U.S. Department of Defense (DoD)

The Rapper Bot (also known as CowBot or Eleven Eleven Botnet), a high-scale DDoS-for-hire botnet, executed at least three targeted attacks on the Department of Defense Information Network (DODIN) between April and August 2025. Operated by Ethan Foltz, the botnet infected 65,000–95,000 IoT devices and launched attacks exceeding 6 terabits per second, capable of crippling critical communication infrastructure. The assaults disrupted DOD-managed IP addresses, including public affairs websites and digital resources, though officials declined to specify the exact systems affected. While no data breach was confirmed, the attacks posed a direct threat to national security infrastructure, given the DoD’s role in critical U.S. defense operations. The botnet’s scale (370,000+ attacks across 18,000 victims in 80 nations) highlighted its potential to destabilize military and government networks. Authorities seized control in August 2025, but the persistent targeting of a vital defense network underscored the severity of the cyber threat, with implications for geopolitical stability and warfare capabilities.

Source: https://defensescoop.com/2025/08/20/rapper-bot-hit-pentagon-dodin-in-at-least-3-cyber-attacks/

TPRM report: https://www.rankiteo.com/company/disadod

"id": "dis3462034091425",
"linkid": "disadod",
"type": "Cyber Attack",
"date": "4/2025",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
{'affected_entities': [{'industry': 'Defense/Military',
                        'location': 'USA',
                        'name': 'U.S. Department of Defense (DOD)',
                        'type': 'Government Agency'},
                       {'industry': 'Technology',
                        'location': 'USA',
                        'name': 'X (formerly Twitter)',
                        'type': 'Social Media Platform'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Unnamed Technology Companies (e.g., Akamai, '
                                'AWS, Cloudflare, etc.)',
                        'type': ['Cloud Services', 'Cybersecurity Firms']},
                       {'industry': 'Multiple',
                        'location': ['China',
                                     'Japan',
                                     'USA',
                                     'Ireland',
                                     'Hong Kong',
                                     '80+ Nations'],
                        'name': 'Global IoT Device Owners',
                        'size': '65,000–95,000 infected devices',
                        'type': 'Individuals/Organizations'}],
 'attack_vector': ['IoT Device Exploitation',
                   'DDoS-for-Hire Services',
                   'Command-and-Control (C2) Infrastructure'],
 'date_publicly_disclosed': '2025-08-06',
 'date_resolved': '2025-08-06',
 'description': "The 'Rapper Bot' DDoS-for-hire botnet, allegedly operated by "
                'Ethan Foltz (22), conducted large-scale DDoS attacks between '
                'April and August 2025, targeting the U.S. Department of '
                'Defense Information Network (DODIN), a major U.S. social '
                'media platform, and thousands of global victims. The botnet '
                'infected 65,000–95,000 IoT devices, executing over 370,000 '
                'attacks across 80 nations, with peak traffic exceeding 6 '
                'Tbps. Authorities disrupted the operation in August 2025, '
                'arresting Foltz and seizing control of the botnet’s '
                'infrastructure. The attacks caused service outages, financial '
                'losses, and operational disruptions, particularly in China, '
                'Japan, the U.S., Ireland, and Hong Kong.',
 'impact': {'brand_reputation_impact': ['Erosion of Trust in DOD Cyber '
                                        'Defenses',
                                        'Negative Publicity for Affected '
                                        'Social Media Platform'],
            'downtime': ['Intermittent outages (e.g., March 2025 social media '
                         'disruption)',
                         'Duration varied by attack (some lasted 30+ seconds)'],
            'financial_loss': 'Estimated $500–$10,000 per 2+ Tbps attack '
                              '(30-second duration); total losses undisclosed',
            'legal_liabilities': ['Criminal Charges Against Ethan Foltz '
                                  '(10-year maximum penalty)',
                                  'Potential Civil Lawsuits from Victims'],
            'operational_impact': ['Denial of Service for DOD Digital '
                                   'Resources',
                                   'Disruption of Public-Facing Government '
                                   'Services',
                                   'Service Degradation for Technology '
                                   'Companies'],
            'systems_affected': ['DODIN IP Addresses (e.g., public affairs '
                                 'websites)',
                                 'U.S. Social Media Platform (e.g., X/Twitter, '
                                 'March 2025 outages)',
                                 'Global IoT Devices (65,000–95,000 '
                                 'infected)']},
 'initial_access_broker': {'entry_point': ['Exploited IoT Devices (e.g., '
