Major International Operation Takes Down Massive Router-Based Proxy Botnet

CyberSecureFox 🦊

In a significant cybersecurity breakthrough, international law enforcement agencies have successfully dismantled one of the longest-running and most sophisticated botnet operations that had been compromising routers worldwide for nearly 20 years. The operation, codenamed “Moonlander,” targeted a criminal network that transformed infected devices into illegal residential proxy servers, marketed through services known as Anyproxy and 5socks.

International Collaboration Leads to Criminal Charges

The U.S. Department of Justice has filed charges against four individuals in connection with the operation: three Russian nationals (Alexey Chertkov, Kirill Morozov, and Alexander Shishkin) and one Kazakhstani citizen (Dmitry Rubtsov). The investigation involved extensive cooperation between law enforcement agencies from the Netherlands and Thailand, supported by technical expertise from Lumen Technologies’ Black Lotus Labs.

Technical Infrastructure and Malware Deployment

Operating since 2004, the criminal enterprise employed a modified version of TheMoon malware to exploit vulnerabilities in legacy wireless routers. The compromised devices were converted into proxy servers, with access sold through dedicated websites Anyproxy[.]net and 5socks[.]net. Subscription packages ranged from $9.95 to $110 monthly, attracting customers seeking anonymous internet access.

Impact and Financial Scale

The investigation revealed the botnet operators advertised more than 7,000 residential proxy servers across various platforms, including cybercriminal forums. The illegal operation generated over $46 million in revenue, primarily through cryptocurrency transactions, with minimal authentication requirements for accessing the proxy services.

Router Vulnerabilities and Detection Challenges

The botnet primarily targeted Linksys and Cisco routers, exploiting known vulnerabilities in older firmware versions. Most concerning were the malware's evasion capabilities: only 10% of its malicious activities were detected by leading antivirus solutions, including VirusTotal, highlighting the advanced nature of the threat.

This successful operation marks a crucial victory in the ongoing battle against cybercrime, while emphasizing the critical importance of router security. Network administrators and home users are strongly advised to implement regular firmware updates, enable robust security controls, and monitor their devices for suspicious activities. The case serves as a stark reminder that outdated network equipment remains a prime target for cybercriminals, potentially turning innocent users’ devices into tools for illegal operations.
