
US seizes Anyproxy, 5socks botnets and indicts alleged administrators

The long-running botnet operation used malware that infected older wireless internet routers over a 20-year period, according to federal prosecutors.
Federal authorities seized the domains allegedly used for Anyproxy and 5socks botnets. (Screenshot of Anyproxy.net)

Federal authorities seized two domains and indicted four foreign individuals for alleged involvement in a long-running botnet service that infected older wireless internet routers, the Justice Department said Friday.

The malware created for the botnet allowed infected routers to be reconfigured, which granted unauthorized access to third parties and made the routers available for sale as proxy servers on Anyproxy.net and 5socks.net, according to law enforcement officials. Both domains, which were managed by a company headquartered in Virginia and hosted on servers worldwide, now render seizure notices under an effort the DOJ and FBI dubbed “Operation Moonlander.”

The 5socks.net website claimed to have been in operation for over 20 years and had more than 7,000 proxies for sale worldwide for a monthly subscription of $9.95 to $110, according to prosecutors. The botnet’s overseas operations were also seized and disabled by law enforcement agencies in the Netherlands and Thailand.

Authorities also indicted the botnet’s alleged administrators and charged them with conspiracy and damage to protected computers for conspiring with others to maintain, operate and profit from the botnet services known as Anyproxy and 5socks.


The DOJ said the defendants amassed more than $46 million from selling access to infected routers that were part of the Anyproxy botnet.

The accused include three Russian nationals — Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, and Aleksandr Aleksandrovich Shishkin, 36 — and Kazakhstani national Dmitriy Rubtsov, 38. Chertkov and Rubtsov are also charged with false registration of a domain name.

The accused men have not been arrested and their whereabouts are unknown. Russia and Kazakhstan do not have extradition treaties with the U.S. government.

Lumen Technologies’ Black Lotus Labs, which assisted the DOJ and the Dutch National Police in tracking the Anyproxy and 5socks botnets, said it discovered thousands of infected IoT and end-of-life devices over the past year.

“We discovered a weekly average of 1,000 unique bots in contact with the command-and-control infrastructure located in Turkey,” Black Lotus Labs researchers said in a blog post released Friday. Most of the botnets’ victims are in the United States, researchers added.


The domain seizure warrant was unsealed in the U.S. District Court for the Eastern District of Virginia, and the indictment was unsealed in the U.S. District Court for the Northern District of Oklahoma. The FBI Oklahoma City Cyber Task Force discovered that business and residential routers in Oklahoma had malware installed without the users’ knowledge and is continuing to investigate the case.
