
Law enforcement authorities have dismantled a botnet that, for over two decades, had infected thousands of routers across the globe. Cybercriminals leveraged this botnet to build two proxy networks—Anyproxy and 5socks—operating surreptitiously through compromised home devices.
The U.S. Department of Justice has filed charges against four individuals: Russian nationals Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Alexander Alexandrovich Shishkin, along with Kazakhstani citizen Dmitry Rubtsov. According to investigators, the defendants were involved in the creation, maintenance, and monetization of these illicit services.
The operation, codenamed Moonlander, was a collaborative effort involving U.S. authorities, prosecutors and investigators from the Dutch National Police, the Dutch Public Prosecution Service (Openbaar Ministerie), the Royal Thai Police, and analysts from Black Lotus Labs at Lumen Technologies.
Case files reveal that since 2004, the botnet had been infecting outdated wireless routers with malicious software. Unauthorized access to these compromised devices was then sold as residential proxy services through the websites Anyproxy.net and 5socks.net. Both domains were operated by a company registered in the state of Virginia, while the associated servers were distributed globally.
The operators accepted payment exclusively in cryptocurrency. Clients were granted direct proxy access without authentication—an arrangement that, according to Black Lotus Labs, provided a fertile ground for malicious activity. Their analysis found that widely used reputation services such as VirusTotal flagged only about 10% of the network's IP addresses as malicious, which let the proxy infrastructure slip past most network monitoring systems. The services were widely used to obscure nefarious operations, including ad fraud, DDoS attacks, credential stuffing, and data theft.
Subscription fees ranged from $9.95 to $110 per month, depending on the level of access. The service’s slogan—“Operating since 2004!”—underscored its long-standing presence in the cybercriminal underground.
The accused promoted their offerings across various platforms, including dark web marketplaces, advertising access to more than 7,000 residential IP-based proxies. Prosecutors allege the group earned over $46 million from subscription sales tied to the infected routers within the Anyproxy network.
The sites Anyproxy.net and 5socks.net were hosted on servers provided by Russian hosting provider JCS Fedora Communications. The broader botnet infrastructure also utilized servers in the Netherlands, Turkey, and other countries to manage both the botnet and the websites.
All defendants face charges of conspiracy and damaging protected computers. Chertkov and Rubtsov are additionally accused of falsifying domain name registration details.
On Wednesday, the FBI issued an urgent public warning, revealing that the botnet targets end-of-life (EoL) routers using a modified variant of the infamous malware TheMoon. Once installed, the proxies enable attackers to conceal their identities while executing targeted cyberattacks, stealing cryptocurrency, and engaging in other illicit activities.
Among the most frequently exploited devices are various models of Linksys and Cisco routers. Specifically named vulnerable devices include: Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, Linksys WRT320N, WRT310N, WRT610N, as well as Cisco M10 and Cradlepoint E100.
“Recently, we identified that legacy routers with remote administration enabled are being infected with a new variant of TheMoon malware,” the FBI explained. “This allows attackers to install proxy services on unsuspecting users’ devices, enabling anonymous and unlawful operations.”
As noted in the indictment, residential proxy endpoints are particularly prized by cybercriminals because internet security systems are significantly more likely to treat traffic from home IPs as legitimate, in contrast to traffic originating from commercial or datacenter addresses.