FBI and Dutch Police Dismantle Massive Botnet of Compromised Routers: A Major Cybersecurity Victory

A recent international law enforcement operation has successfully dismantled two significant services linked to a botnet of compromised internet-connected devices, primarily routers. This extensive crackdown, involving U.S. prosecutors and international partners, has resulted in the indictment of four individuals accused of orchestrating these cybercrimes.

Operation Moonlander: A Pivotal Law Enforcement Action

On Wednesday, the websites of Anyproxy and 5Socks displayed notices indicating their seizure by the FBI, part of a broader operation dubbed “Operation Moonlander.” This operation was a collaborative effort involving the FBI, the Dutch National Police, the U.S. Attorney’s Office for the Northern District of Oklahoma, and the U.S. Department of Justice.

Indictments and Allegations

On Friday, U.S. prosecutors announced the dismantling of the botnet and the indictment of four individuals:

  • Alexey Viktorovich Chertkov
  • Kirill Vladimirovich Morozov
  • Aleksandr Aleksandrovich Shishkin
  • Dmitriy Rubtsov

These individuals are accused of exploiting vulnerable, older-model routers to create a botnet under the guise of providing legitimate proxy services. The indictment revealed that they targeted devices with known security flaws, compromising “thousands” of routers.

The Role of Botnets in Cybercrime

The botnet allowed the conspirators to sell access through Anyproxy and 5Socks, services that have been operating since 2004. Residential proxy networks have legitimate uses, such as reaching geo-restricted content, but these services allegedly built their pool by infecting large numbers of vulnerable internet-connected devices, turning them into a botnet that cybercriminals then rented.

According to the Department of Justice, the indictment states:

“In this way, the botnet subscribers’ internet traffic appeared to come from the IP addresses assigned to the compromised devices rather than the IP addresses assigned to the devices that the subscribers were actually using to conduct their online activity.”

The Financial Impact of the Operation

The DOJ’s press release highlighted that the four accused individuals are believed to have generated over $46 million from their illicit activities.


Expert Insights on the Operation

Ryan English, a researcher at Black Lotus Labs, shared insights with TechCrunch regarding the various abuses linked to these services, including:

  • Password spraying
  • Distributed Denial-of-Service (DDoS) attacks
  • Ad fraud

Black Lotus Labs worked with law enforcement to track the proxy networks, noting that the botnet's purpose was to give malicious actors anonymity online: a subscriber's traffic exits from a compromised home router, so per-IP blocking and rate limits see a stream of unrelated residential addresses rather than one attacker. English said he was confident that Anyproxy and 5Socks were run by the same group under two different names.
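The password-spraying abuse described above is worth looking at from the defender's side, because a spray laundered through a residential proxy pool defeats the usual per-IP lockout rule: each compromised router contributes one or two attempts, so no single address ever crosses a threshold. The following is an added example, not code from the article, from Black Lotus Labs or from law enforcement. It runs a classic per-address rule and an aggregate spray rule over a constructed failed-login log; the log format, the RFC 5737 documentation addresses, the window size and the thresholds are all assumptions chosen for illustration.

```python
"""Detect low-and-slow password spraying pushed through a residential proxy pool.

Added example; not code from the article, from Black Lotus Labs or from
law enforcement. Log format, thresholds and addresses are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample (not real data); addresses come from the RFC 5737
# documentation ranges. The first twelve lines imitate a spray laundered
# through a proxy botnet: every attempt leaves from a different "residential"
# address and targets a different account, so no address trips a per-IP
# lockout rule. The last three lines are one user fumbling their own password
# from one address and must not raise the spray alert.
SAMPLE_LOG = """\
2025-05-07T10:00:01Z FAIL user=alice src=203.0.113.10
2025-05-07T10:00:09Z FAIL user=bob src=198.51.100.22
2025-05-07T10:00:14Z FAIL user=carol src=192.0.2.77
2025-05-07T10:00:31Z FAIL user=dave src=203.0.113.41
2025-05-07T10:01:02Z FAIL user=erin src=198.51.100.5
2025-05-07T10:01:45Z FAIL user=frank src=192.0.2.130
2025-05-07T10:02:10Z FAIL user=grace src=203.0.113.200
2025-05-07T10:02:58Z FAIL user=heidi src=198.51.100.99
2025-05-07T10:03:20Z FAIL user=ivan src=192.0.2.8
2025-05-07T10:04:07Z FAIL user=judy src=203.0.113.66
2025-05-07T10:05:33Z FAIL user=mallory src=198.51.100.150
2025-05-07T10:06:12Z FAIL user=niaj src=192.0.2.250
2025-05-07T11:15:00Z FAIL user=oscar src=203.0.113.3
2025-05-07T11:15:20Z FAIL user=oscar src=203.0.113.3
2025-05-07T11:15:41Z FAIL user=oscar src=203.0.113.3
"""

# Assumed log line shape: "<ISO-8601 UTC> FAIL user=<name> src=<ip>".
LINE_RE = re.compile(r"^(?P<ts>\S+) FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(text):
    """Return (timestamp, user, source_ip) tuples sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"]))
    return sorted(events)


def per_source_offenders(events, limit=5):
    """Classic lockout-style rule: addresses with more than `limit` failures."""
    counts = Counter(src for _, _, src in events)
    return sorted(src for src, n in counts.items() if n > limit)


def detect_spray(events, window=timedelta(minutes=10), min_users=8,
                 min_sources=8, max_per_source=2):
    """Tumbling-window spray rule.

    Fires when, inside one window, failures hit at least `min_users` distinct
    accounts from at least `min_sources` distinct addresses while no single
    address contributes more than `max_per_source` attempts. That last
    condition is the proxy-pool fingerprint: the attacker keeps the per-address
    rate below lockout thresholds, so only the aggregate view reveals the spray.
    """
    secs = window.total_seconds()
    buckets = defaultdict(list)
    for ts, user, src in events:
        start = datetime.fromtimestamp((ts.timestamp() // secs) * secs, tz=timezone.utc)
        buckets[start].append((user, src))
    alerts = []
    for start in sorted(buckets):
        users = {u for u, _ in buckets[start]}
        per_src = Counter(s for _, s in buckets[start])
        if (len(users) >= min_users and len(per_src) >= min_sources
                and max(per_src.values()) <= max_per_source):
            alerts.append({"window_start": start.isoformat(), "users": len(users),
                           "sources": len(per_src), "attempts": len(buckets[start])})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("per-IP rule flags:", per_source_offenders(evs))  # empty: the spray slips through
    for alert in detect_spray(evs):
        print("spray alert:", alert)
```

On the sample, the per-address rule returns nothing, while the aggregate rule fires once for the 10:00 window with twelve accounts and twelve addresses at one attempt each. In production the same logic belongs in a sliding window fed by the identity provider's sign-in log, and the distinct-source threshold should be tuned against the organisation's normal geographic spread so that a proxy pool, not a large remote workforce, is what trips it.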

Global Reach of the Botnet

According to the report, Lumen's global network visibility showed that the botnet maintained an average of around 1,000 active proxies in over 80 countries. Spur, a company that tracks proxy services, noted that 5Socks was relatively small but had become popular among financial fraudsters.

