U.S. and International Authorities Dismantle Botnet Selling Hacked Routers as Residential Proxies

Law enforcement agencies, including the U.S. Justice Department, have dismantled a botnet that infected thousands of routers globally over the past two decades to supply the residential proxy services known as Anyproxy and 5socks. The operation, dubbed ‘Operation Moonlander,’ was a joint effort involving the U.S. Justice Department, the Dutch National Police, the Netherlands Public Prosecution Service (Openbaar Ministerie), the Royal Thai Police, and analysts from Lumen Technologies’ Black Lotus Labs. The botnet, which has been operating since at least 2004, infected older wireless internet routers with malware, giving the operators unauthorized access to these devices and letting them sell that access as proxy servers on Anyproxy.net and 5socks.net. These domains were managed by a Virginia-based company and hosted on servers worldwide.

The FBI also issued a warning that the botnet was targeting end-of-life routers with a variant of the TheMoon malware, which let the attackers install proxies used for cybercrime-for-hire activities, cryptocurrency theft, and other illegal operations. The botnet’s controllers required cryptocurrency for payment, and users could connect directly to the proxies without authentication, which, as documented in previous cases, gives a broad spectrum of malicious actors free access to such services. The list of devices commonly targeted by the botnet includes Linksys, Cisco, and Cradlepoint router models, such as the Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N, and WRT610N, the Cisco M10, and the Cradlepoint E100. Court documents show that the now-dismantled botnet had been infecting older wireless internet routers worldwide since at least 2004 and selling unauthorized access to the compromised devices as proxy servers on Anyproxy.net and 5socks.net. The U.S. Justice Department also indicted three Russian nationals (Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin) and a Kazakhstani national (Dmitriy Rubtsov) for their involvement in operating, maintaining, and profiting from these two illegal services.

Black Lotus Labs noted that the proxies’ source addresses are spread across such a wide range of residential networks that only around 10% are flagged as malicious by popular tools such as VirusTotal, meaning the proxies consistently evade network monitoring tools with a high degree of success. Proxies such as these are designed to conceal a range of illicit activity, including ad fraud, DDoS attacks, brute forcing, and the exploitation of victims’ data. The U.S. Justice Department’s indictment of the four individuals, three Russians and a Kazakhstani, marks a significant step in combating cybercrime and protecting users from the exploitation of their devices for illegal purposes. The operation highlights the growing sophistication of cyber threats and the need for international collaboration in addressing global cybercrime challenges.