FBI and Dutch Police Crack Down on Botnet of Hacked Routers

As part of a joint international law enforcement operation, the FBI and Dutch police have successfully shut down a botnet of hacked internet-connected devices, including routers. The action, dubbed "Operation Moonlander," involved cooperation from the U.S. Attorney's Office for the Northern District of Oklahoma and the U.S. Department of Justice.

The investigation targeted two services, Anyproxy and 5Socks, which were accused of providing access to a botnet of hacked routers to cybercriminals. The websites of these services were replaced with notices stating that they had been seized by the FBI as part of the operation.

A Botnet Built on Hacked Routers

According to the indictment, four individuals - Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Dmitriy Rubtsov - were behind the operation. These individuals, who are all believed to reside outside of the United States, targeted older models of wireless internet routers that had known vulnerabilities.

By compromising these devices, the operators infected thousands of vulnerable internet-connected devices and turned them into a network of proxies for cybercriminals to use. The botnet subscribers' internet traffic appeared to come from the IP addresses assigned to the compromised devices rather than the IP addresses assigned to the devices that the subscribers were actually using.

A Scheme to Sell Access to the Botnet

According to the indictment, the four individuals marketed the Anyproxy botnet as a residential proxy service on social media and online discussion forums, including cybercriminal forums. This was done to provide anonymity for malicious actors when committing cybercrimes.

A Look at the Numbers

The investigation revealed that the four individuals had made more than $46 million from selling access to the botnet. The botnet was designed to offer anonymity for malicious actors online, and it is estimated that there were around 1,000 weekly active proxies in over 80 countries.

Black Lotus Labs and Lumen's Role

Black Lotus Labs, a team of researchers housed within cybersecurity firm Lumen, helped the authorities track the proxy networks. According to Ryan English, a researcher at Black Lotus Labs, the two services were used for several types of abuse, including password spraying, launching distributed denial-of-service (DDoS) attacks, and ad fraud.

A Shared Network

English told TechCrunch that he and his colleagues are confident that Anyproxy and 5Socks are "the same pool of proxies run by the same operators, just under a different name." This suggests that there was a shared network of compromised devices used by both services.

A Warning for Users

The shutdown of these services serves as a reminder to users to take steps to protect their own internet-connected devices from hacking. The incident highlights the importance of staying vigilant and taking proactive measures to secure their online activity.