A 22-year-old Eugene man has been accused of developing one of the world’s most powerful hacking networks and renting it out to others to conduct large-scale cyberattacks targeting victims – including Elon Musk’s social media site X — in more than 80 countries.
Ethan J. Foltz was identified as the administrator of the Rapper Bot that infected digital video recorders, Wi-Fi routers or other computers with malware in the U.S. as well in China, Japan and Ireland, according to a federal complaint filed Tuesday in U.S. District Court in Alaska.
Rapper Bot clients would then issue commands to the infected devices to send large volumes of traffic to victim computers and servers, prosecutors allege in the complaint.
Such attacks cause companies lost revenue, loss of customers and added expenses to respond to attacks. The complaint also alleges that some Rapper Bot customers leveraged attack volumes to extort the companies affected.
Elliott R. Peterson, an agent with the U.S. Department of Defense’s Office of Inspector General, said the Rapper Bot was a variant that evolved from malware called Mirai that had been published on a Hackforums website in 2016. The administrators of the Mirai malware were prosecuted and convicted in federal court in Alaska.
The complaint claims that Rapper Bot was used in more than 370,000 attacks with at least 18,000 victims.
But investigators suspect the number of victims is in the millions because the bot has operated at least since 2021, Peterson wrote in the affidavit in support of the complaint.
The complaint references public reports about a social media site that was the victim of a cyberattack in March as an alleged victim. Musk’s site was taken down by a cyberattack in March. At the time Musk made claims about the attack being done by a “large, coordinated group and/or a country.”
Rapper Bot has been in operation since at least 2021, the complaint said.
The cyberattacks compromised internet sites and systems by flooding them with an enormous amount of traffic, causing them to slow down or crash, Peterson wrote.
“I believe that Rapper Bot, with roughly 65,000 to 95,000 victim devices, regularly conducted attacks that commonly measured between 2 and 3 terabits per second, or hundreds of times larger than the expected capacity of a typical server located in a data center. Rapper Bot’s largest attacks may have exceeded 6 Terabits per second,” Peterson wrote.
“This would place Rapper Bot among the most powerful DDoS (Distributed denial of service) botnets to have ever existed,” he wrote.
Peterson began investigating Rapper Bot after learning that a number of devices affected were in Alaska and were targeting internet companies providing service to the U.S. Department of Defense, the complaint says.
Federal investigators searched Foltz’s home in Eugene on Aug. 6 and interviewed him there.
In a recorded interview, Foltz said he was the primary administrator of Rapper Bot, which he nicknamed “CowBot” and that his primary partner was someone he knew only as “SlayKings,” the affidavit says.
On Telegram, Foltz used the handle, “Special Agent William Stevens Johnson III,” the affidavit says.
According to the interview, only Foltz and “Slaykings” had privileges to execute large-scale attacks.
Foltz also was asked about the attack on the social media company X in March and acknowledged the attack, saying he had suspended the Rapper Bot customers from his service who had launched it, the affidavit says.
Federal investigators halted Rapper Bot’s attack capabilities and obtained administrative control of it, according to the affidavit.
Foltz is charged with aiding and abetting computer intrusions. He remains out of custody but has been issued a summons to appear in federal court in Anchorage in the District of Alaska. Foltz, who does not appear to have any prior criminal record, could not be immediately reached for comment. A relative in Eugene Tuesday declined comment.
“Today’s announcement highlights the ongoing efforts by law enforcement to disrupt and dismantle emerging cyber threats targeting the Department of Defense and the defense industrial base,” federal agent Kenneth DeChellis said in a statement. He is in charge of the cyber field office of the Defense Department’s criminal investigative service.
— Maxine Bernstein covers federal court and criminal justice. Reach her at 503-221-8212, mbernstein@oregonian.com, follow her on X @maxoregonian, on Bluesky @maxbernstein.bsky.social or on LinkedIn.
If you purchase a product or register for an account through a link on our site, we may receive compensation. By using this site, you consent to our User Agreement and agree that your clicks, interactions, and personal information may be collected, recorded, and/or stored by us and social media and other third-party partners in accordance with our Privacy Policy.
