{"id":6272,"date":"2025-08-20T03:03:59","date_gmt":"2025-08-20T03:03:59","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/20\/oregon-man-charged-in-rapper-bot-ddos-service\/"},"modified":"2025-08-20T03:03:59","modified_gmt":"2025-08-20T03:03:59","slug":"oregon-man-charged-in-rapper-bot-ddos-service","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/20\/oregon-man-charged-in-rapper-bot-ddos-service\/","title":{"rendered":"Oregon Man Charged in \u2018Rapper Bot\u2019 DDoS Service"},"content":{"rendered":"<div>\n<p>A 22-year-old Oregon man has been arrested on suspicion of operating \u201c<strong>Rapper Bot<\/strong>,\u201d a massive botnet used to power a service for launching distributed denial-of-service (DDoS) attacks against targets \u2014 including a March 2025 DDoS that knocked Twitter\/X offline.
The Justice Department asserts the suspect and an unidentified co-conspirator rented out the botnet to online extortionists, and tried to stay off the radar of law enforcement by ensuring that their botnet was never pointed at KrebsOnSecurity.<\/p>\n<div id=\"attachment_71952\" style=\"width: 757px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-71952\" decoding=\"async\" class=\" wp-image-71952\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbotpanel.png?resize=747%2C553&#038;ssl=1\" alt=\"\" width=\"747\" height=\"553\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbotpanel.png 1190w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbotpanel-768x568.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbotpanel-782x578.png 782w\" sizes=\"(max-width: 747px) 100vw, 747px\"><\/p>\n<p id=\"caption-attachment-71952\" class=\"wp-caption-text\">The control panel for the Rapper Bot botnet greets users with the message \u201cWelcome to the Ball Pit, Now with refrigerator support,\u201d an apparent reference to a handful of IoT-enabled refrigerators that were enslaved in their DDoS botnet.<\/p>\n<\/div>\n<p>On August 6, 2025, federal agents arrested <strong>Ethan J. Foltz<\/strong> of Springfield, Ore. on suspicion of operating Rapper Bot, a globally dispersed collection of tens of thousands of hacked Internet of Things (IoT) devices.<\/p>\n<p>The complaint against Foltz explains the attacks usually clocked in at more than two terabits of junk data per second (a terabit is one trillion bits of data), which is more than enough traffic to cause serious problems for all but the most well-defended targets. 
The government says Rapper Bot consistently launched attacks that were \u201chundreds of times larger than the expected capacity of a typical server located in a data center,\u201d and that some of its biggest attacks exceeded six terabits per second.<\/p>\n<p>Indeed, Rapper Bot was <a href=\"https:\/\/cyberpress.org\/rapperbot-exploits-dvrs-to-take-control-of-surveillance-cameras\/\" target=\"_blank\" rel=\"noopener\">reportedly responsible<\/a> for the March 10, 2025 attack that caused intermittent outages on Twitter\/X. The government says Rapper Bot\u2019s most lucrative and frequent customers were involved in extorting online businesses \u2014 including numerous gambling operations based in China.<\/p>\n<p>The criminal complaint was written by <strong>Elliott Peterson<\/strong>, an investigator with the <strong>Defense Criminal Investigative Service<\/strong> (DCIS), the criminal investigative division of the <strong>Department of Defense<\/strong> (DoD) Office of Inspector General. The complaint notes the DCIS got involved because several Internet addresses maintained by the DoD were the target of Rapper Bot attacks.<\/p>\n<p>Peterson said he tracked Rapper Bot to Foltz after a subpoena to an ISP in Arizona that was hosting one of the botnet\u2019s control servers showed the account was paid for via <strong>PayPal<\/strong>. More legal process to PayPal revealed Foltz\u2019s <strong>Gmail<\/strong> account and previously used IP addresses. 
A subpoena to Google showed the defendant searched security blogs constantly for news about Rapper Bot, and for updates about competing DDoS-for-hire botnets.<\/p>\n<p>According to the complaint, after having a search warrant served on his residence the defendant admitted to building and operating Rapper Bot, sharing the profits 50\/50 with a person he claimed to know only by the hacker handle \u201c<strong>Slaykings<\/strong>.\u201d Foltz also shared with investigators the logs from his Telegram chats, wherein Foltz and Slaykings discussed how best to stay off the radar of law enforcement investigators while their competitors were getting busted.<\/p>\n<p>Specifically, the two hackers chatted about <a href=\"https:\/\/krebsonsecurity.com\/2025\/05\/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos\/\" target=\"_blank\" rel=\"noopener\">a May 20 attack against KrebsOnSecurity.com<\/a> that clocked in at more than 6.3 terabits of data per second. The brief attack was notable because at the time it was the largest DDoS that Google had ever mitigated (KrebsOnSecurity sits behind the protection of <strong>Project Shield<\/strong>, a free DDoS defense service that\u00a0<strong>Google<\/strong> provides to websites offering news, human rights, and election-related content).<\/p>\n<p>The May 2025 DDoS was launched by an IoT botnet called <strong>Aisuru<\/strong>, which I discovered was operated by a 21-year-old man in Brazil named <strong>Kaike Southier Leite<\/strong>. This individual was more commonly known online as \u201c<strong>Forky<\/strong>,\u201d and Forky told me he wasn\u2019t afraid of me or U.S. federal investigators. 
