Listen to this Post

An international cybercrime crackdown has dealt a significant blow to one of the longest-running proxy-based botnets on the internet. Dubbed “Operation Moonlander,” this coordinated effort dismantled the Anyproxy and 5socks networks—both of which thrived for two decades by exploiting outdated and unsecured internet routers. U.S. and international law enforcement agencies worked together to take down the infrastructure and indict four individuals who allegedly operated the illegal networks.
These services were more than just proxy sellers—they were enablers of global cybercrime, powering everything from fraud to full-scale cyberattacks. The scale of their operation, the stealth of their methods, and the longevity of their infrastructure make this one of the most notable takedowns in recent years.
The Full Story: Inside the Collapse of Anyproxy and 5Socks
Authorities from the U.S., Netherlands, and Thailand, in collaboration with cybersecurity firm Lumen Technologies’ Black Lotus Labs, took part in “Operation Moonlander” to bring down a botnet operation that had been active since at least 2004.
Four individuals—three Russian nationals and one Kazakhstani—have been charged with conspiring to operate and profit from illegal proxy services Anyproxy and 5socks. U.S. federal indictments accuse them of creating a botnet by infecting outdated Wi-Fi routers with malware, enabling unauthorized access and turning them into unwitting proxy servers.
The malware reconfigured routers to communicate with command-and-control (C2) servers hosted in Turkey. These infected devices, typically older SOHO (Small Office/Home Office) routers, were marketed to customers on websites Anyproxy.net and 5socks.net. These proxies could be rented without any authentication, offering anonymity to clients who may have engaged in activities such as ad fraud, DDoS attacks, brute-force login attempts, and the harvesting of personal data.
Each proxy IP sold for \$9.95 to \$110 per month, with more than 7,000 IPs in circulation globally. The total earnings are estimated at \$46 million. Chertkov and Rubtsov were also charged with using false identities to register the domains for the proxy services.
The FBI discovered traces of the malware on residential and commercial routers in Oklahoma, confirming that the infected devices communicated with C2 servers every 60 seconds to five minutes—keeping the access persistent and readily available to paying customers.
Research by Black Lotus Labs uncovered weekly activity from approximately 1,000 unique bots communicating with five Turkish-based C2 servers. These bots primarily originated in the United States, followed by Canada and Ecuador. Devices were typically end-of-life routers with outdated firmware and no ongoing support, making them easy prey for malware deployment.
A FLASH alert from the FBI warned the public and organizations about the ongoing risk posed by such botnets, particularly emphasizing the importance of retiring EOL (end-of-life) routers, disabling remote administrative functions, and performing regular device reboots. Notably, the alert also indicated that Chinese state-backed hackers have exploited similar vulnerabilities in outdated devices to gain footholds in U.S. critical infrastructure.
The botnet was remarkably evasive—only about 10% of infected devices were flagged by conventional tools like VirusTotal. The proxy service was structured to evade deny-lists and security scans, allowing it to thrive undetected in many networks.
What Undercode Say:
The takedown of Anyproxy and 5socks illustrates a critical point in the evolution of botnets: persistence through stealth and exploitation of forgotten hardware. These proxy services weren’t just side gigs for cybercriminals—they were commercialized platforms monetizing compromised infrastructure at scale.
This operation is a lesson in how much of the modern internet infrastructure, especially in residential and small-office environments, relies on legacy hardware. The problem is systemic: users keep routers for years without firmware updates, and ISPs rarely enforce security upgrades. This creates a vast and silent attack surface.
The monetary incentive is strong. At its peak, the Anyproxy network had thousands of compromised routers quietly working in the background, generating millions in profit through monthly subscription models. What made it particularly dangerous was its user-friendly design: no authentication, accessible through a simple web panel, and widely marketed in cybercrime forums. It commoditized botnet access like a legitimate SaaS product.
Moreover, the use of cryptocurrency payments and false domain registrations shows how cybercriminals mix old-school fraud with modern financial tools to ensure operational longevity. Despite being a legacy network, it adapted well to newer evasion techniques, such as avoiding detection by keeping below the radar of most antivirus tools.
Another key concern is geopolitical. The involvement of Russian and Kazakhstani nationals and the exploitation of routers from countries like the U.S., Ecuador, and Canada shows the truly global nature of this operation. Meanwhile, Chinese hackers using similar methods signal that the vulnerability of EOL devices is not just a cybercrime problem—it’s also a national security issue.
Finally, the lack of authentication in proxy services makes them appealing to a wide range of malicious actors, from petty scammers to nation-state adversaries. These platforms lower the barrier to entry for cybercrime, turning compromised household devices into valuable commodities on the darknet.
This botnet takedown is only the beginning. There are other active operations that mimic or surpass the sophistication of Anyproxy. Unless there is a cultural and infrastructural shift in how we secure IoT and SOHO devices, similar threats will continue to emerge.
Fact Checker Results:
✔️ Confirmed by the U.S. Department of Justice press release (Operation Moonlander).
✔️ Technical findings verified by Lumen Technologies’ Black Lotus Labs.
✔️ FBI FLASH alert confirms threat to end-of-life routers and national infrastructure.
Prediction:
We expect an increase in the number of criminal groups leveraging end-of-life devices due to their low visibility and high availability. As older routers continue to be deployed in homes and small businesses, botnet operators will evolve their techniques but stick to this successful model. Proxy-based malware networks will increasingly blend with more advanced persistent threats (APTs), and detection will become harder without aggressive IoT device patching policies or hardware recalls. Expect further FBI operations targeting similar infrastructures and the emergence of new, “faceless” proxy services on the darknet.
References:
Reported By: securityaffairs.com
Extra Source Hub:
https://www.reddit.com/r/AskReddit
Wikipedia
Undercode AI
Image Source:
Unsplash
Undercode AI DI v2




