Blog

Police dismantles botnet selling hacked routers as residential proxies

7 hours ago
3 minutes read

Law enforcement authorities have dismantled a botnet that infected thousands of routers over the last 20 years to build two networks of residential proxies known as Anyproxy and 5socks.

The U.S. Justice Department also indicted three Russian nationals (Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin) and a Kazakhstani (Dmitriy Rubtsov) for their involvement in operating, maintaining, and profiting from these two illegal services.

During this joint action dubbed ‘Operation Moonlander,’ U.S. authorities worked with prosecutors and investigators from the Dutch National Police, the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police, as well as analysts with Lumen Technologies’ Black Lotus Labs.

Court documents show that the now-dismantled botnet infected older wireless internet routers worldwide with malware since at least 2004, allowing unauthorized access to compromised devices to be sold as proxy servers on Anyproxy.net and 5socks.net. The two domains were managed by a Virginia-based company and hosted on servers globally.

“The botnet controllers require cryptocurrency for payment. Users are allowed to connect directly with proxies using no authentication, which, as documented in previous cases, can lead to a broad spectrum of malicious actors gaining free access,” Black Lotus Labs said.

“Given the source range, only around 10% are detected as malicious in popular tools such as VirusTotal, meaning they consistently avoid network monitoring tools with a high degree of success. Proxies such as this are designed to help conceal a range of illicit pursuits including ad fraud, DDoS attacks, brute forcing, or exploiting victim’s data.”

Map of infected routers
Map of compromised routers (Black Lotus Labs)

Their users paid a monthly subscription ranging from $9.95 to $110 per month, depending on the requested services. “The website’s slogan, ‘Working since 2004!,’ indicates that the service has been available for more than 20 years,” the Justice Department said today.

The four defendants advertised the two services (promoting over 7,000 proxies) as residential proxy services on various websites, including ones used by cybercriminals, and they allegedly collected over $46 million from selling subscriptions providing access to the infected routers part of the Anyproxy botnet.

They operated the Anyproxy.net and 5socks.net websites using servers registered and hosted at JCS Fedora Communications, a Russian internet hosting provider. They also used servers in the Netherlands, Türkiye, and other locations to manage the Anyproxy botnet and the two websites.

They were all charged with conspiracy and damage to protected computers, while Chertkov and Rubtsov were also accused of falsely registering a domain name.

5Socks.net seizure banner
5Socks.net seizure banner (BleepingComputer)

Targeting end-of-life (EoL) routers

On Wednesday, the FBI also issued a flash advisory and a public service announcement warning that this botnet was targeting patch end-of-life (EoL) routers with a variant of the TheMoon malware.

The FBI warned that the attackers are installing proxies later used to evade detection during cybercrime-for-hire activities, cryptocurrency theft attacks, and other illegal operations.

The list of devices commonly targeted by the botnet includes Linksys and Cisco router models, including:

  • Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550

  • Linksys WRT320N, WRT310N, WRT610N

  • Cisco M10 and Cradlepoint E100

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously,” the FBI said.

“Such residential proxy services are particularly useful to criminal hackers to provide anonymity when committing cybercrimes; residential-as opposed to commercial—IP addresses are generally assumed by internet security services as much more likely to be legitimate traffic,” today’s indictment added. “In this way, conspirators obtained a private financial gain from the sale of access to the compromised routers.”


Red Report 2025

Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.


Source link

Tags
7 hours ago
3 minutes read

Related Articles

Gorilla vs Humans Codes (May 2025)

1 hour ago

20 genuinely useful AI apps for Android – Computerworld

2 hours ago

5 best shows like ‘The Eternaut’ to stream on Netflix, Max and more

2 hours ago

Chinese hackers behind attacks targeting SAP NetWeaver servers

2 hours ago

Adidas’ 3D-printed sneaker review: What are those!?

3 hours ago

Why You Shouldn’t Worry About Your ‘Gut Health’

5 hours ago

Volvo Recalls Cars and SUVs to Fix Backup Cameras

6 hours ago

Bose Ultra Open Bluetooth Earbuds Are 30% off Right Now

6 hours ago

NYT Strands Today: Hints, Answers & Spangram for May 10, 2025

7 hours ago

The NCSC wants developers to get serious on software security

7 hours ago
Back to top button
close