Between April and August 2025, a potent botnet known as “Rapper Bot” successfully executed at least three Distributed Denial of Service (DDoS) attacks against the Department of Defense Information Network (DODIN), U.S. officials confirmed this week. The malware network, also known by aliases like CowBot and Eleven Eleven Botnet, was dismantled by U.S. authorities earlier this month.
Federal prosecutors in Alaska charged 22-year-old Ethan Foltz with allegedly operating the botnet-for-hire platform that enabled widespread cyber extortion.
According to a criminal affidavit, Rapper Bot infected up to 95,000 vulnerable IoT devices.
Routers, digital recorders, and consumer electronics were used to flood targets with internet traffic that overwhelmed their systems.
The attacks targeted a wide spectrum of entities, from social media companies and tech firms to the U.S. government. While officials declined to offer specific details about the Pentagon IP addresses that were hit, they confirmed that the incidents were not random and did not affect critical defense industrial base infrastructure.
Why It Matters: The Rapper Bot investigation is a prime example of the national security risks posed by unsecured IoT devices and the growing threat of cybercrime-as-a-service. DDoS-for-hire operations can disrupt essential services and government functions globally, with devastating speed and scale. The involvement of a young domestic operator and the use of evasive log-wiping techniques point to the increasing accessibility of cybercrime tools and the need for stronger, coordinated defenses.
- Direct Pentagon Targeting Confirmed: U.S. authorities verified that at least three DDoS attacks impacted Department of Defense-owned IP addresses. These included websites related to public affairs and other non-classified resources, though officials would not disclose precise targets.
- Global Attack Footprint: From April through early August 2025, Rapper Bot launched more than 370,000 DDoS attacks on 18,000 distinct victims across 80 countries. The most targeted regions included China, Japan, the United States, Ireland, and Hong Kong.
- Extreme Scale and Disruption: One documented DDoS event generated more than six terabits per second of traffic, making Rapper Bot one of the most powerful botnets in history. An average 30-second attack at just two terabits per second could cost victims up to $10,000.
- Botnet Operator Identified and Charged: Ethan Foltz allegedly built and operated Rapper Bot for years, sharing proceeds with an unidentified online associate known only as “Slaykings.” During a search of Foltz’s residence, he admitted to controlling the botnet and its financial operations.
- Tech Industry Aided Investigation: Major technology firms, including Amazon Web Services, Google, Cloudflare, and PayPal, supplied intelligence and account records, aiding U.S. law enforcement in mapping and dismantling the botnet infrastructure.
- Systematic Concealment Tactics: The botnet’s command and control servers were programmed to erase logs weekly, making forensic analysis difficult. Officials believe millions of devices were likely infected, and millions more DDoS attempts may have gone undetected over the years.
Go Deeper -> ‘Rapper Bot’ hit the Pentagon in at least 3 cyberattacks – DefenseScoop


