Full Report
The long-running botnet operation used malware that infected older wireless internet routers over a 20-year period, according to federal prosecutors. The post US seizes Anyproxy, 5socks botnets and indicts alleged administrators appeared first on CyberScoop.
Analysis Summary
# Incident Report: Dismantling of Anyproxy and 5socks Botnets
## Executive Summary
Federal authorities dismantled the long-running Anyproxy and 5socks botnet operation, which primarily infected older wireless internet routers over a 20-year period, leading to the indictment of four foreign nationals alleged to be administrators. While this was a law enforcement action rather than a direct breach response, the operation resulted in the seizure of the service domains and the disabling of the overseas C2 infrastructure, halting the sale of unauthorized proxy access accumulated from compromised consumer devices.
## Incident Details
- **Discovery Date:** Ongoing investigations leading up to the May 2025 action. Researchers (Lumen Black Lotus Labs) discovered thousands of infected devices over the past year.
- **Incident Date:** Operation spanned over 20 years, with the coordinated seizure and indictments occurring around May 2025.
- **Affected Organization:** Global victims, including many users in the United States whose home/business routers were compromised. (Specific organizational victims are not detailed as this involved mass consumer/enterprise router infection).
- **Sector:** Technology/Cybercrime Infrastructure.
- **Geography:** Operations managed globally, indictment filed in the U.S. District Court for the Northern District of Oklahoma; domain seizure warrant in the U.S. District Court for the Eastern District of Virginia. C2 infrastructure tracked in Turkey.
## Timeline of Events
### Initial Access (Infection Phase)
- **Date/Time:** Began over a 20-year period, with ongoing infection activity.
- **Vector:** Malware infection targeting older wireless internet routers (IoT and end-of-life devices).
- **Details:** Malware was installed on these routers without user knowledge, allowing them to be reconfigured.
### Lateral Movement
(Not directly applicable in the context of the botnet *operation*, but the compromised devices served as proxies for further third-party attacks.)
### Data Exfiltration/Impact (Service Operation)
- **What was stolen or damaged:** Unauthorized access was granted to third parties by reconfiguring victim routers. Administrators profited by selling this access as proxy servers on Anyproxy.net and 5socks.net.
- **Financial Impact noted:** Defendants allegedly amassed over $46 million from selling access to the Anyproxy botnet alone.
### Detection & Response (Law Enforcement Action)
- **How it was discovered:** Joint efforts between the DOJ, FBI (including the Oklahoma City Cyber Task Force), and Lumen Technologies’ Black Lotus Labs tracked the command-and-control infrastructure (located in Turkey).
- **Response actions taken:** Federal authorities seized the domains Anyproxy.net and 5socks.net ("Operation Moonlander"). Overseas operations were seized and disabled in the Netherlands and Thailand. Four alleged administrators were indicted for conspiracy and damage to protected computers.
## Attack Methodology
- **Initial Access:** Malware infection of vulnerable, older wireless internet routers.
- **Persistence:** Malware remained on the infected routers, allowing reconfiguration.
- **Privilege Escalation:** (Not explicitly detailed, but the malware achieved sufficient access to hijack the device's network functionality.)
- **Defense Evasion:** Router-resident malware sits outside the coverage of standard host-based endpoint detection, which helps explain how the infections went unnoticed for many years. C2 activity was tracked to servers in Turkey.
- **Credential Access:** Not the primary focus; the attack focused on exploiting device functionality.
- **Discovery:** Attackers reconfigured devices to act as proxies.
- **Lateral Movement:** N/A (Primary impact was enabling third parties to use the compromised routers as proxies).
- **Collection:** N/A (The malware’s purpose was reconfiguration for sale, not data theft from the source device).
- **Exfiltration:** N/A (The service sold *outgoing* access from the compromised device).
- **Impact:** Providing illicit proxy services to third parties, financial gain for operators, and compromise of end-user device security.
## Impact Assessment
- **Financial:** Defendants allegedly amassed over $46 million from the Anyproxy service.
- **Data Breach:** Specific data breach details are not the focus; the impact was the compromise and weaponization of network infrastructure (routers).
- **Operational:** Disruption of a major long-running proxy service used for cybercrime.
- **Reputational:** While many users' routers were compromised, the primary public notoriety is associated with the international law enforcement action.
## Indicators of Compromise
*(Note: IoCs are highly dynamic and tied to the C2 infrastructure seized during the operation; the source summary publishes no specific indicators, so only general indicators are listed here.)*
- **Network indicators:** C2 infrastructure previously reported in Turkey (specific IPs/domains are assumed to be taken down or publicly known prior to seizure).
- **File indicators:** Specific malware hashes are not provided in the summary.
- **Behavioral indicators:** Compromised routers communicating with known Anyproxy/5socks C2 infrastructure; routers observed redirecting traffic through proxy sales channels.
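As an added illustration of the behavioural indicators above (this is example code written for this report, not code from CyberScoop, the prosecutors, or the botnet operators), the following Python sketch applies two defender-side checks to constructed DNS and flow log lines: a lookup of a C2 hostname denylist, and a relay heuristic that flags a monitored router accepting inbound connections on an unexpected WAN port from several distinct external clients and opening an outbound connection to a different destination shortly after each one, which is the traffic shape a residential proxy produces. Every hostname, address, port and threshold in it is a placeholder or assumption; none is an indicator from the report.

```python
"""Detect residential-proxy behaviour in constructed router DNS and flow logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical denylist of C2 hostnames (placeholders, not real indicators).
C2_DENYLIST = {"c2-placeholder.invalid", "proxy-panel-placeholder.invalid"}
# WAN addresses of the routers we monitor (constructed, RFC 5737 TEST-NET-3).
MONITORED_ROUTERS = {"203.0.113.10", "203.0.113.20"}
# WAN ports a router in this network is expected to accept (assumption).
EXPECTED_WAN_PORTS = {443}

# Constructed DNS log, one "timestamp client qname" record per line.
DNS_LOG = """\
2025-05-01T10:00:01 203.0.113.10 time.nist.gov
2025-05-01T10:00:05 203.0.113.10 c2-placeholder.invalid
2025-05-01T10:02:00 203.0.113.20 example.com
"""

# Constructed flow log, one "timestamp src:sport -> dst:dport" record per line.
FLOW_LOG = """\
2025-05-01T10:01:00 198.51.100.5:51000 -> 203.0.113.10:1080
2025-05-01T10:01:01 203.0.113.10:40000 -> 192.0.2.10:443
2025-05-01T10:01:10 198.51.100.77:51002 -> 203.0.113.10:1080
2025-05-01T10:01:11 203.0.113.10:40001 -> 192.0.2.44:443
2025-05-01T10:01:20 198.51.100.123:51009 -> 203.0.113.10:1080
2025-05-01T10:01:21 203.0.113.10:40002 -> 192.0.2.99:80
2025-05-01T10:05:00 198.51.100.9:52000 -> 203.0.113.20:443
"""


def parse_flows(text):
    """Parse flow lines into (timestamp, src_ip, src_port, dst_ip, dst_port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append((datetime.fromisoformat(ts), sip, int(sport), dip, int(dport)))
    return flows


def c2_lookups(dns_text, denylist=C2_DENYLIST):
    """Map each client to the denylisted hostnames it resolved."""
    hits = defaultdict(list)
    for line in dns_text.splitlines():
        if not line.strip():
            continue
        _, client, qname = line.split()
        if qname.lower().rstrip(".") in denylist:
            hits[client].append(qname)
    return dict(hits)


def relay_candidates(flows, min_clients=3, window=timedelta(seconds=5)):
    """Flag monitored routers whose traffic matches the proxy-relay shape.

    A router is flagged when, on a WAN port it is not expected to serve, it
    accepts connections from at least min_clients distinct external clients
    and, within `window` of each inbound connection, opens an outbound
    connection to a destination other than that client.
    """
    inbound = defaultdict(list)   # (router, port) -> [(ts, client_ip)]
    outbound = defaultdict(list)  # router -> [(ts, dst_ip)]
    for ts, sip, _, dip, dport in flows:
        if dip in MONITORED_ROUTERS and dport not in EXPECTED_WAN_PORTS:
            inbound[(dip, dport)].append((ts, sip))
        elif sip in MONITORED_ROUTERS:
            outbound[sip].append((ts, dip))

    findings = {}
    for (router, port), conns in inbound.items():
        clients = {client for _, client in conns}
        relayed = sum(
            1 for ts, client in conns
            if any(ts <= ots <= ts + window and dst != client
                   for ots, dst in outbound[router])
        )
        if len(clients) >= min_clients and relayed >= min_clients:
            findings[router] = {"port": port, "clients": len(clients), "relayed": relayed}
    return findings


def assess(dns_text, flow_text):
    """Combine both checks into a per-router findings report."""
    report = defaultdict(dict)
    for router, names in c2_lookups(dns_text).items():
        if router in MONITORED_ROUTERS:
            report[router]["c2_lookups"] = names
    for router, detail in relay_candidates(parse_flows(flow_text)).items():
        report[router]["relay"] = detail
    return dict(report)


if __name__ == "__main__":
    for router, findings in assess(DNS_LOG, FLOW_LOG).items():
        print(router, findings)
```

On the constructed logs only 203.0.113.10 is reported: it resolved a denylisted name and relayed three inbound SOCKS-port connections to three different destinations, while 203.0.113.20 only served expected HTTPS traffic. In practice the relay heuristic is the more durable of the two, since C2 hostnames change while the inbound-then-outbound traffic shape is inherent to selling proxy access.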
## Response Actions
- **Containment measures:** Seizure of associated domains (anyproxy.net, 5socks.net) globally. Disabling of overseas C2 operations (Netherlands, Thailand).
- **Eradication steps:** Coordination between multiple international law enforcement agencies to dismantle the infrastructure.
- **Recovery actions:** Victims (router owners) would need to identify and clean malware from their specific devices, though this remediation step is implied rather than explicitly stated in the enforcement summary.
## Lessons Learned
- **Key takeaways:** Long-standing botnet operations targeting legacy/end-of-life IoT devices (like older routers) remain a significant, enduring threat vector. Criminal enterprises can sustain complex global operations over decades ($110/month subscriptions over 20 years).
- **What could have been done better:** Proactive security across the lifecycle of consumer networking hardware, especially end-of-life routers, is critical to prevent initial infection.
## Recommendations
- **Prevention measures for similar incidents:** Implement mandatory security updates and patch management for all network edge devices (routers, modems). Consumers should replace end-of-life networking equipment promptly. Continue international law enforcement collaboration against C2 infrastructure, as demonstrated in Turkey, the Netherlands, and Thailand.