Twitter (now rebranded as X) suffered a massive distributed denial-of-service (DDoS) attack on March 10, 2025, orchestrated by the Rapper Bot botnet, which was operated by Ethan J. Foltz and an unidentified co-conspirator. The attack, exceeding two terabits per second, caused intermittent global outages and disrupted service for millions of users. The botnet, comprising tens of thousands of hacked IoT devices, overwhelmed Twitter/X’s infrastructure, leading to downtime, financial losses from mitigation efforts (estimated at $500–$10,000 per attack at scale), and reputational damage. No data breach occurred, but the attack demonstrated the platform’s vulnerability to extortion-driven cybercrime, as Rapper Bot was primarily rented to online extortionists targeting gambling operations and businesses. The incident also highlighted the broader threat of DDoS-for-hire services, which exploit weak IoT security to cripple high-profile targets. Twitter/X’s outage, though temporary, underscored the operational and financial risks posed by large-scale DDoS attacks, particularly when they are leveraged for criminal extortion schemes.
Source: https://krebsonsecurity.com/2025/08/oregon-man-charged-in-rapper-bot-ddos-service/
TPRM report: https://www.rankiteo.com/company/twitter
"id": "twi523082025",
"linkid": "twitter",
"type": "Cyber Attack",
"date": "3/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': 'Millions (indirect impact due '
'to outages)',
'industry': 'Technology/Social Media',
'location': 'Global (HQ: San Francisco, California, '
'U.S.)',
'name': 'Twitter/X',
'size': 'Large (Public Company)',
'type': 'Social Media Platform'},
{'industry': 'Gambling/Entertainment',
'location': 'China',
'name': 'Unnamed Chinese Gambling Operations',
'type': 'Online Gambling Platforms'},
{'industry': 'Defense/Military',
'location': 'United States',
'name': 'U.S. Department of Defense (DoD)',
'size': 'Large',
'type': 'Government Agency'},
{'industry': 'Various (primarily in China, Japan, U.S., '
'Ireland, Hong Kong)',
'location': 'Global',
'name': '18,000 Unique Victims',
'type': ['Businesses',
'Organizations',
'Individuals']}],
'attack_vector': ['IoT Device Exploitation',
'DDoS-for-Hire Service',
'Botnet Malware (Rapper Bot, derived from fBot/Mirai)'],
'customer_advisories': ['Twitter/X users notified of March 2025 outage',
'General public advised on IoT security best '
'practices'],
'date_publicly_disclosed': '2025-08-06',
'description': 'A 22-year-old Oregon man, Ethan J. Foltz, was arrested for '
"operating 'Rapper Bot,' a massive botnet used to launch "
'distributed denial-of-service (DDoS) attacks, including a '
'March 2025 attack that knocked Twitter/X offline. The botnet, '
'comprising tens of thousands of hacked IoT devices, was '
'rented out to online extortionists, primarily targeting '
'gambling operations in China. Foltz and an unidentified '
"co-conspirator ('Slaykings') avoided law enforcement "
'attention by refraining from attacking high-profile targets '
'like KrebsOnSecurity. The botnet conducted over 370,000 '
'attacks between April and August 2025, targeting 18,000 '
'unique victims across 1,000 networks, with most victims in '
'China, Japan, the U.S., Ireland, and Hong Kong. Foltz '
'admitted to operating the botnet and wiping logs weekly to '
"obscure evidence. The botnet's code was derived from 'fBot' "
'(a variant of the Mirai botnet). Foltz faces charges of '
'aiding and abetting computer intrusions, with a maximum '
'penalty of 10 years in prison.',
'impact': {'brand_reputation_impact': ['Negative publicity for Twitter/X',
'Reputational damage to affected '
'businesses (e.g., gambling sites)'],
'downtime': ['Intermittent outages for Twitter/X',
'Variable downtime for 18,000 victims'],
'financial_loss': 'Estimated $500–$10,000 per 2+ Tbps attack '
'(30-second duration); cumulative losses across '
'370,000+ attacks unknown',
'legal_liabilities': ['Potential extortion-related legal actions '
'against victims',
'Regulatory scrutiny for affected entities'],
'operational_impact': ['Disruption of online services (e.g., '