Nevertheless, the complaint against Foltz notes that Forky\u2019s botnet seemed to diminish in size and firepower at the same time that Rapper Bot\u2019s infection numbers were on the upswing.<\/p>\n<p>\u201cBoth FOLTZ and Slaykings were very dismissive of attention seeking activities, the most extreme of which, in their view, was to launch DDoS attacks against the website of the prominent cyber security journalist Brian Krebs,\u201d Peterson wrote in the criminal complaint.<\/p>\n<p>\u201cYou see, they\u2019ll get themselves [expletive],\u201d Slaykings wrote in response to Foltz\u2019s comments about Forky and Aisuru bringing too much heat on themselves.<\/p>\n<p>\u201cProb cuz [redacted] hit krebs,\u201d Foltz wrote in reply.<\/p>\n<p>\u201cGoing against Krebs isn\u2019t a good move,\u201d Slaykings concurred. \u201cIt isn\u2019t about being a [expletive] or afraid, you just get a lot of problems for zero money. Childish, but good. Let them die.\u201d<\/p>\n<p>\u201cYe, it\u2019s good tho, they will die,\u201d Foltz replied.<\/p>\n<p>The government states that just prior to Foltz\u2019s arrest, Rapper Bot had enslaved an estimated 65,000 devices globally. That may sound like a lot, but the complaint notes the defendants weren\u2019t interested in making headlines for building the world\u2019s largest or most powerful botnet.<\/p>\n<p>Quite the contrary: The complaint asserts that the accused took care to maintain their botnet in a \u201cGoldilocks\u201d size \u2014 ensuring that \u201cthe number of devices afforded powerful attacks while still being manageable to control and, in the hopes of Foltz and his partners, small enough to not be detected.\u201d<\/p>\n<p>The complaint states that several days later, Foltz and Slaykings returned to discussing what they expected to befall their rival group, with Slaykings stating, \u201cKrebs is very revenge.
He won\u2019t stop until they are [expletive] to the bone.\u201d<\/p>\n<p>\u201cSurprised they have any bots left,\u201d Foltz answered.<\/p>\n<p>\u201cKrebs is not the one you want to have on your back. Not because he is scary or something, just because he will not give up UNTIL you are [expletive] [expletive]. Proved it with Mirai and many other cases.\u201d<span id=\"more-71944\"><\/span><\/p>\n<p>[Unknown expletives aside, that may well be the highest compliment I\u2019ve ever been paid by a cybercriminal. I might even have part of that quote made into a t-shirt or mug or something. It\u2019s also nice that they didn\u2019t let any of their customers attack my site \u2014 if even only out of a paranoid sense of self-preservation.]<\/p>\n<p>Foltz admitted to wiping the user and attack logs for the botnet approximately once a week, so investigators were unable to tally the total number of attacks, customers and targets of this vast crime machine. But the data that was still available showed that from April 2025 to early August, Rapper Bot conducted over 370,000 attacks, targeting 18,000 unique victims across 1,000 networks, with the bulk of victims residing in China, Japan, the United States, Ireland and Hong Kong (in that order).<\/p>\n<p>According to the government, Rapper Bot borrows much of its code from <strong>fBot<\/strong>, a DDoS malware strain also known as <strong>Satori<\/strong>. In 2020, <a href=\"https:\/\/krebsonsecurity.com\/2020\/06\/new-charges-sentencing-in-satori-iot-botnet-conspiracy\/\" target=\"_blank\" rel=\"noopener\">authorities in Northern Ireland charged a then 20-year-old man<\/a> named <strong>Aaron \u201cVamp\u201d Sterritt<\/strong> with operating fBot with a co-conspirator. U.S. prosecutors are still seeking Sterritt\u2019s extradition to the United States. 
