Full Report
A joint U.S.-Dutch law enforcement operation has taken down a botnet-for-hire made up of thousands of end-of-life routers. The U.S. Department of Justice (DOJ) announcement came two days after an FBI alert warning about the Anyproxy.net and 5socks.net botnets and urging users to replace vulnerable internet routers or disable remote administration. In addition to a domain seizure warrant for Anyproxy.net and 5socks.net, the DOJ also announced the unsealing of an indictment charging four foreign nationals with conspiracy and other alleged computer crimes for operating the botnets.

More Than 7,000 End-of-Life Routers in Botnet

The indictment alleges that the botnet was created by infecting older-model wireless internet routers worldwide. The malware allowed the routers to grant unauthorized access to third parties and made them available for sale as proxy servers on the Anyproxy and 5socks websites. Both website domains were managed by a company headquartered in Virginia and hosted on computer servers worldwide, the DOJ alleges. Court documents revealed that the 5socks.net website advertised more than 7,000 proxies for sale worldwide. Users paid a monthly subscription fee ranging from $9.95 to $110. The DOJ said the website's slogan, “Working since 2004!”, suggests that the service had been available for more than 20 years.

Russian nationals Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov, a Kazakhstani national, were charged with Conspiracy and Damage to Protected Computers for conspiring with others to maintain, operate, and profit from the botnet services. Chertkov and Rubtsov were also charged with False Registration of a Domain Name for allegedly falsely identifying themselves when they registered and used the domains Anyproxy.net and 5socks.net.
The DOJ said the defendants “are believed to have amassed more than $46 million from selling access to the infected routers that were part of the Anyproxy botnet.” Also credited in the operation were the Eastern District of Virginia, the Dutch National Police – Amsterdam Region, the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police. Lumen Technologies’ Black Lotus Labs also assisted in the investigation.

13 Vulnerable Routers Identified

The May 7 FBI alert listed 13 vulnerable routers. Those devices include:

- E1200
- E2500
- E1000
- E4200
- E1500
- E300
- E3200
- WRT320N
- E1550
- WRT610N
- E100
- M10
- WRT310N

The FBI recommended that users “identify if any of the devices vulnerable to compromise are part of their networking infrastructure. If so, these devices should be replaced with newer models that remain in their vendor support plans to prevent further infection. Alternatively, a user can prevent infection by disabling remote administration and rebooting the device.”
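The FBI's first step, identifying whether any of the 13 listed models sit in your own infrastructure, is easy to get wrong with a naive substring search (the list contains both E100 and E1000). The following Python script is an added example, not code from the report or from any of the agencies or vendors it names; it matches inventory descriptions against the 13 models as whole tokens, tolerates a hardware-revision suffix such as "v2", and pairs each hit with the FBI's recommended actions. The inventory records, hostnames and the `remote_admin` field are constructed for the example.

```python
import re
from typing import Dict, Iterable, Optional

# The 13 router models named in the May 7 FBI alert quoted in the report above.
FBI_LISTED_MODELS = [
    "E1200", "E2500", "E1000", "E4200", "E1500", "E300", "E3200",
    "WRT320N", "E1550", "WRT610N", "E100", "M10", "WRT310N",
]

# Whole-token match: the model may not be preceded by a letter or digit and must
# be followed by a hardware-revision suffix ("v2"), a non-alphanumeric character,
# or the end of the string. This keeps "E100" from matching inside "E1000" and
# "E1000" from matching inside a constructed "E10000".
_MODEL_RE = re.compile(
    r"(?<![A-Z0-9])("
    + "|".join(re.escape(m) for m in sorted(FBI_LISTED_MODELS, key=len, reverse=True))
    + r")(?=V\d|[^A-Z0-9]|$)",
    re.IGNORECASE,
)


def matched_model(description: str) -> Optional[str]:
    """Return the FBI-listed model found in an inventory description, or None."""
    m = _MODEL_RE.search(description)
    return m.group(1).upper() if m else None


def triage_inventory(inventory: Iterable[Dict]) -> Dict[str, Dict]:
    """Map each affected host to its matched model and the FBI-recommended actions.

    Replacement is always the remedy; when the asset record shows remote
    administration enabled, the alert's interim step (disable it and reboot)
    is listed first so it can be applied before replacement hardware arrives.
    """
    findings = {}
    for asset in inventory:
        model = matched_model(asset["description"])
        if model is None:
            continue
        actions = ["replace with a model still under vendor support"]
        if asset.get("remote_admin"):
            actions.insert(0, "disable remote administration and reboot")
        findings[asset["host"]] = {"model": model, "actions": actions}
    return findings


# Constructed sample inventory (hostnames, descriptions and flags are made up).
SAMPLE_INVENTORY = [
    {"host": "branch-rtr-01", "description": "Linksys E1200 v2", "remote_admin": True},
    {"host": "branch-rtr-02", "description": "Linksys E1000v2", "remote_admin": False},
    {"host": "lab-rtr-03", "description": "Linksys E100", "remote_admin": True},
    {"host": "branch-rtr-04", "description": "ExampleVendor E10000", "remote_admin": True},
    {"host": "hq-fw-01", "description": "ExampleVendor NGFW 3100", "remote_admin": False},
]

if __name__ == "__main__":
    for host, finding in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {finding['model']} -> {'; '.join(finding['actions'])}")
```

Feed it the model strings your asset database or SNMP sysDescr polling already holds; the point of the token-boundary regex is that a match list built from short model numbers produces false positives on longer ones unless boundaries are enforced.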
Analysis Summary
# Incident Report: Takedown of Anyproxy Botnet Utilizing End-of-Life Routers
## Executive Summary
Law enforcement agencies, assisted by private sector partners like Lumen Technologies' Black Lotus Labs, successfully dismantled the Anyproxy botnet, which leveraged approximately 7,000 compromised, end-of-life (EoL) routers. The operation led to criminal charges against four individuals for conspiring to operate and profit from the service, which generated over \$46 million by selling access to infected devices. The primary impact stemmed from the monetization of compromised infrastructure through a proxy service, highlighting the persistent threat posed by unsupported networking equipment.
## Incident Details
- **Discovery Date:** Not explicitly stated; the FBI issued an alert on May 7, 2025, concerning the related malware (TheMoon) and the vulnerable devices, two days before the takedown was announced.
- **Incident Date:** The operation culminated around May 9, 2025, with the announcement of the takedown and charges. The botnet itself had been operating since at least 2004.
- **Affected Organization:** Not a single organization; the victims were owners of the compromised EoL routers and entities purchasing proxy services from the criminal infrastructure.
- **Sector:** Cybercrime Infrastructure / Threat Actors utilizing compromised IoT/Networking devices.
- **Geography:** The operation involved international coordination (US DOJ, Dutch National Police, Royal Thai Police); the suspects charged are Russian and Kazakhstani nationals.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing, spanning from at least 2004 until May 2025.
- **Vector:** Likely utilized known, unpatched vulnerabilities in **End-of-Life (EoL) routers**. The related alert mentioned TheMoon malware, which targets aging routers.
- **Details:** Attackers installed malware (implied to be related to TheMoon or the specific botnet code enabling proxy services) on consumer and small-office routers that were no longer receiving security updates.
### Lateral Movement
- *Not explicitly detailed for this incident type.* The focus was on leveraging the compromised routers as distributed proxies rather than moving laterally within victim internal networks.
### Data Exfiltration/Impact
- **What was stolen or damaged:** The primary impact was the **compromise of network control** and the **monetization of access**. The infrastructure was sold as a proxy service, "Anyproxy," generating over \$46 million for the operators.
### Detection & Response
- **How it was discovered:** Through joint investigation by US Department of Justice (DOJ), Dutch National Police, and Royal Thai Police, with assistance from Lumen Technologies’ Black Lotus Labs.
- **Response actions taken:** Law enforcement coordinated a global operation to take down the infrastructure. Four individuals were charged with Conspiracy and Damage to Protected Computers. The FBI issued an alert detailing vulnerable devices.
## Attack Methodology
- **Initial Access:** Exploitation of vulnerabilities in EoL networking firmware (e.g., Linksys models listed) potentially via remote administration interfaces or known public-facing exploits.
- **Persistence:** Malware installed on the routers allowed the threat actors to maintain control indefinitely as long as the device remained powered and unpatched.
- **Privilege Escalation:** Assumed to leverage existing device firmware weaknesses to gain root access required for malware installation.
- **Defense Evasion:** Use of EoL devices inherently bypasses security monitoring focused on actively supported networks. The decentralized nature of the botnet also provided evasion.
- **Credential Access:** Not the primary target; the value was the compromised device itself, not typically user credentials *on* the device.
- **Discovery:** Likely automated scanning for vulnerable devices exposing specific services.
- **Lateral Movement:** N/A (Botnet utilization).
- **Collection:** N/A (Proxy service model).
- **Exfiltration:** N/A (Monetization was via service resale, not mass data theft, though the proxies *could* have been used for subsequent exfiltration).
- **Impact:** Financial crime through the sale of access (\$46M+ earned) and creation of a large-scale proxy network.
## Impact Assessment
- **Financial:** Operators amassed **over \$46 million** from selling proxy access.
- **Data Breach:** No specific data breach volume disclosed, but the compromise involved device control across 7,000 units.
- **Operational:** The botnet provided attackers with a large, geographically diverse pool of IP addresses for various malicious activities.
- **Reputational:** Minor direct reputational damage to the router manufacturers listed, but significant damage from the prolonged criminal activity.
## Indicators of Compromise
*Note: IPs and URLs are defanged as per instructions.*
- **Network indicators:** Domains potentially used: `Anyproxy[.]net`, `5socks[.]net` (used for registration).
- **File indicators:** Associated with **TheMoon malware** (mentioned in associated FBI alert).
- **Behavioral indicators:** Devices functioning as part of a large-scale **proxy service network**, with high outbound activity potentially masking attack origins.
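The behavioral indicator above (a router producing unusually broad outbound activity as a rented proxy node) and the FBI's concern about exposed remote administration can both be checked from flow records. The following Python script is an added example, not code from the report, the FBI alert or Black Lotus Labs; it profiles each watched router's outbound fan-out (distinct external destinations, ports and bytes) and records any external address that reached a management port. The flow records, the 10.0.0.0/8 and 192.168.0.0/16 "internal" ranges, the threshold of 25 destinations and the management port set are all assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Address space treated as "inside" for this example (assumption; adjust per site).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def profile_devices(
    flows: Iterable[Dict],
    device_ips: Set[str],
    min_distinct_dsts: int = 25,
    admin_ports: Set[int] = frozenset({80, 443, 8080}),
) -> Dict[str, List[str]]:
    """Flag routers whose flows look like a rented proxy node or an exposed admin UI.

    flows: records with keys src, dst, dport, bytes (one per connection).
    device_ips: addresses of the routers being watched.
    """
    stats = {ip: {"dsts": set(), "ports": set(), "bytes_out": 0, "admin_srcs": set()}
             for ip in device_ips}
    for f in flows:
        src, dst = f["src"], f["dst"]
        if src in stats and not is_internal(dst):
            # Router-initiated connection to the outside: count the fan-out.
            s = stats[src]
            s["dsts"].add(dst)
            s["ports"].add(f["dport"])
            s["bytes_out"] += f["bytes"]
        elif dst in stats and not is_internal(src) and f["dport"] in admin_ports:
            # Outside address reaching the router's management port.
            stats[dst]["admin_srcs"].add(src)

    findings: Dict[str, List[str]] = {}
    for ip, s in stats.items():
        reasons = []
        if len(s["dsts"]) >= min_distinct_dsts:
            reasons.append(
                f"{len(s['dsts'])} distinct external destinations across "
                f"{len(s['ports'])} ports, {s['bytes_out']} bytes out (proxy-like fan-out)"
            )
        if s["admin_srcs"]:
            reasons.append(f"management port reached from {len(s['admin_srcs'])} external address(es)")
        if reasons:
            findings[ip] = reasons
    return findings


def build_sample_flows() -> List[Dict]:
    """Constructed flow records: one busy router and one quiet one (TEST-NET addresses)."""
    flows = []
    ports = [80, 443, 25, 993, 8443, 5222, 6667]
    # Router A relays traffic for many unrelated destinations, as a sold proxy would.
    for i in range(1, 41):
        flows.append({"src": "10.0.1.1", "dst": f"203.0.113.{i}",
                      "dport": ports[i % len(ports)], "bytes": 40_000 + i})
    # Router A's web admin interface is reachable from outside.
    flows.append({"src": "198.51.100.7", "dst": "10.0.1.1", "dport": 8080, "bytes": 1_200})
    # Router B only talks to a DNS resolver, an NTP server and one update host.
    for dst, port in [("203.0.113.201", 53), ("203.0.113.202", 123), ("203.0.113.203", 443)]:
        flows.append({"src": "10.0.2.1", "dst": dst, "dport": port, "bytes": 600})
    return flows


if __name__ == "__main__":
    for ip, reasons in profile_devices(build_sample_flows(), {"10.0.1.1", "10.0.2.1"}).items():
        print(ip)
        for r in reasons:
            print("  -", r)
```

A consumer or branch router NATs an entire LAN, so raw fan-out alone is a weak signal; baseline the threshold per site and weight connections to ports the site's own clients never use. The inbound hit on a management port is the stronger finding, because it means the remote-administration exposure the FBI alert warns about is present regardless of whether the device is already infected.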
## Response Actions
- **Containment measures:** Law enforcement action to seize control of the command and control infrastructure and disrupt the services provided by the botnet.
- **Eradication steps:** Prosecution of the four named individuals charged by the DOJ.
- **Recovery actions:** The FBI issued recommendations for users of 13 specific vulnerable router models to **replace them** or **disable remote administration and reboot**.
## Lessons Learned
- **EoL Equipment Danger:** End-of-life networking equipment represents a significant, long-term attack surface that, even when owned by private consumers, can be weaponized into massive criminal infrastructure.
- **Criminal Longevity:** The service had allegedly been running since 2004, demonstrating the potential operational lifespan of successfully monetized botnets.
- **International Coordination Value:** The success hinged on collaboration between law enforcement agencies across multiple jurisdictions (US, Netherlands, Thailand).
## Recommendations
- **Mandatory Replacement/Patching:** Organizations and consumers must prioritize replacing any networking hardware that is no longer supported by vendor security updates.
- **Security Configuration:** Users should review router settings to **disable remote administration** features, especially when exposed to the internet.
- **Proactive Alerts:** Continue proactive issuance of alerts (like the FBI CSA) detailing specific vulnerable hardware models to enable rapid user mitigation.