Cybercrime Ring Exploited Outdated Routers to Funnel Malicious Traffic

The FBI has disrupted a massive proxy-for-hire botnet, indicting four foreign nationals accused of running the long-running cybercrime network. The operation, code-named “Operation Moonlander,” targeted outdated routers from Linksys, Ericsson, and Cisco, which were compromised and made available for sale as part of a criminal proxy network.
The botnet, which provided anonymity to malicious users, enabled a range of cybercrime, including distributed denial of service (DDoS) attacks. According to federal investigators and security researchers, the botnet provided access to over 7,000 residential proxies, which were marketed through the 5socks and Anyproxy domains. The operators charged between $9.95 and $110 per month for access to the proxies, with the website boasting that it had been “Working since 2004!”
The FBI warned that the aging routers, which were long past their update window, were being actively targeted by cybercriminals. The agency issued a FLASH bulletin on Wednesday, warning users to replace their outdated routers, which were being exploited to funnel malicious traffic.
The indictments, unsealed on Friday, named three Russian nationals – Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, and Aleksandr Aleksandrovich Shishkin, 36 – and a Kazakhstani associate, Dmitriy Rubtsov, 38. Chertkov and Rubtsov were also charged with providing false registration information when signing up the domains used to operate the proxy services.
The operation was a joint effort between European and US law enforcement, with support from Lumen’s Black Lotus Labs. The botnet operators targeted outdated routers and kept a relatively low operational footprint to avoid detection.
“The botnet operators claim that they maintain a daily population of over 7,000 proxies,” said a spokesperson for Black Lotus Labs. “However, we believe their true bot population is less than advertised to potential users. Our telemetry shows an average of about 1,000 weekly active proxies in over 80 countries.”