                                           'iPads, WiFi routers, digital '
                                           'recorders)'],
                           'high_value_targets': ['DODIN IP Addresses',
                                                  'U.S. Social Media Platforms',
                                                  'Technology Companies']},
 'investigation_status': 'Ongoing (Operator Arrested; Botnet Disrupted)',
 'lessons_learned': ['IoT devices remain a critical attack vector for '
                     'large-scale botnets due to weak security controls.',
                     'DDoS-for-hire services enable low-skill threat actors to '
                     'launch high-impact attacks.',
                     'Weekly log wiping by botnet operators complicates '
                     'forensic investigations and victim notification.',
                     'Critical infrastructure (e.g., DODIN) requires '
                     'continuous monitoring and adaptive defenses against '
                     'volumetric attacks.'],
 'motivation': ['Financial Profit',
                'Disruption of Critical Infrastructure',
                'Extortion'],
 'post_incident_analysis': {'corrective_actions': ['DODIN enhanced network '
                                                   'segmentation and traffic '
                                                   'filtering.',
                                                   'Collaboration with tech '
                                                   'firms (e.g., Cloudflare) '
                                                   'to mitigate future '
                                                   'attacks.',
                                                   'Public awareness campaigns '
                                                   'on IoT security risks.'],
                            'root_causes': ['Proliferation of insecure IoT '
                                            'devices with default credentials.',
                                            'Lack of attribution mechanisms '
                                            'for DDoS-for-hire customers '
                                            "(e.g., 'Slaykings').",
                                            'Insufficient log retention by '
                                            'botnet operators, hindering '
                                            'victim identification.']},
 'recommendations': ['Implement stricter IoT device security standards (e.g., '
                     'mandatory password changes, firmware updates).',
                     'Enhance DDoS mitigation capabilities for government '
                     'networks, including real-time traffic analysis.',
                     'Strengthen international cooperation to dismantle '
                     'cybercrime-as-a-service platforms.',
                     'Develop automated systems to preserve botnet attack logs '
                     'despite operator countermeasures.'],
 'references': [{'source': 'DefenseScoop'},
                {'source': 'U.S. Department of Justice (Criminal Complaint '
                           'Affidavit)'},
                {'source': 'Federal Prosecutors in Alaska (Press Release)'}],
 'regulatory_compliance': {'legal_actions': ['Criminal Complaint Filed in '
                                             'Alaska (Ethan Foltz)',
                                             'Potential Violations of Computer '
                                             'Fraud and Abuse Act (CFAA)']},
 'response': {'communication_strategy': ['Press Briefing with Anonymous '
                                         'Officials',
                                         'Public Affidavit Release'],
              'containment_measures': ['Seizure of Botnet Command-and-Control '
                                       'Infrastructure',
                                       'Arrest of Operator (Ethan Foltz)'],
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True,
              'remediation_measures': ['Disruption of C2 Servers',
                                       'Forensic Analysis of Infected Devices'],
              'third_party_assistance': ['Akamai',
                                         'Amazon Web Services (AWS)',
                                         'Cloudflare',
                                         'Digital Ocean',
                                         'Flashpoint',
                                         'Google',
                                         'PayPal',
                                         'Unit 221B']},
 'stakeholder_advisories': ['DOD issued internal guidance on IoT security '
                            'post-incident.'],
 'threat_actor': {'accomplices': ["'Slaykings' (online handle, identity "
                                  'unknown)'],
                  'location': 'Oregon, USA',
                  'motivation': ['Financial Gain', 'Cybercrime-as-a-Service'],
                  'name': 'Ethan Foltz'},
 'title': 'Rapper Bot (CowBot/Eleven Eleven Botnet) DDoS Attacks on DODIN and '
          'Global Targets',
 'type': ['Distributed Denial of Service (DDoS)', 'Botnet', 'Cyber Extortion'],
 'vulnerability_exploited': ['Weak IoT Device Security (e.g., default '
                             'credentials, unpatched firmware)',
                             'Lack of Network Segmentation in Targeted '
                             'Systems']}