Law enforcement has dismantled a sophisticated botnet that used compromised routers to create residential proxy networks that were then sold through the websites Anyproxy.net and 5socks.net for subscriptions ranging from $9.95 to $110 per month. The services had been in operation since 2004.
According to the indictment, the botnet operators - three Russian citizens (Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin) and one Kazakh citizen (Dmitry Rubtsov) - made more than $46 million by selling access to more than 7,000 proxies.
The Anyproxy and 5Socks networks were based on a botnet that infected thousands of older router models around the world by exploiting known vulnerabilities in end-of-life (EoL) devices that no longer receive security updates from their manufacturers. Such proxies were especially valuable for masking malicious traffic, since residential IP addresses are often treated as legitimate by security systems.
The malware, believed to be a variant of TheMoon, communicated with command and control (C2) servers via a two-way handshake. The C2 infrastructure handled regular check-ins with infected routers, opened ports for proxy operation, and managed traffic routing.
Anyproxy and 5Socks were hosted on servers managed by the Russian hosting company JCS Fedora Communications. The Anyproxy.net and 5socks.net domains were registered using fake data, making attribution difficult. The services were advertised on cybercriminal forums and social media, promoting the capabilities of residential proxies. Clients could purchase access to specific IP addresses and ports, but these had weak authentication, making them vulnerable to abuse by other actors.
Operation Moonlander was completed on May 9, 2025, under the direction of the U.S. Department of Justice, with assistance from the FBI’s Oklahoma City Cyber Unit, the Dutch National Police, the Dutch Public Prosecutor’s Office, and the Royal Thai Police. Lumen Technologies’ Black Lotus Labs provided critical technical analysis, tracking C2 nodes and botnet architecture.
The FBI obtained warrants to seize Anyproxy.net and 5socks.net, replacing their contents with a DOJ notice. All four defendants were charged with conspiracy and causing damage to protected computers. The indictment details their roles in finding vulnerable routers, planting malware, and managing proxy sales. The feds drew on lessons learned from previous takedowns, such as the 911 S5 botnet in 2024.