FBI and Dutch Police Take Down Router Botnet

May 9, 2025
International Law Enforcement Disrupts Major Botnet Operation

A collaborative effort between international law enforcement agencies has resulted in the shutdown of two services implicated in the operation of a botnet. This network comprised internet-connected devices, notably routers, that had been compromised and exploited by cybercriminals.

Seizure of Anyproxy and 5Socks

The websites for Anyproxy and 5Socks were taken offline on Wednesday, displaying seizure notices from the FBI. This action was part of “Operation Moonlander,” a coordinated law enforcement initiative.

The operation involved the FBI, Dutch National Police (Politie), the U.S. Attorney’s Office for the Northern District of Oklahoma, and the U.S. Department of Justice.

Indictments Announced

On Friday, U.S. prosecutors revealed the dismantling of the botnet and announced indictments against four individuals: Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin, all Russian nationals, and Dmitriy Rubtsov, a citizen of Kazakhstan.

The four are accused of illicitly profiting from the operation of Anyproxy and 5Socks. Prosecutors allege that these services were presented as legitimate proxy providers, but were, in reality, constructed upon a foundation of hacked routers.

Targeting Vulnerable Devices

The indictment details how Chertkov, Morozov, Rubtsov, and Shishkin targeted older wireless router models. These devices contained known security vulnerabilities, allowing the individuals to compromise “thousands” of them.

Access to this botnet was then sold through Anyproxy and 5Socks, services that had been operational since 2004, according to available records.

Residential Proxies and Illicit Activity

While residential proxy networks are not inherently illegal, they can be misused. They are often utilized to access geographically restricted content or circumvent censorship measures.

However, Anyproxy and 5Socks are accused of building their proxy network – including residential IP addresses – by infecting vulnerable devices. This effectively transformed them into a botnet utilized by malicious actors, as stated by the Department of Justice.

The indictment explains that traffic from botnet subscribers appeared to originate from the compromised devices’ IP addresses, masking the subscribers’ actual locations and identities.

Furthermore, the individuals allegedly promoted the Anyproxy botnet as a residential proxy service on social media and cybercriminal forums, capitalizing on the perception that residential IP addresses are more trustworthy than commercial ones.

Significant Financial Gains

The Department of Justice estimates that the four individuals generated over $46 million through the sale of access to the botnet.

Law Enforcement Response

The FBI declined to provide further comment when contacted by TechCrunch. Requests for comment from the DOJ and Dutch National Police went unanswered.

Research and Support

Ryan English, a researcher at Black Lotus Labs, indicated prior to the domain seizures that the two services were linked to various forms of abuse, including password spraying, distributed denial-of-service (DDoS) attacks, and ad fraud.

Black Lotus Labs, a research team within Lumen, assisted authorities in tracking the proxy networks. Their report highlighted that the botnet was “designed to offer anonymity for malicious actors online.”

English confirmed that Anyproxy and 5Socks likely represent the same proxy pool operated by the same individuals, primarily utilizing end-of-life routers.

Botnet Scale and Impact

Lumen’s global network visibility revealed that the botnet maintained an average of approximately 1,000 weekly active proxies across more than 80 countries.

Spur, a company specializing in tracking proxy services, also contributed to the operation. Co-founder Riley Kilmer noted that while 5Socks is a relatively smaller criminal network, it had been gaining traction in the realm of financial fraud.

This report has been updated to reflect the FBI’s statement.
