FBI Shuts Down Massive $46M Router Botnet Operation – Ankor Tech

A coordinated international law enforcement operation, dubbed “Operation Moonlander,” has successfully dismantled two major proxy services, Anyproxy and 5Socks, which were accused of orchestrating a global botnet of thousands of compromised routers. The FBI, Dutch National Police, and the U.S. Department of Justice collaborated to seize the domains, while U.S. prosecutors announced the indictment of four individuals behind the scheme.

The Indictment: Targeting Vulnerable Infrastructure

On Friday, U.S. authorities officially charged three Russian nationals—Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin—alongside Kazakhstan national Dmitriy Rubtsov. The defendants are accused of exploiting known vulnerabilities in older wireless router models to hijack thousands of devices worldwide.

By seizing control of these routers, the operators converted them into a massive proxy network. This infrastructure was then marketed to cybercriminals as a “residential proxy service,” allowing users to mask their true IP addresses and appear as legitimate home users to bypass security filters and geoblocking.

A Multi-Million Dollar Cybercrime Enterprise

According to the Department of Justice, the operation—which had been active since 2004—generated over $46 million in illicit revenue. The unsealed indictment reveals that the conspirators leveraged residential IP addresses to provide high levels of anonymity, making it significantly harder for security services to detect malicious traffic.

The services, accessible through their respective websites, were heavily promoted on cybercriminal forums. Researchers from Black Lotus Labs, who assisted authorities in tracking the network, noted that the botnet was primarily composed of “end-of-life” routers, with an average of 1,000 active proxies across more than 80 countries each week.

Impact and Scope of the Botnet

The botnet was a hub for various forms of digital abuse, including:

  • Large-scale ad fraud
  • Password spraying attacks
  • Distributed Denial-of-Service (DDoS) campaigns
  • Financial fraud

Riley Kilmer, co-founder of the proxy-tracking firm Spur, noted that while the network was smaller than other criminal operations, its utility for financial fraud made it a significant threat. In a published report, Black Lotus Labs confirmed that Anyproxy and 5Socks operated as a single, unified pool of proxies under the same management.

At the time of the operation, the FBI, DOJ, and Dutch police had released no further details of the investigation, but the shutdown marks a significant blow to the ecosystem of residential proxy services used for criminal anonymity.