Law Enforcement Disrupts Botnet Operation Utilizing Compromised Routers for Residential Proxy Services

Law enforcement authorities have disrupted a botnet that compromised thousands of routers over the past 20 years and used them to build two residential proxy networks, known as Anyproxy and 5socks.

The U.S. Justice Department has indicted three Russian nationals—Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin—as well as a Kazakhstani national, Dmitriy Rubtsov, for their roles in operating, maintaining, and profiting from these illicit services.

This operation, dubbed ‘Operation Moonlander,’ involved a collaborative effort between U.S. authorities, representatives from the Dutch National Police, the Netherlands Public Prosecution Service, and the Royal Thai Police, along with analysts from Lumen Technologies’ Black Lotus Labs.

Court documents reveal that the botnet had been infecting older wireless internet routers with malware since at least 2004, giving the operators unauthorized access to the compromised devices, which were then sold as proxy servers on Anyproxy.net and 5socks.net. Both domains were associated with a Virginia-based company and were hosted on servers located around the world.

The botnet operators demanded payment in cryptocurrency for the service. Because the proxies accepted connections without authentication, anyone who discovered them could use them for free, not only paying subscribers. According to Black Lotus Labs, approximately 90% of these proxies evade detection by popular security tools, which poses significant risk because such proxies are frequently used to mask a variety of illicit activities, including ad fraud, DDoS attacks, and brute-force attempts.

Users of these services subscribed on a monthly basis, paying between $9.95 and $110 depending on the desired services. The Justice Department noted that the sites' slogan, "Working since 2004!", reflects the longevity of the operation.

The defendants advertised the two services, which offered more than 7,000 proxies, on various cybercriminal platforms, reportedly generating over $46 million from the sale of subscriptions that provided access to the infected routers in the Anyproxy botnet.

They managed the Anyproxy.net and 5socks.net websites using servers registered and hosted by JCS Fedora Communications, a Russian internet service provider, as well as servers located in the Netherlands, Türkiye, and other regions.

All four individuals face charges of conspiracy and damaging protected computers, with Chertkov and Rubtsov additionally accused of improperly registering a domain name.

In a related flash advisory, the FBI stated that this botnet predominantly targeted end-of-life (EoL) routers with a variant of the TheMoon malware. The malware lets the operators install proxy software on the infected device, which cybercriminals then use to hide the origin of their activities, including cryptocurrency theft.

The routers most commonly targeted by this botnet include the Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N and WRT610N, as well as the Cisco M10 and the Cradlepoint E100.

The FBI noted that end-of-life routers, particularly those with remote administration enabled, have been compromised by the newly identified TheMoon variant. The bureau emphasized that residential proxy services are highly attractive to cybercriminals because traffic from a home IP address appears more legitimate than traffic from commercial IP addresses.

These developments underscore the need to retire or isolate unsupported devices and to disable remote administration on those that remain in service, so that vulnerable routers cannot be recruited into criminal proxy infrastructure.