{"id":89038,"date":"2025-05-10T03:23:10","date_gmt":"2025-05-10T03:23:10","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/89038\/"},"modified":"2025-05-10T03:23:10","modified_gmt":"2025-05-10T03:23:10","slug":"fbi-and-dutch-police-seize-and-shut-down-botnet-of-hacked-routers","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/89038\/","title":{"rendered":"FBI and Dutch police seize and shut down botnet of hacked routers"},"content":{"rendered":"<p id=\"speakable-summary\" class=\"wp-block-paragraph\">A joint international law enforcement action shut down two services accused of providing a <a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#botnet\" target=\"_blank\" rel=\"noopener\">botnet<\/a> of hacked internet-connected devices, including routers, to cybercriminals. U.S. prosecutors also indicted four people accused of hacking into the devices and running the botnet.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">On Wednesday, the websites of Anyproxy and 5Socks were replaced with notices stating they had been seized by the FBI as part of a law enforcement operation called \u201cOperation Moonlander.\u201d The notice said the law enforcement action was carried out by the FBI, the Dutch National Police (Politie), the U.S. Attorney\u2019s Office for the Northern District of Oklahoma, and the U.S. Department of Justice.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Then on Friday, U.S. prosecutors <a href=\"https:\/\/www.justice.gov\/usao-ndok\/pr\/botnet-dismantled-international-operation-russian-and-kazakhstani-administrators\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">announced<\/a> the dismantling of the botnet and the indictment of three Russians: Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin; and Dmitriy Rubtsov, a Kazakhstan national. 
The four are accused of profiting from running Anyproxy and 5Socks under the pretense of offering legitimate proxy services that prosecutors say were in fact built on hacked routers.<\/p>\n<p class=\"wp-block-paragraph\">Chertkov, Morozov, Rubtsov, and Shishkin, who all reside outside of the United States, targeted older models of wireless internet routers that had known vulnerabilities, compromising \u201cthousands\u201d of such devices, according <a href=\"https:\/\/www.documentcloud.org\/documents\/25935049-anysocks-5socks-complaint\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">to the now-unsealed indictment<\/a>.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Once in control of those routers, the four individuals then sold access to the botnet on Anyproxy and 5Socks, services that have been active since 2004, according to <a href=\"https:\/\/web.archive.org\/web\/20250507115506\/https:\/\/5socks.net\/en\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">their<\/a> <a href=\"https:\/\/web.archive.org\/web\/20241210185516\/https:\/\/anyproxy.net\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">websites<\/a> and the charging authorities.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Residential proxy networks are not illegal on their own; these offerings are often used to provide customers with IP addresses for <a href=\"https:\/\/techcrunch.com\/2024\/11\/15\/think-you-need-a-vpn-guide-start-here\/\" target=\"_blank\" rel=\"noopener\">accessing geoblocked content or bypassing government censorship<\/a>. 
Anyproxy and 5Socks, however, allegedly built their network of proxies \u2014 some of them made of residential IP addresses \u2014 by infecting thousands of vulnerable internet-connected devices and effectively turning them into a botnet used by cybercriminals, according to the Department of Justice.<\/p>\n<p class=\"wp-block-paragraph\">\u201cIn this way, the botnet subscribers\u2019 internet traffic appeared to come from the IP addresses assigned to the compromised devices rather than the IP addresses assigned to the devices that the subscribers were actually using to conduct their online activity,\u201d read the indictment.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201cConspirators acting through 5Socks publicly marketed the Anyproxy botnet as a residential proxy service on social media and online discussion forums, including cybercriminal forums,\u201d the indictment added. \u201cSuch residential proxy services are particularly useful to criminal hackers to provide anonymity when committing cybercrimes; residential\u2010as opposed to commercial\u2010IP addresses are generally assumed by internet security services as much more likely to be legitimate traffic.\u201d<\/p>\n<p class=\"wp-block-paragraph\">According to the DOJ\u2019s press release, the four are believed to have made more than $46 million from selling access to the botnet.<\/p>\n<p class=\"wp-block-paragraph\">An FBI spokesperson had no comment when reached by TechCrunch. 
The DOJ and the Dutch National Police did not respond to requests for comment.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Ryan English, a researcher at Black Lotus Labs, told TechCrunch ahead of the domain seizures that the two services were used for several types of abuse, including password spraying, launching distributed denial-of-service (<a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#distributed-denial-of-service-ddos\" target=\"_blank\" rel=\"noopener\">DDoS<\/a>) attacks, and ad fraud.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">On Friday, Black Lotus Labs, a team of researchers housed within cybersecurity firm Lumen, <a href=\"https:\/\/blog.lumen.com\/black-lotus-labs-helps-demolish-major-criminal-proxy-network\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">published a report<\/a> saying they helped the authorities track the proxy networks. As Black Lotus explained in its report, the botnet was \u201cdesigned to offer anonymity for malicious actors online.\u201d<\/p>\n<p class=\"wp-block-paragraph\">English told TechCrunch that he and his colleagues are confident that Anyproxy and 5Socks are \u201cthe same pool of proxies run by the same operators, just under a different name,\u201d and that \u201cthe bulk of the botnet were routers, all kinds of end-of-life make and models.\u201d<\/p>\n<p class=\"wp-block-paragraph\">According to the report and based on Lumen\u2019s global network visibility, the botnet had \u201can average of about 1,000 weekly active proxies in over 80 countries.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Spur, a company that tracks proxy services on the internet, also worked on the operation. 
Spur\u2019s co-founder Riley Kilmer told TechCrunch that while 5Socks is one of the smaller criminal networks the company tracks, the network had \u201cgained in popularity for financial fraud.\u201d<\/p>\n<p class=\"wp-block-paragraph\">This story has been updated to include the FBI\u2019s no comment.<\/p>\n","protected":false},"excerpt":{"rendered":"A joint international law enforcement action shut down two services accused of providing a botnet of hacked internet-connected&hellip;\n","protected":false},"author":2,"featured_media":89039,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[42340,51,13509,3457,14925,8724,11579,15986,13510,16,15],"class_list":{"0":"post-89038","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"tag-botnet","9":"tag-business","10":"tag-cybercrime","11":"tag-cybersecurity","12":"tag-department-of-justice","13":"tag-fbi","14":"tag-hackers","15":"tag-hacking","16":"tag-malware","17":"tag-uk","18":"tag-united-kingdom"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/114481398192268989","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/89038","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=89038"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/89038\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/89039"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/uk\/
wp-json\/wp\/v2\/media?parent=89038"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=89038"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/tags?post=89038"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}