Springfield man charged in cyberattacks-for-hire scheme

Federal prosecutors on Tuesday, Aug. 19, charged a 22-year-old Springfield man with overseeing a network of computers infested with specialized malware, and then launching powerful cyberattacks on companies and governmental networks.

Ethan J. Foltz has been charged with aiding and abetting computer intrusions by allegedly administering “Rapper Bot,” prosecutors said in a news release Tuesday.

A U.S. Attorney’s Office spokesperson on Wednesday confirmed that Foltz is from Springfield, despite the news release stating he is from Eugene.

If convicted, Foltz faces up to 10 years in prison. Foltz has not been arrested or detained, but has been ordered to appear for future court proceedings, said Reagan Zimmerman-Hartzheim, a spokesperson for the U.S. Attorney’s Office in Alaska, where Foltz has been charged.

An Aug. 6 search warrant of Foltz’s home allowed authorities to seize control of Rapper Bot, which is a “botnet.” The term is used by computer experts to describe a collection of online devices that have been infested with malware and that can then be used for malicious purposes — with the owners of the devices typically unaware.

The botnet known as Rapper Bot deployed what are known as distributed denial-of-service, or DDoS, attacks, in which large volumes of online traffic flood victim computers and servers.

Foltz and unnamed co-conspirators “allegedly monetized Rapper Bot by providing select paying customers with access to one of the most sophisticated and powerful DDoS-for-hire botnets currently in existence,” the U.S. Attorney’s Office in Alaska said in a statement Tuesday.

The statement said “at least five infected victim devices are in Alaska and were forced to participate in attacks.”

An affidavit filed in the case describes Rapper Bot — also known as Eleven Eleven Botnet and CowBot — as taking control of roughly 65,000 to 95,000 devices such as digital video recorders or Wi-Fi routers.

Prosecutors say that after the Aug. 6 search warrant of Foltz’s home allowed authorities to seize control of the botnet, no Rapper Bot attacks have been reported.

Authorities say Rapper Bot, “targeted victims in over 80 countries, including a U.S. government network, a popular social media platform and many U.S. tech companies.”

The DDoS attacks have resulted in costs associated with “lost revenue, disgruntled customers, [and] resources used to respond to attacks and bandwidth usage costs,” according to prosecutors.

The prosecutors in their statement alleged Rapper Bot has been involved in large-scale cyberattacks “since at least 2021.”

An affidavit filed in court by Elliott Peterson, a special agent with the Defense Criminal Investigative Service, a part of the Department of Defense, described how investigators linked Rapper Bot to Foltz:

An unnamed U.S. technology company “derived the specific communication protocol being used by Rapper Bot,” allowing investigators to track the “command-and-control” components in the Botnet attacks, including where servers were hosted.

Records obtained “pursuant to further legal process” showed a “Seth Rogan” paid for the server – a “plainly fictitious” identifier, the affidavit states – and additional investigation linked PayPal records to “several accounts in the name of Ethan Foltz.”

The affidavit says that Foltz, in a recorded interview, “stated that he was the primary administrator of Rapper Bot,” with a “primary partner” known to him only as “SlayKings.”