fBot is itself a variation of the <strong>Mirai IoT botnet<\/strong>\u00a0that has <a href=\"https:\/\/krebsonsecurity.com\/2016\/09\/krebsonsecurity-hit-with-record-ddos\/\" target=\"_blank\" rel=\"noopener\">ravaged the Internet with DDoS attacks<\/a> since <a href=\"https:\/\/krebsonsecurity.com\/2016\/10\/source-code-for-iot-botnet-mirai-released\/\" target=\"_blank\" rel=\"noopener\">its source code was leaked back in 2016<\/a>.<\/p>\n<p>The complaint says Foltz and his partner did not allow most customers to launch attacks that were more than 60 seconds in duration \u2014 another way they tried to keep public attention to the botnet at a minimum. However, the government says the proprietors also had special arrangements with certain high-paying clients that allowed much larger and longer attacks.<\/p>\n<div id=\"attachment_71951\" style=\"width: 760px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71951\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71951\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbot-mad.png?resize=750%2C610&#038;ssl=1\" alt=\"\" width=\"750\" height=\"610\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbot-mad.png 1046w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbot-mad-768x625.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbot-mad-782x636.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/p>\n<p id=\"caption-attachment-71951\" class=\"wp-caption-text\">The accused and his alleged partner made light of this blog post about the fallout from one of their botnet attacks.<\/p>\n<\/div>\n<p>Most people who have never been on the receiving end of a monster DDoS attack have no idea of the cost and disruption that such sieges can bring. 
The DCIS\u2019s Peterson wrote that he was able to test the botnet\u2019s capabilities while interviewing Foltz, and found that \u201cif this had been a server upon which I was running a website, using services such as load balancers, and paying for both outgoing and incoming data, at estimated industry average rates the attack (2+ Terabits per second times 30 seconds) might have cost the victim anywhere from $500 to $10,000.\u201d<\/p>\n<p>\u201cDDoS attacks at this scale often expose victims to devastating financial impact, and a potential alternative, network engineering solutions that mitigate the expected attacks such as overprovisioning, i.e. increasing potential Internet capacity, or DDoS defense technologies, can themselves be prohibitively expensive,\u201d the complaint continues. \u201cThis \u2018rock and a hard place\u2019 reality for many victims can leave them acutely exposed to extortion demands \u2013 \u2018pay X dollars and the DDoS attacks stop\u2019.\u201d<\/p>\n<p>The Telegram chat records show that the day before Peterson and other federal agents raided Foltz\u2019s residence, Foltz allegedly told his partner he\u2019d found 32,000 new devices that were vulnerable to a previously unknown exploit.<\/p>\n<div id=\"attachment_71950\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71950\" decoding=\"async\" loading=\"lazy\" class=\" wp-image-71950\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbot-exploit.png?resize=749%2C483&#038;ssl=1\" alt=\"\" width=\"749\" height=\"483\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbot-exploit.png 1255w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbot-exploit-768x495.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/rapperbot-exploit-782x504.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p
id=\"caption-attachment-71950\" class=\"wp-caption-text\">Foltz and Slaykings discussing the discovery of an IoT vulnerability that will give them 32,000 new devices.<\/p>\n<\/div>\n<p>Shortly before the search warrant was served on his residence, Foltz allegedly told his partner that \u201cOnce again we have the biggest botnet in the community.\u201d The following day, Foltz told his partner that it was going to be a great day \u2014 the biggest so far in terms of income generated by Rapper Bot.<\/p>\n<p>\u201cI sat next to Foltz while the messages poured in \u2014 promises of $800, then $1,000, the proceeds ticking up as the day went on,\u201d Peterson wrote. \u201cNoticing a change in Foltz\u2019 behavior and concerned that Foltz was making changes to the botnet configuration in real time, Slaykings asked him \u2018What\u2019s up?\u2019 Foltz deftly typed out some quick responses. Reassured by Foltz\u2019 answer, Slaykings responded, \u2018Ok, I\u2019m the paranoid one.\u2019\u201d<\/p>\n<p>The case is being prosecuted by <strong>Assistant U.S. Attorney Adam Alexander<\/strong> in the District of Alaska (at least some of the devices found to be infected with Rapper Bot were located there, and it is where Peterson is stationed). Foltz faces one count of aiding and abetting computer intrusions.
If convicted, he faces a maximum penalty of 10 years in prison, although a federal judge is unlikely to award anywhere near that kind of sentence for a first-time conviction.<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/08\/oregon-man-charged-in-rapper-bot-ddos-service\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Oregon Man Charged in \u2018Rapper Bot\u2019 DDoS Service A 22-year-old Oregon man has been arrested on suspicion of operating \u201cRapper Bot,\u201d a massive botnet used to power a service for launching distributed denial-of-service (DDoS) attacks against targets \u2014 including a March 2025 DDoS that knocked Twitter\/X offline. The Justice Department asserts the suspect and an [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,230,1318,1723,1724,1296,1480,163,55,190,515,1299,1725,1726],"tags":[72],"class_list":["post-6272","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-ddos-for-hire","category-defense-criminal-investigative-service","category-elliott-peterson","category-ethan-j-foltz","category-forky","category-gmail","category-google","category-krebsonsecurity","category-neer-do-well-news","category-paypal","category-project-shield","category-rapper-bot","category-slaykings","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6272"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replie
s":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=6272"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/6272\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=6272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=6272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=6272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}