
Police Dismantles Botnet Selling Hacked Routers As Residential Proxies (bleepingcomputer.com)

(Saturday May 10, 2025 @11:34AM (BeauHD) from the PSA dept.)


An anonymous reader quotes a report from BleepingComputer:

> Law enforcement authorities have dismantled a botnet that [1]infected thousands of routers over the last 20 years to build two networks of residential proxies known as Anyproxy and 5socks. The U.S. Justice Department also [2]indicted three Russian nationals (Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin) and a Kazakhstani (Dmitriy Rubtsov) for their involvement in operating, maintaining, and profiting from these two illegal services.
>
> During this joint action dubbed 'Operation Moonlander,' U.S. authorities worked with prosecutors and investigators from the Dutch National Police, the Netherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police, as well as analysts with Lumen Technologies' Black Lotus Labs. [3]Court documents show that the now-dismantled botnet infected older wireless internet routers worldwide with malware since at least 2004, allowing unauthorized access to compromised devices to be sold as proxy servers on Anyproxy.net and 5socks.net. The two domains were managed by a Virginia-based company and hosted on servers globally.
>
> On Wednesday, the FBI also issued a [4]flash advisory (PDF) and a public service announcement warning that this botnet was targeting end-of-life (EoL) routers with a variant of the TheMoon malware. The FBI warned that the attackers are installing proxies later used to evade detection during cybercrime-for-hire activities, cryptocurrency theft attacks, and other illegal operations. The list of devices commonly targeted by the botnet includes Linksys and Cisco router models, including:
>
> - Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550
> - Linksys WRT320N, WRT310N, WRT610N
> - Cisco M10 and Cradlepoint E100
>
> "The botnet controllers require cryptocurrency for payment. Users are allowed to connect directly with proxies using no authentication, which, as documented in previous cases, can lead to a broad spectrum of malicious actors gaining free access," Black Lotus Labs [5]said. "Given the source range, only around 10% are detected as malicious in popular tools such as VirusTotal, meaning they consistently avoid network monitoring tools with a high degree of success. Proxies such as this are designed to help conceal a range of illicit pursuits including ad fraud, DDoS attacks, brute forcing, or exploiting victim's data."
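The report above notes that the proxies built on these routers accept clients with no authentication. As an added example (not code from the article, the FBI advisory, or Black Lotus Labs), the following Python script is the kind of audit a network defender can run against the addresses of their own routers to learn whether anything on the perimeter answers a SOCKS5 greeting and accepts the no-authentication method. The target hosts and ports, and the in-process stand-in listeners used to exercise it offline, are constructed for the demonstration; nothing here assumes which ports the TheMoon proxy actually listens on.

```python
import socket
import threading

# SOCKS5 method-negotiation constants (RFC 1928)
SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
METHOD_NO_ACCEPTABLE = 0xFF


def probe_socks5_no_auth(host, port, timeout=3.0):
    """Classify what listens on host:port from its SOCKS5 method negotiation.

    Returns one of:
      "open"          - SOCKS5 speaker that accepts unauthenticated clients
      "auth_required" - SOCKS5 speaker that rejects the no-auth method
      "not_socks5"    - closed port, timeout, or a non-SOCKS service
    """
    # Client greeting: version 5, one method offered, method 0x00 (no auth).
    greeting = bytes([SOCKS_VERSION, 0x01, METHOD_NO_AUTH])
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(greeting)
            reply = sock.recv(2)
    except OSError:  # connection refused, reset, or timed out
        return "not_socks5"
    if len(reply) != 2 or reply[0] != SOCKS_VERSION:
        return "not_socks5"
    return "open" if reply[1] == METHOD_NO_AUTH else "auth_required"


def audit_targets(targets, timeout=3.0):
    """Probe each (host, port) pair exactly once; return {(host, port): verdict}."""
    return {(h, p): probe_socks5_no_auth(h, p, timeout) for h, p in targets}


# --- constructed stand-in listeners so the probe can be exercised offline ---

def start_fake_listener(mode):
    """Start a one-shot listener on 127.0.0.1 and return its port.

    mode "open": SOCKS5 server that accepts the no-auth method
    mode "auth": SOCKS5 server that refuses every offered method
    mode "http": an HTTP-looking service that is not SOCKS at all
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(3)  # consume the client greeting
            if mode == "open":
                conn.sendall(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
            elif mode == "auth":
                conn.sendall(bytes([SOCKS_VERSION, METHOD_NO_ACCEPTABLE]))
            else:
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed demo: three local listeners stand in for three router addresses.
    demo = [("127.0.0.1", start_fake_listener(m)) for m in ("open", "auth", "http")]
    verdicts = audit_targets(demo)
    for (host, port), verdict in verdicts.items():
        print(f"{host}:{port} -> {verdict}")
    flagged = [t for t, v in verdicts.items() if v == "open"]
    print("unauthenticated SOCKS5 listeners:", flagged)
```

The probe only performs the method negotiation and never issues a CONNECT request, so it tells you whether a device would relay for anyone without ever relaying anything. A device that answers "open" on a WAN-facing port is exactly the condition the Black Lotus Labs quote describes and is worth taking offline or replacing, EoL or not.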



[1] https://www.bleepingcomputer.com/news/security/police-dismantles-botnet-selling-hacked-routers-as-residential-proxies/

[2] https://www.justice.gov/usao-ndok/pr/botnet-dismantled-international-operation-russian-and-kazakhstani-administrators

[3] http://legacy.www.documentcloud.org/documents/25935130-anyproxy-and-5socks-indictment/

[4] https://www.ic3.gov/CSA/2025/250507.pdf

[5] http://blog.lumen.com/black-lotus-labs-helps-demolish-major-criminal-proxy-network/



Yet again the standard flaw of Internet Of Things (Score:5, Insightful)

by Moryath ( 553296 )

People aren't going to stop using something just because the company marked it EOL and stopped patching. They're only going to upgrade when they want a performance boost, or when the old device breaks.

This is especially true the more people wind up living paycheck-to-paycheck, and for the people who weren't highly conversant in the technology to begin with. Note how having remote admin turned on with a "listed in the manual" default username/password is a terrible security practice, but it's still incredibly common today. Many users probably plug the damn router in and don't even bother going through a setup, and they even leave the wi-fi ident string default and the password set to the MAC address listed on the sticker on the underside...

I kind of wonder... (Score:2)

by zendarva ( 8340223 )

Given how apathetic the average service industry worker is in America, how practically every big store has wifi, and big stores have lots of outlets, I am constantly shocked that bad actors aren't plugging cheap little pi 0w2's in official-looking wall warts into big box stores everywhere, setting them up with C&C servers, and using that as cheap, damn hard to trace, bastion boxes.

Re: I kind of wonder... (Score:2)

by ZERO1ZERO ( 948669 )

How do you know they aren't?

Operation Moonlander (Score:2)

by cstacy ( 534252 )

"Invincible!"

Until BOTRAkER came along.

Why does this take 20 years? (Score:2)

by gweihir ( 88907 )

At that rate they could also simply wait until the bot-net operators die of old age...

Obviously, this stuff is still not taken seriously at all.
