Fri May 09 2025

The Dutch Police and the FBI dismantle a botnet of hacked routers.

U.S. authorities have charged three Russian citizens and one Kazakh national with hacking and selling access to a botnet made up of vulnerable Internet-connected devices.

A joint action by international law enforcement led to the shutdown of two services accused of providing a botnet composed of Internet-connected devices, including routers, for use by cybercriminals. Additionally, the U.S. Attorney's Office filed charges against four individuals alleged to have hacked these devices and operated the botnet. On Wednesday, the websites of Anyproxy and 5Socks were replaced with notices indicating that they had been confiscated by the FBI as part of an operation known as "Operation Moonlander." The notification specified that the action was carried out by several agencies, including the FBI, the Dutch National Police, the U.S. Attorney's Office for the Northern District of Oklahoma, and the U.S. Department of Justice.

On Friday, U.S. prosecutors announced the dismantling of the botnet and charged three Russian nationals: Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin, along with Dmitriy Rubtsov, a national of Kazakhstan. They are accused of profiting by operating Anyproxy and 5Socks, presenting themselves as legitimate proxy service providers, even though prosecutors argue that these networks were based on hacked routers. According to the indictment, the four individuals, who reside outside the United States, targeted older models of wireless routers with known vulnerabilities, compromising "thousands" of these devices.

By taking control of the vulnerable routers, the accused then sold access to the botnet through Anyproxy and 5Socks, services that had been active since 2004. Residential proxy networks are not illegal in themselves; they are often used to provide IP addresses to clients wanting to access geoblocked content or evade government censorship. However, Anyproxy and 5Socks allegedly built their proxy network by infecting thousands of Internet-connected devices, turning them into a botnet for use by cybercriminals.

"Subscribing to the botnet made the Internet traffic of subscribers appear to come from the IP addresses assigned to the compromised devices, rather than the IPs of the devices they were actually using for their online activities," the indictment details. The conspirators publicly marketed the Anyproxy botnet, via 5Socks, as a residential proxy service on social media and online discussion forums, including cybercrime forums. Residential proxy services are particularly useful to criminal hackers because their traffic appears to originate from ordinary home connections rather than from infrastructure the attacker controls, which both hides the real origin of an attack and undermines defences that block or rate-limit by source IP address.

It is estimated that the four accused generated over $46 million from selling access to the botnet. An FBI spokesperson did not provide comments when contacted. According to a researcher from Black Lotus Labs, the services were used for various types of abuses, including brute force attacks, distributed denial-of-service (DDoS) attacks, and ad fraud. Black Lotus Labs, a team within the cybersecurity firm Lumen, assisted authorities in tracking the proxy networks involved.
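The brute-force abuse mentioned above is exactly the case where a residential proxy pool defeats per-IP defences: each compromised router contributes only one or two attempts, so no single address ever crosses a block threshold. The following added example (not code from the article, the investigators or the services it describes) runs a conventional per-IP rule and a per-target rule over a constructed sshd log excerpt. The log format, the hostname `gw`, and the RFC 5737 documentation addresses are all assumptions made for illustration.

```python
"""Detecting a distributed brute-force attack that arrives through many
residential proxy IPs (added example; sample log lines are constructed)."""
import re
from collections import Counter, defaultdict

# Matches OpenSSH's "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sshd excerpt: ten failures against "admin" from ten different
# proxy IPs (one attempt each), six failures against "root" from one noisy IP,
# one innocent typo by "alice", and one successful login that must be ignored.
SAMPLE_LOG = """\
May  9 10:00:01 gw sshd[1201]: Failed password for admin from 203.0.113.11 port 50122 ssh2
May  9 10:00:04 gw sshd[1203]: Failed password for admin from 198.51.100.22 port 50191 ssh2
May  9 10:00:09 gw sshd[1205]: Failed password for invalid user admin from 192.0.2.33 port 50230 ssh2
May  9 10:00:13 gw sshd[1207]: Failed password for admin from 203.0.113.44 port 50302 ssh2
May  9 10:00:17 gw sshd[1209]: Failed password for admin from 198.51.100.55 port 50377 ssh2
May  9 10:00:20 gw sshd[1211]: Accepted publickey for bob from 192.0.2.10 port 51000 ssh2
May  9 10:00:22 gw sshd[1213]: Failed password for admin from 192.0.2.66 port 50410 ssh2
May  9 10:00:26 gw sshd[1215]: Failed password for admin from 203.0.113.77 port 50455 ssh2
May  9 10:00:31 gw sshd[1217]: Failed password for admin from 198.51.100.88 port 50498 ssh2
May  9 10:00:35 gw sshd[1219]: Failed password for admin from 192.0.2.99 port 50533 ssh2
May  9 10:00:40 gw sshd[1221]: Failed password for admin from 203.0.113.100 port 50571 ssh2
May  9 10:01:02 gw sshd[1223]: Failed password for root from 198.51.100.7 port 40011 ssh2
May  9 10:01:03 gw sshd[1225]: Failed password for root from 198.51.100.7 port 40012 ssh2
May  9 10:01:04 gw sshd[1227]: Failed password for root from 198.51.100.7 port 40013 ssh2
May  9 10:01:05 gw sshd[1229]: Failed password for root from 198.51.100.7 port 40014 ssh2
May  9 10:01:06 gw sshd[1231]: Failed password for root from 198.51.100.7 port 40015 ssh2
May  9 10:01:07 gw sshd[1233]: Failed password for root from 198.51.100.7 port 40016 ssh2
May  9 10:02:15 gw sshd[1235]: Failed password for alice from 192.0.2.44 port 52001 ssh2
"""


def parse_failed_logins(log_text):
    """Return a list of (user, source_ip) tuples, one per failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def per_ip_offenders(events, threshold=5):
    """Classic fail2ban-style rule: flag any source IP with >= threshold failures.
    A proxy pool spreads attempts so that no single IP reaches this threshold."""
    counts = Counter(ip for _, ip in events)
    return {ip for ip, n in counts.items() if n >= threshold}


def distributed_bruteforce(events, min_attempts=8, min_distinct_ips=5):
    """Aggregate by target account instead of by source: flag accounts that
    receive many failures spread over many distinct IPs. This is the pattern a
    residential proxy botnet produces and the per-IP rule cannot see."""
    attempts = Counter()
    sources = defaultdict(set)
    for user, ip in events:
        attempts[user] += 1
        sources[user].add(ip)
    return {
        user: {"attempts": attempts[user], "distinct_ips": len(sources[user])}
        for user in attempts
        if attempts[user] >= min_attempts and len(sources[user]) >= min_distinct_ips
    }


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_LOG)
    print("per-IP rule flags:", per_ip_offenders(ev))          # only the noisy 198.51.100.7
    print("per-account rule flags:", distributed_bruteforce(ev))  # the admin campaign
```

The per-IP rule catches only the single loud source against `root`; the campaign against `admin`, with one attempt per proxy IP, is invisible to it and shows up only when failures are counted per target account and the spread of source addresses is taken into account. In production the same aggregation would be run over a sliding time window and combined with per-account lockout or step-up authentication rather than IP blocking.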

The analysis found that the botnet was "designed to offer anonymity to malicious actors online" and that Anyproxy and 5Socks are "the same group of proxies operated by the same operators, just under a different name." According to the same analysis, the botnet had an average of around 1,000 active proxies per week across more than 80 countries.

Spur, a company that tracks proxy services on the Internet, also participated in the operation, and its co-founder remarked that while 5Socks is one of the smaller criminal networks, it had "grown in popularity due to financial fraud."