Law enforcement authorities recently dismantled a botnet that had been infecting routers for over 20 years. This botnet created two illegal networks known as Anyproxy and 5socks, which sold residential proxies. The U.S. Justice Department indicted three Russian nationals and a Kazakhstani for their roles in operating these services. They were charged with conspiracy and damaging protected computers as part of the botnet operation.
The botnet targeted older wireless routers, including models from Linksys and Cisco, and used malware to gain unauthorized access
. This access allowed the controllers to sell the compromised routers as proxy servers, which were advertised on Anyproxy.net and 5socks.net. The services were marketed as residential proxies, which are more difficult to detect as malicious. The botnet’s users paid between $9.95 and $110 per month for access to these proxies.
The operation, called “Moonlander,” was a joint effort between U.S. authorities, the Dutch National Police, the Netherlands Public Prosecution Service, and other global agencies. The botnet had been active since at least 2004 and had sold over 7,000 proxies during its lifetime. It allowed cybercriminals to evade detection while conducting illicit activities such as ad fraud, brute-force attacks, and cryptocurrency theft.
The FBI issued a public advisory warning about the botnet’s impact on end-of-life routers.
These devices, often with remote administration turned on, were vulnerable to the TheMoon malware. This malware enabled the installation of proxies that allowed cybercriminals to operate anonymously, further enabling cybercrimes. The FBI cautioned that residential proxies are harder for security systems to detect, making them highly sought after by hackers.
Reference: