A botnet that had been operating for nearly two decades was finally dismantled as part of an international effort known as “Operation Moonlander.” This network was behind the AnyProxy and 5Socks services, which offered residential proxies to cybercriminals to help them conceal their online footprints. Four men—three Russians and one Kazakh citizen—were charged with running this illegal operation.
The U.S. Department of Justice filed charges against Alexey Chertkov (37), Kirill Morozov (41), Aleksandr Shishkin (36), and Dmitriy Rubtsov (38), accusing them of conspiracy and damaging protected computers while profiting from the operation of AnyProxy and 5Socks.
This takedown was not a solo effort: U.S. authorities collaborated with law enforcement from the Netherlands, Thailand, and cybersecurity experts from Black Lotus Labs, part of Lumen Technologies.
According to the official statement from the Department of Justice, the accused infected outdated Wi-Fi routers (yes, the ones you might still have at home) with malware, without users ever realizing it. That malware reconfigured the devices to act as proxies accessible to third parties who paid for subscriptions on the Anyproxy.net and 5socks.net websites. The operation was run from a company registered in Virginia, with servers spread across the globe.
Court documents reveal that 5socks.net alone sold over 7,000 proxies worldwide, charging between $10 and $110 per month. The outcome? More than $46 million generated by exploiting infected routers, all thanks to the massive botnet built through AnyProxy.
For nearly two decades, the group behind the AnyProxy and 5Socks websites operated in the shadows, using fake identities to register domains and stay off the radar. Now, Chertkov and Rubtsov face charges for using fraudulent information to register those domains. Meanwhile, FBI agents in Oklahoma discovered that many routers—in both homes and businesses—had been infected with malware without their owners having the slightest clue.
During the investigation, it was found that nearly a thousand different devices connected each week to command-and-control servers located in Turkey. Most of these compromised devices were in the United States, although many were also identified in Canada and Ecuador.
The botnet was highly adaptable: it accepted cryptocurrency payments and was designed to infect IoT devices and SOHO (small office/home office) routers. The malware specifically targeted outdated devices that no longer receive support, as they are easier to attack and often have remote administration enabled by default.
What’s particularly concerning is how stealthy the malware was—only about 10% of the malicious files were flagged as dangerous by common tools like VirusTotal. This gave the attackers a major advantage, allowing them to easily evade network monitoring systems.
The business model was straightforward: once a device was infected, it connected to a control network made up of multiple servers, primarily using port 80. One of these servers even used port 1443 over UDP, likely to store stolen data. The botnet offered a “proxy rental” service where clients paid for access to IP addresses for 24-hour periods. There was no identity verification or oversight—anyone could gain access and use the connection for any purpose.
What Was It Used For?
The infected proxies were used for a wide range of illegal activities: ad fraud, DDoS attacks, brute-force attempts to infiltrate other systems, and of course, to cover their tracks while stealing data from individuals and businesses.
Services like AnyProxy and 5Socks pose a serious threat to internet security. They act as a camouflage layer for cybercriminals, allowing them to hide behind legitimate IP addresses and making it extremely difficult to trace their activities. The concerning part is that thousands of old and vulnerable devices are still in use. Additionally, with the rapid growth of the Internet of Things (IoT), attackers now have more opportunities than ever.
When analyzing similar cases such as NSOCKS and Faceless, a clear pattern emerges: multiple criminal groups exploit the open access of these devices and openly advertise them on underground forums as if they were legitimate services.
Last week, the FBI issued a FLASH security alert regarding 5Socks and AnyProxy. In the alert, they warned that attackers are targeting routers that have reached the end of their life (meaning they no longer receive updates or security patches), and using them to install malware and build botnets. The agency recommends replacing these devices or, at the very least, disabling remote access and rebooting them to disrupt any persistent connections.
The problem with these “EOL” (end-of-life) routers is that their lack of support leaves security holes open, making them ideal targets. Cybercriminals exploit them to load malware, take full control of the devices, and make configuration changes that allow them to remain undetected.
According to the alert, even state-sponsored actors linked to the Chinese government have exploited these vulnerabilities to build botnets used in attacks against critical infrastructure—especially in the United States.
Once a device is infected, it becomes part of the botnet and starts functioning as a proxy for paying clients. The malware maintains regular contact (every 60 seconds or up to every five minutes) ensuring it remains accessible at all times. Moreover, if remote access is enabled, attackers can directly access the device, even if it’s password-protected.
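The two technical details the article gives a defender to work with are the control-channel shape (infected routers connecting out to a small set of servers, primarily on port 80) and the cadence (a check-in every 60 seconds to every five minutes). The following is an added example, not code from the article, Black Lotus Labs or the FBI alert: a small beacon detector that groups flow records by (source, destination, port, protocol), measures the inter-arrival intervals, and flags pairs whose average interval falls in that 60 s to 5 min window with low jitter. The flow lines, the private addresses and the 203.0.113.0/24 and 198.51.100.0/24 destinations are constructed documentation-range placeholders, not indicators from the case; the thresholds are assumptions you would tune to your own network.

```python
"""Flag periodic router-to-server beaconing in flow logs.

Added example (not from the article or the investigators' tooling). Assumes
one flow record per line: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>".
All sample data below is constructed; no real C2 addresses are used.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIN_INTERVAL = 60    # seconds; lower bound of the cadence described in the article
MAX_INTERVAL = 300   # seconds; "up to every five minutes"
MIN_BEACONS = 6      # assumed: need enough samples before calling a pattern a beacon
MAX_JITTER = 0.25    # assumed: coefficient of variation; scheduled check-ins are regular

# Constructed flow records. 192.168.1.1 plays the compromised SOHO router,
# 192.168.1.20 a laptop browsing normally, 192.168.1.30 a host with too few flows.
SAMPLE_FLOWS = """\
1700000000 192.168.1.1 203.0.113.5 80 tcp
1700000060 192.168.1.1 203.0.113.5 80 tcp
1700000120 192.168.1.1 203.0.113.5 80 tcp
1700000181 192.168.1.1 203.0.113.5 80 tcp
1700000240 192.168.1.1 203.0.113.5 80 tcp
1700000300 192.168.1.1 203.0.113.5 80 tcp
1700000359 192.168.1.1 203.0.113.5 80 tcp
1700000420 192.168.1.1 203.0.113.5 80 tcp
1700000003 192.168.1.20 198.51.100.7 443 tcp
1700000009 192.168.1.20 198.51.100.7 443 tcp
1700000150 192.168.1.20 198.51.100.7 443 tcp
1700000152 192.168.1.20 198.51.100.7 443 tcp
1700000900 192.168.1.20 198.51.100.7 443 tcp
1700001800 192.168.1.20 198.51.100.7 443 tcp
1700001830 192.168.1.20 198.51.100.7 443 tcp
1700000000 192.168.1.30 203.0.113.9 80 tcp
1700000120 192.168.1.30 203.0.113.9 80 tcp
1700000240 192.168.1.30 203.0.113.9 80 tcp
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, proto) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        yield int(ts), src, dst, int(dport), proto


def find_beacons(text):
    """Return findings for every (src, dst, port, proto) pair that looks like a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, proto in parse_flows(text):
        by_pair[(src, dst, dport, proto)].append(ts)

    findings = []
    for (src, dst, dport, proto), stamps in by_pair.items():
        if len(stamps) < MIN_BEACONS:
            continue  # too few observations to judge regularity
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a scheduled check-in has a small spread
        # relative to its mean; human browsing does not.
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if MIN_INTERVAL <= avg <= MAX_INTERVAL and jitter <= MAX_JITTER:
            findings.append({
                "src": src, "dst": dst, "dport": dport, "proto": proto,
                "beacons": len(stamps),
                "mean_interval": round(avg, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_FLOWS):
        print(f"possible beacon: {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} "
              f"every ~{f['mean_interval']}s ({f['beacons']} hits, jitter {f['jitter']})")
```

Run against the sample, only the router's once-a-minute connections to 203.0.113.5:80 are reported; the laptop's bursty traffic fails the jitter test and the third host never reaches the minimum sample count. A hit on a router or IoT device, rather than a workstation, is the case worth following up with the FBI's advice above: check whether remote administration is enabled, whether the model is past end-of-life, and reboot or replace it.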