International Law Enforcement Dismantles Major Botnet Exploiting Hacked Routers
A coordinated international law enforcement operation, including the FBI and the Dutch National Police, dismantled the Anyproxy and 5Socks botnet, which exploited thousands of vulnerable routers worldwide. Four individuals were indicted for hacking the devices and earning more than $46 million by selling access to the resulting proxy network to other criminals. The botnet masked malicious traffic by routing it through compromised residential IP addresses, which made it useful for password spraying, DDoS attacks and ad fraud.
In a significant international law enforcement operation known as "Operation Moonlander," authorities successfully dismantled two notorious proxy services, Anyproxy and 5Socks, that were operating a vast botnet of hacked internet-connected devices, primarily wireless routers. These services, active since 2004, were accused of providing cybercriminals with access to a network of compromised devices, enabling anonymous and malicious online activities.
The FBI, the Dutch National Police, the U.S. Attorney's Office for the Northern District of Oklahoma and the U.S. Department of Justice collaborated on the operation. Following the seizure, the websites of Anyproxy and 5Socks were replaced with official notices confirming their shutdown. U.S. prosecutors then indicted four individuals, three Russian nationals and one Kazakhstani national, accused of orchestrating the hacking of thousands of vulnerable routers and earning more than $46 million by selling access to the botnet.
The indicted individuals exploited known vulnerabilities in older router models to compromise devices worldwide. By controlling these routers, they created a residential proxy network that hid the true origin of internet traffic: a request relayed through a hacked router leaves the victim's ordinary residential IP address in the target's logs, not the attacker's. Because such addresses carry a clean reputation and are shared with legitimate users, blocklists, geo-fencing and per-IP rate limits are far less effective against them. This facilitated a range of cybercrimes, including password spraying attacks, distributed denial-of-service (DDoS) attacks and ad fraud.
While residential proxy services can be legitimate tools for bypassing geo-restrictions or censorship, the Anyproxy and 5Socks networks were built on compromised devices, effectively operating as a criminal botnet. The operators marketed these services on social media and cybercriminal forums, emphasizing their utility in providing anonymity for illicit activities. The botnet maintained an average of about 1,000 weekly active proxies across more than 80 countries, highlighting its extensive reach.
Cybersecurity researchers from Black Lotus Labs and Spur played key roles in tracking and analyzing the botnet, providing crucial intelligence that supported law enforcement actions. Their findings underscored the botnet's use in various forms of cyber abuse and its growing popularity for financial fraud. This case exemplifies the challenges posed by botnets leveraging residential devices and the importance of international cooperation in combating cybercrime.
Broader Implications for Cybersecurity
This operation highlights the persistent threat posed by botnets that exploit vulnerable IoT devices and routers. Such devices often run outdated firmware or have reached end of support and no longer receive patches at all, so they remain prime targets. The use of residential IP addresses to mask malicious traffic complicates detection and mitigation: a proxied attacker looks like thousands of unrelated home users, so defenders cannot rely on source-IP reputation alone and need detection that correlates behaviour across sources, alongside international cooperation to take the infrastructure down.
Organizations and individuals should secure their network devices: apply firmware updates promptly, replace devices the vendor no longer supports, change default administrator credentials, disable remote (WAN-side) administration unless it is genuinely needed, and monitor network traffic for unusual activity such as a router opening unexpected outbound connections or listening on ports it should not. Law enforcement agencies and cybersecurity firms must continue to work together to identify and dismantle such criminal infrastructures, protecting the integrity of the internet and reducing opportunities for cybercrime.
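The paragraph above says residential proxies defeat source-IP-based detection; the following added example (written for this article, not code from the investigation, the researchers or the proxy services) shows what that means for one of the crimes the article names, password spraying. It runs two detectors over a constructed authentication log in a hypothetical `timestamp user source_ip result` format: a classic per-IP lockout rule, which never fires because each proxied address is used only once, and a sliding-window rule that instead counts distinct users and distinct source addresses failing together, which does catch the spray. All log entries, usernames and addresses are made up for the example.

```python
"""Detect low-and-slow password spraying relayed through many source IPs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "timestamp user source_ip result").
# Eight different users each fail once from eight different addresses inside ten
# minutes, as a sprayer would do through a residential proxy pool. One real
# user, dana, mistypes her password twice from her own address and then succeeds.
SAMPLE_LOG = """\
2025-05-09T10:00:05 alice 203.0.113.10 FAIL
2025-05-09T10:01:12 bob 198.51.100.23 FAIL
2025-05-09T10:02:40 dana 192.0.2.77 FAIL
2025-05-09T10:02:58 carol 203.0.113.44 FAIL
2025-05-09T10:03:30 dana 192.0.2.77 FAIL
2025-05-09T10:04:01 dave 198.51.100.9 FAIL
2025-05-09T10:04:15 dana 192.0.2.77 OK
2025-05-09T10:05:22 erin 203.0.113.88 FAIL
2025-05-09T10:06:47 frank 198.51.100.150 FAIL
2025-05-09T10:08:03 grace 203.0.113.201 FAIL
2025-05-09T10:09:39 heidi 198.51.100.66 FAIL
"""


def parse_log(text):
    """Return a list of (timestamp, user, source_ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "OK"))
    return events


def per_ip_lockout_candidates(events, threshold=3):
    """Classic rule: flag a source address once it accumulates `threshold` failures.

    Against a proxy pool every address contributes one or two attempts, so this
    rule stays silent even while dozens of accounts are being tried.
    """
    failures = defaultdict(int)
    for _, _, ip, ok in events:
        if not ok:
            failures[ip] += 1
    return sorted(ip for ip, count in failures.items() if count >= threshold)


def detect_spray(events, window=timedelta(minutes=15), min_users=5, min_ips=5):
    """Sliding-window rule keyed on breadth rather than per-source volume.

    A spray looks like many distinct users failing from many distinct addresses
    within one window, with each address used only a handful of times. Returns
    the window with the most distinct users that meets both thresholds, or None.
    """
    failures = sorted((ts, user, ip) for ts, user, ip, ok in events if not ok)
    best = None
    start = 0
    for end in range(len(failures)):
        # Advance the window start so it spans at most `window` of time.
        while failures[end][0] - failures[start][0] > window:
            start += 1
        chunk = failures[start:end + 1]
        users = {user for _, user, _ in chunk}
        ips = {ip for _, _, ip in chunk}
        if len(users) < min_users or len(ips) < min_ips:
            continue
        per_ip = defaultdict(int)
        for _, _, ip in chunk:
            per_ip[ip] += 1
        candidate = {
            "start": chunk[0][0],
            "end": chunk[-1][0],
            "failures": len(chunk),
            "distinct_users": len(users),
            "distinct_ips": len(ips),
            "max_attempts_per_ip": max(per_ip.values()),
        }
        if best is None or candidate["distinct_users"] > best["distinct_users"]:
            best = candidate
    return best


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP lockouts:", per_ip_lockout_candidates(evts))
    print("spray window:", detect_spray(evts))
```

The thresholds are deliberately low so the sample triggers; in production they should be tuned to the tenant's normal failure volume, and the `max_attempts_per_ip` figure is worth keeping in the alert because a low value is exactly the signature that distinguishes a proxied spray from a single noisy source.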