FBI dismantles 20-year Anyproxy botnet behind $46M cybercrime empire. Learn risks of end-of-life routers.

Continue reading
In a landmark global operation, U.S. and international authorities have dismantled one of the longest-running cybercrime networks in history. Dubbed Operation Moonlander, the takedown targeted the Anyproxy and 5socks botnets, which infected thousands of ageing routers over two decades to fuel a $46 million illicit proxy service empire. The U.S. Department of Justice (DOJ) unsealed indictments against four individuals—three Russians and one Kazakhstani—exposing their roles in operating malware-laden networks that enabled cyberattacks, ad fraud, and cryptocurrency theft worldwide.
A 20-Year Cybercrime Legacy Court documents reveal the botnet began infecting routers as early as 2004, exploiting devices from brands like Linksys and Cisco to create sprawling proxy networks. These proxies, marketed on Anyproxy.net and 5socks.net, were sold to cybercriminals for $9.95 to $110 monthly, offering anonymity for illegal activities ranging from DDoS attacks to credential brute-forcing.
How the Botnet Operated
Operation Moonlander united the U.S. DOJ, Dutch National Police, Royal Thai Police, and analysts from Lumen Technologies’ Black Lotus Labs. Key actions included:
The group faces charges of conspiracy, damaging protected computers, and domain fraud.
The FBI’s latest advisory warns that the botnet relied on a new variant of TheMoon malware, which:
Affected Devices
| Brand | Models |
|---|---|
| Linksys | E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N |
| Cisco | M10, Cradlepoint E100 |
Residential IPs are prized for their ability to mimic legitimate traffic. According to Black Lotus Labs: > “Proxies like Anyproxy help criminals bypass fraud detection systems, making ad scams, credential stuffing, and data theft harder to trace.”
Documented Misuses
The FBI’s public service announcement urges users and businesses to:
Quote from the DOJ: > “This operation disrupts a critical tool for cybercriminals. Residential proxies are not just a privacy threat—they're a gateway to global harm."
While Operation Moonlander marks a victory, experts warn botnets will adapt. Black Lotus Labs notes: > “Threat actors increasingly target IoT devices. Vigilance and firmware updates are non-negotiable.”

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation