Sp
Global Law Enforcement Shatters 20-Year-Old Botnet 'Shadow Empire'—Criminals Rak...
In a landmark global operation, U.S. and international authorities have dismantled one of the longest-running cybercrime networks in history. Dubbed **Operation Moonlander**, the takedown targeted the **Anyproxy** and **5socks** botnets, which infected thousands of aging routers over two decades to fuel a $46 million illicit proxy service empire. The U.S. Department of Justice (DOJ) unsealed indictments against **four individuals**—three Russians and one Kazakhstani—exposing their roles in operating malware-laden networks that enabled cyberattacks, ad fraud, and cryptocurrency theft worldwide.
---
### **The Rise and Fall of Anyproxy & 5socks**
**A 20-Year Cybercrime Legacy**
Court documents reveal the botnet began infecting routers as early as **2004**, exploiting devices from brands like **Linksys** and **Cisco** to create sprawling proxy networks. These proxies, marketed on **Anyproxy.net** and **5socks.net**, were sold to cybercriminals for $9.95 to $110 monthly, offering anonymity for illegal activities ranging from **DDoS attacks** to **credential brute-forcing**.
**How the Botnet Operated**
- **Targeting Vulnerable Hardware**: The hackers exploited **end-of-life (EoL) routers**—devices no longer receiving security updates—using a variant of **TheMoon malware**.
- **Proxy Networks for Hire**: Compromised routers were repurposed into “residential proxies,” masking malicious traffic as legitimate user activity.
- **Evading Detection**: Only **10% of infected IPs** triggered alerts on platforms like VirusTotal, making the networks ideal for high-risk criminal operations.
---
### **International Collaboration: A Global Takedown**
Operation Moonlander united the **U.S. DOJ**, **Dutch National Police**, **Royal Thai Police**, and analysts from **Lumen Technologies’ Black Lotus Labs**. Key actions included:
1. **Seizing Domains**: Anyproxy.net and 5socks.net now display law enforcement seizure banners (see image below).
2. **Charging Suspects**:
- **Alexey Chertkov**, **Kirill Morozov**, and **Aleksandr Shishkin** (Russian nationals)
- **Dmitriy Rubtsov** (Kazakhstani national)
The group faces charges of **conspiracy**, **damaging protected computers**, and **domain fraud**.
**Infrastructure Insights**
- Servers hosted in **Russia** (via JCS Fedora Communications), the **Netherlands**, and **Türkiye** supported the botnet.
- Payments were processed in **cryptocurrency**, complicating financial tracking.
---
### **TheMoon Malware: A Silent Router Killer**
The FBI’s latest advisory warns that the botnet relied on a **new variant of TheMoon malware**, which:
- Exploited routers with **remote administration features enabled**.
- Installed covert proxies to facilitate **cybercrime-for-hire services**.
**Affected Devices**
| **Brand** | **Models** |
|------------------|---------------------------------------------------------------------------|
| Linksys | E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N |
| Cisco | M10, Cradlepoint E100 |
---
### **Why Residential Proxies Are a Cybercrime Goldmine**
Residential IPs are prized for their ability to mimic legitimate traffic. According to **Black Lotus Labs**:
> *“Proxies like Anyproxy help criminals bypass fraud detection systems, making ad scams, credential stuffing, and data theft harder to trace.”*
**Documented Misuses**
- **Ad Fraud**: Generating fake clicks to siphon advertising revenue.
- **DDoS Attacks**: Masking the origin of disruptive traffic floods.
- **Data Exploitation**: Harvesting sensitive information from compromised networks.
---
### **FBI Warning: Secure Your Routers Now**
The FBI’s **public service announcement** urges users and businesses to:
1. **Replace EoL Routers**: Upgrade devices no longer supported by manufacturers.
2. **Disable Remote Administration**: Limit exposure to malware like TheMoon.
3. **Monitor Network Traffic**: Use tools to detect unusual proxy activity.
**Quote from the DOJ**:
> *“This operation disrupts a critical tool for cybercriminals. Residential proxies are not just a privacy threat—they’re a gateway to global harm.”*
---
### **Broader Implications and Lessons Learned**
- **The Cost of Outdated Tech**: The botnet thrived on neglected hardware, underscoring risks of using unsupported devices.
- **Global Jurisdiction Challenges**: Prosecuting foreign nationals (e.g., Russian suspects) highlights legal hurdles in cybercrime enforcement.
- **Public-Private Partnerships**: Collaboration with firms like **Lumen** proved vital in mapping the botnet’s infrastructure.
---
### **What’s Next?**
While Operation Moonlander marks a victory, experts warn botnets will adapt. **Black Lotus Labs** notes:
> *“Threat actors increasingly target IoT devices. Vigilance and firmware updates are non-negotiable.”*
**SEO Keywords**: Operation Moonlander, Anyproxy botnet, 5socks, FBI cybercrime, TheMoon malware, residential proxies, end-of-life routers, DDoS attacks, cybercrime-for-hire, Lumen Black Lotus Labs
-
