A sprawling proxy botnet built on over 7,000 hacked IoT and outdated routers has finally been brought down. U.S. and Dutch authorities joined forces to dismantle the network, which had quietly helped cybercriminals stay anonymous online for years.
Authorities say the network hijacked thousands of devices, including end-of-life (EoL) routers, turning them into proxy servers. Hackers sold access to these infected machines through two services: anyproxy.net and 5socks.net. Combined, they generated over $46 million by offering monthly proxy access priced between $10 and $110.
The U.S. Justice Department has now charged four people: Russian nationals Alexey Chertkov, Kirill Morozov and Aleksandr Shishkin, and a Kazakhstani national, Dmitriy Rubtsov. These individuals allegedly ran the entire operation, from maintaining the malware to collecting subscription payments.
The FBI discovered several infected routers in homes and offices across Oklahoma. Victims had no idea that their routers had been compromised and turned into nodes within a cybercrime network.
The core malware, known as TheMoon, helped link all infected devices. Once it took hold of a router, it connected to a command server and received new tasks. One of those tasks was scanning the internet for more vulnerable routers. That’s how the botnet grew — silently and aggressively.
Lumen Technologies’ Black Lotus Labs monitored the activity. They found that roughly 1,000 devices connected weekly to command-and-control (C2) servers in Turkey. Over half of these infected systems were located in the United States. Canada and Ecuador followed closely in number.
TheMoon malware is especially dangerous because it doesn’t need a password. It simply scans for exposed ports and exploits weaknesses in the routers' old software. Once in, it installs proxy software that allows anonymous internet traffic to flow through the infected router. No user approval, no alerts, just quiet control.
To make matters worse, the platforms didn’t require authentication. Buyers only needed an IP address and port number. That meant almost anyone could use the botnet’s proxy service to conduct online crimes — from ad fraud and DDoS attacks to credential stuffing and data theft.
Security researchers noted that one server in Turkey silently collected victim data using UDP traffic. It received information without responding, which made it harder to detect. Four other servers used HTTP (port 80) to control the infected machines.
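A defender-side illustration of the two traffic patterns just described, written for this edit rather than taken from Lumen's or the FBI's material: it scans constructed flow records for recurring outbound UDP that never gets a reply, and for HTTP on port 80 originating from the router itself. The router address, the destination addresses and the flow record layout are all assumptions.

```python
from collections import Counter

# Constructed sample flow records (not from the article). Fields:
# (src_ip, dst_ip, proto, dst_port, bytes_out, bytes_in)
ROUTER_IP = "192.168.1.1"            # assumed: the gateway's own address
FLOWS = [
    (ROUTER_IP, "203.0.113.10", "udp", 53, 80, 120),        # DNS lookup, answered
    (ROUTER_IP, "203.0.113.11", "udp", 123, 48, 48),        # NTP sync, answered
    (ROUTER_IP, "198.51.100.7", "udp", 9999, 412, 0),       # one-way UDP, no reply
    (ROUTER_IP, "198.51.100.7", "udp", 9999, 398, 0),
    (ROUTER_IP, "198.51.100.7", "udp", 9999, 405, 0),
    (ROUTER_IP, "198.51.100.8", "tcp", 80, 300, 900),       # router itself talking HTTP
    ("192.168.1.20", "203.0.113.50", "tcp", 80, 500, 4000), # a PC browsing: normal
    ("192.168.1.20", "198.51.100.9", "udp", 5000, 60, 0),   # single unanswered probe
]

EXPECTED_UDP_PORTS = {53, 123}   # services a router legitimately reaches over UDP

def find_silent_udp(flows, min_flows=3):
    """Return (src, dst, port) triples that repeatedly send UDP and never get a reply.

    This is the footprint of a collection server that receives data without
    responding: recurring outbound UDP with zero bytes coming back.
    """
    counts = Counter()
    for src, dst, proto, port, bytes_out, bytes_in in flows:
        if proto == "udp" and port not in EXPECTED_UDP_PORTS and bytes_out > 0 and bytes_in == 0:
            counts[(src, dst, port)] += 1
    return sorted(key for key, n in counts.items() if n >= min_flows)

def find_router_http(flows, router_ip=ROUTER_IP):
    """Return destinations the router itself contacts over TCP/80.

    A gateway normally forwards HTTP for its clients rather than originating it,
    so the router opening its own HTTP sessions is consistent with a C2 check-in.
    """
    return sorted({dst for src, dst, proto, port, *_ in flows
                   if src == router_ip and proto == "tcp" and port == 80})

if __name__ == "__main__":
    print("silent UDP:", find_silent_udp(FLOWS))
    print("router-originated HTTP:", find_router_http(FLOWS))
```

Real flow exports (NetFlow, Zeek conn logs) carry the same fields, so only the record loader needs to change to run this against live data.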
This joint takedown, known as Operation Moonlander, didn’t stop at legal action. Investigators also seized domains and cut off traffic to known C2 addresses, preventing further infection.
Lumen noted that both 5socks.net and anyproxy.net were essentially the same service — just different brand names for the same backend system.
The FBI has since issued a warning. They say attackers often exploit routers that have reached EoL. These devices no longer receive security patches, making them easy to compromise. Even today, many users rely on outdated hardware, unaware that they’re offering a free pass to cybercriminals.
To stay safe, experts recommend a few simple steps:
- Reboot your router regularly
- Install firmware updates
- Change default login credentials
- Upgrade any router that’s reached end-of-life
The scale of this takedown sends a clear message. As the number of IoT devices grows, so does the attack surface. Criminals will continue targeting underprotected networks, especially in homes and small businesses.
Proxy botnets aren’t just a privacy issue — they’re a full-blown cybersecurity threat. They allow hackers to hide behind your IP address while they launch attacks that are nearly impossible to trace.
The fight isn’t over. But with coordinated operations like this, authorities are striking back.