In a major victory against cybercrime, a coalition of international law enforcement agencies has dismantled a massive botnet in an operation known as Operation Moonlander. The coordinated effort shut down two long-running proxy services—Anyproxy and 5Socks—accused of offering cybercriminals access to a botnet built from hacked internet-connected devices, primarily routers.
On Wednesday, visitors to the websites of Anyproxy and 5Socks were greeted with a seizure notice from the FBI. The message confirmed that both sites had been taken offline as part of Operation Moonlander, led by the FBI in collaboration with the Dutch National Police, the U.S. Attorney’s Office for the Northern District of Oklahoma, and the U.S. Department of Justice (DOJ).
Four Foreign Nationals Indicted for Cybercrime
Just days after the seizure, U.S. prosecutors announced the indictment of four individuals: Russians Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Kazakhstan national Dmitriy Rubtsov. Authorities allege the group operated Anyproxy and 5Socks under the guise of legitimate residential proxy services while secretly using a botnet of compromised routers.
According to the DOJ, the accused hackers exploited known vulnerabilities in outdated wireless routers to gain unauthorized control of thousands of devices. Once compromised, these routers were turned into proxies and added to the botnet. The group then monetized the network by selling access through their proxy platforms, effectively allowing cybercriminals to anonymize their activities.
While residential proxy services themselves are not illegal, these particular networks allegedly stood out because they were built on illegally hacked devices. The resulting botnet allowed subscribers to route their internet traffic through legitimate residential IP addresses, making their activities much harder to trace.
Botnet Used for Financial Fraud, DDoS Attacks, and More
The indictment notes that the 5Socks service openly advertised access to the Anyproxy botnet on cybercrime forums and social media. The botnet proved attractive to threat actors seeking anonymity, especially since residential IP addresses are typically seen as less suspicious than commercial ones.
According to cybersecurity experts at Black Lotus Labs, the malicious network was used for various online abuses, including password spraying, distributed denial-of-service (DDoS) attacks, ad fraud, and other forms of cybercrime. Ryan English, a researcher at the lab, confirmed the services had been active for years and that they “offered anonymity for malicious actors online.”
In its analysis, Black Lotus Labs revealed the botnet had an average of around 1,000 active proxies per week across more than 80 countries. Most of the compromised devices were end-of-life routers that were no longer supported with security updates—making them easy targets for hackers.
Spur, a company that monitors online proxy services, also assisted in the investigation. Co-founder Riley Kilmer noted that while 5Socks wasn’t the largest network tracked, it had grown increasingly popular for financial fraud activities in recent years.
$46 Million Earned Through the Botnet
Prosecutors allege that the four accused individuals made over $46 million from their illegal operation. Although the accused are currently located outside the U.S., the indictments send a strong message of accountability. The DOJ emphasized that even international cybercriminals can face justice when operating at this scale.
With Operation Moonlander, law enforcement has not only taken down two notorious services but also highlighted the growing threat of residential proxy abuse. The success of this action sets a precedent for future crackdowns on cybercriminal infrastructure built on hacked consumer devices.
As authorities continue to monitor for new threats, experts urge users to update or replace outdated hardware to prevent similar compromises. The FBI and DOJ have not disclosed whether further arrests or charges are expected, but investigations into related networks are likely ongoing.