoretically undetectable.

The control panel for the Rapper Bot botnet | Source: Krebs on Security

Foltz admitted to wiping the user and attack logs approximately once a week; however, investigators discovered that from April to August 2025, RapperBot conducted over 370,000 attacks targeting 18,000 unique victims across 1,000 networks. 

It is alleged that Rapper Bot targeted victims in over 80 countries, including “a U.S. government network, a popular social media platform, and many U.S. tech companies.” The attacks reportedly included the March 2025 attack that temporarily knocked X (formerly Twitter) offline.

RapperBot borrows much of its code from fBot, a DDoS malware strain also known as Satori and a variation of the Mirai IoT botnet.

Foltz faces charges of aiding and abetting computer intrusions, carrying a maximum penalty of 10 years in prison. 

The case demonstrates the sophisticated nature of modern cybercriminal operations and the extensive financial damage such attacks inflict on victims, with individual attacks potentially costing targets between $500 and $10,000 in direct expenses alone.

Last month, Google sued the operators of the BadBox 2.0 botnet, which infected 10 million Android devices, and NoName057(16) was dismantled in a global crackdown.

