
IoT Botnet Busted: ₹400 crore Proxy Network Dismantled in Global Operation

A joint law enforcement operation by the U.S. Department of Justice (DoJ) and Dutch authorities has taken down a criminal proxy botnet that gave cybercriminals cover through a sprawling network of compromised Internet of Things (IoT) and end-of-life (EoL) devices. Codenamed Operation Moonlander, the takedown led to the seizure of domains associated with 5socks.net and anyproxy.net, which sold access to hijacked residential and business routers as anonymity services, without the knowledge of the device owners.

Four Charged as $46 Million (approx. ₹384.1 crore) Cybercrime Business Crumbles

The U.S. has charged four individuals for operating and profiting from the illegal proxy services:

• Alexey Viktorovich Chertkov, 37 (Russian)
• Kirill Vladimirovich Morozov, 41 (Russian)
• Aleksandr Aleksandrovich Shishkin, 36 (Russian)
• Dmitriy Rubtsov, 38 (Kazakhstani)

According to the DoJ, the accused ran the service for nearly two decades, since at least 2004, offering monthly subscription plans priced between $9.95 and $110 and ultimately raking in over $46 million (approx. ₹384.1 crore) in illicit profits.

TheMoon Malware: Hijacking IoT and EoL Devices Worldwide

Investigations led by Lumen Technologies’ Black Lotus Labs found that the platforms were driven by malware known as TheMoon, first detected in 2014 in attacks on Linksys routers. The malware exploits vulnerabilities in unpatched or unsupported (EoL) devices to quietly enrol them into a proxy botnet. Lumen’s telemetry showed:

• 1,000 unique bots connecting weekly to the command-and-control (C2) infrastructure
• Over 50% of infected devices located in the United States, followed by Canada and Ecuador
• Infection of routers through known vulnerabilities and open ports, with no password required

Once compromised, these devices were repurposed to offer anonymous internet access to paying customers, masking the origins of activities such as ad fraud, brute-force attacks, data theft, and DDoS operations.

Hidden Infrastructure and Exploitation of Residential IPs

The seized domains, 5socks.net and anyproxy.net, marketed themselves as legitimate proxy services, advertising over 7,000 active proxies daily across IPs from many countries. Neither service required users to authenticate, which made them highly attractive for abuse.

Lumen further confirmed:

• A Turkey-based C2 network of five servers: four using port 80, and one using UDP on port 1443 for data collection
• Infrastructure shared between 5socks.net and anyproxy.net, but distinct from the Faceless proxy platform, which is also linked to TheMoon

The FBI also found infected routers in the U.S. state of Oklahoma, actively compromised and communicating with the C2 servers.
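As an added illustration, not code from the article, Lumen or the FBI, the following Python script applies two indicators drawn from the infrastructure described above to constructed flow records: repeated UDP traffic to port 1443 from a LAN device (the article’s C2 data-collection channel) and an unusually high number of distinct outbound destinations from a single router, which is what relaying proxy customers’ sessions looks like. The flow format, the addresses, the fan-out threshold and the choice to treat UDP/1443 as suspicious are all assumptions of this example.

```python
"""Flag LAN devices whose flow records resemble TheMoon-style proxy abuse.

Added example; not from the article, Lumen or the FBI. Sample data is
constructed and uses RFC 5737 documentation address ranges.
"""
from collections import defaultdict
from dataclasses import dataclass

# The article reports TheMoon's C2 as five Turkey-based servers, four on
# port 80 and one collecting data over UDP on port 1443. Treating UDP/1443
# from a router as an indicator is this example's assumption.
C2_UDP_PORT = 1443


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flows(text):
    """Parse 'src dst proto dport' lines (assumed format); skip blanks and '#' comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def analyze(flows, fanout_threshold=20):
    """Return {src: [reasons]} for sources matching at least one indicator.

    udp_1443_beacon: two or more UDP flows to port 1443 from one source.
    high_fanout:     distinct destination hosts >= fanout_threshold, consistent
                     with a router relaying other people's sessions. The
                     threshold is an assumption; set it from your own baseline.
    """
    udp1443 = defaultdict(int)
    dests = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.dport == C2_UDP_PORT:
            udp1443[f.src] += 1
        dests[f.src].add(f.dst)

    findings = {}
    for src, hosts in dests.items():
        reasons = []
        if udp1443[src] >= 2:
            reasons.append("udp_1443_beacon")
        if len(hosts) >= fanout_threshold:
            reasons.append("high_fanout")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample: a router beaconing to a C2 host and relaying many
# outbound sessions, next to a laptop with ordinary browsing traffic.
ROUTER = "192.168.1.1"
LAPTOP = "192.168.1.20"
_lines = [
    "# constructed flow records: src dst proto dport",
    f"{ROUTER} 203.0.113.10 udp 1443",
    f"{ROUTER} 203.0.113.10 udp 1443",
    f"{ROUTER} 198.51.100.5 tcp 80",
]
# 24 distinct destinations over TLS, the fan-out of a relaying proxy node
_lines += [f"{ROUTER} 203.0.113.{n} tcp 443" for n in range(20, 44)]
# 5 destinations from the laptop: normal use, should not be flagged
_lines += [f"{LAPTOP} 198.51.100.{n} tcp 443" for n in range(1, 6)]
SAMPLE_FLOWS = "\n".join(_lines)


if __name__ == "__main__":
    for src, reasons in analyze(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {', '.join(reasons)}")
```

Run against real router or firewall flow exports, the fan-out rule needs a per-device baseline: a home router that suddenly originates connections to dozens of unrelated hosts is the signal, not the absolute count, and the UDP/1443 rule is only as good as the C2 port staying stable.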

Law Enforcement Issues Public Warning on IoT Security

The FBI, in a public advisory, warned that cybercriminals are targeting outdated or poorly secured devices to build such anonymous proxy networks. They urged users to:

• Reboot routers regularly
• Apply firmware/security updates
• Change default passwords
• Replace EoL devices with supported hardware

Lumen added that residential IP abuse complicates attribution, and proxy services will remain a serious threat as long as vulnerable devices remain in circulation. “Proxy services have and will continue to present a direct threat to internet security as they allow malicious actors to hide behind unsuspecting residential IPs,” Lumen said.

The Bigger Picture: Proxy Abuse and Digital Privacy in Conflict

While platforms like 5socks promoted privacy and anonymity, Operation Moonlander has highlighted how malware-based anonymity networks can be weaponised. Authorities emphasised that the crackdown is not an attack on privacy, but a move to halt systematic abuse of compromised devices.

As the number of IoT devices surges globally, and many remain unpatched or unsupported, law enforcement officials caution that botnets of this nature may continue to grow unless proactive security measures are adopted.