'gambling platforms)',
'Potential extortion payments by victims'],
'systems_affected': ['Twitter/X (March 10, 2025 outage)',
'18,000 unique victims across 1,000 networks',
'DoD Internet Addresses (targeted)']},
'initial_access_broker': {'entry_point': ['Exploited IoT Devices',
'Unknown Zero-Day (mentioned in '
'chats)'],
'high_value_targets': ['Chinese Gambling Operations',
'DoD IP Addresses',
'Twitter/X']},
'investigation_status': 'Ongoing (Foltz arrested; Slaykings at large; botnet '
'disrupted)',
'lessons_learned': ['Avoiding high-profile targets (e.g., KrebsOnSecurity) '
'can prolong botnet longevity.',
'Regular log-wiping can hinder investigations but is not '
'foolproof.',
"Botnet operators prioritize 'Goldilocks' size to balance "
'power and stealth.',
'DDoS-for-hire services enable low-effort, high-impact '
'cybercrime.',
'IoT device security remains a critical vulnerability for '
'large-scale attacks.'],
'motivation': ['Financial Gain (DDoS-for-Hire)',
'Avoiding Law Enforcement Detection',
'Extortion of Online Businesses (e.g., Chinese Gambling '
'Operations)'],
'post_incident_analysis': {'corrective_actions': ['Law enforcement takedown '
'of Rapper Bot '
'infrastructure.',
'Public awareness campaigns '
'on IoT security.',
'Encouragement of DDoS '
'protection services (e.g., '
'Project Shield).',
'Pursuit of co-conspirators '
'(e.g., Slaykings, Aaron '
'Sterritt).'],
'root_causes': ['Poor IoT device security (default '
'credentials, unpatched '
'vulnerabilities).',
'Lack of DDoS mitigation '
'preparedness among victims.',
'Profit-driven cybercriminal '
'ecosystem (DDoS-for-hire).',
'Inadequate international '
'cooperation to dismantle '
'botnets.']},
'recommendations': ['Strengthen IoT device security (e.g., default credential '
'changes, patch management).',
'Monitor for unusual traffic patterns (e.g., 2+ Tbps '
'spikes).',
'Implement DDoS mitigation strategies (e.g., '
'overprovisioning, scrubbing services).',
'Collaborate with law enforcement to disrupt botnet '
'infrastructure.',
'Avoid paying extortion demands to discourage '
'DDoS-for-hire markets.'],
'references': [{'date_accessed': '2025-08-06',
'source': 'KrebsOnSecurity',
'url': 'https://krebsonsecurity.com'},
{'date_accessed': '2025-08-06',
'source': 'U.S. Department of Justice (DoJ) Criminal '
'Complaint'},
{'date_accessed': '2025-08-06',
'source': 'Defense Criminal Investigative Service (DCIS)',
'url': 'https://www.dcis.dod.mil'}],
'regulatory_compliance': {'legal_actions': ['Criminal Charges Against Ethan '
'J. Foltz (1 count of '
'aiding/abetting computer '
'intrusions)',
'Potential Extradition of Aaron '
'Sterritt (fBot operator)'],
'regulations_violated': ['Computer Fraud and Abuse '
'Act (CFAA)',
'Potential Extortion Laws'],
'regulatory_notifications': ['DoD DCIS Involvement',
'FBI Cyber Division']},
'response': {'communication_strategy': ['DoJ Press Release',
'KrebsOnSecurity Reporting',
'Public Disclosure of Arrest'],
'containment_measures': ['Arrest of Ethan J. Foltz',
'Seizure of Botnet Infrastructure',
'Disruption of Rapper Bot Operations'],
'incident_response_plan_activated': ['DoD DCIS Investigation',
'FBI/Federal Law '
'Enforcement Raid',
'Telegram Chat Logs Seized'],
'law_enforcement_notified': True,
'third_party_assistance': ['PayPal (subpoenaed for payment '
'records)',
'Google (subpoenaed for Gmail/IP '
'data)',
'Arizona ISP (hosted control '
'server)']},
'stakeholder_advisories': ['DoD entities targeted by Rapper Bot',
'Online businesses (especially gambling platforms) '
'warned about extortion risks'],
'threat_actor': [{'location': 'Springfield, Oregon, U.S.',
'name': 'Ethan J. Foltz',
'role': 'Primary Operator of Rapper Bot'},
{'alias': 'Slaykings',
'name': 'Unknown (Slaykings)',
'role': 'Co-conspirator, Profit-Sharing Partner'}],
'title': 'Rapper Bot Botnet DDoS Attacks and Arrest of Operator Ethan J. '
'Foltz',
'type': ['Distributed Denial-of-Service (DDoS) Attack',
'Botnet Operation',
'Cyber Extortion'],
'vulnerability_exploited': ['Unpatched IoT Devices',
'Unknown Zero-Day Exploit (mentioned in Telegram '
'chats)']}