Introduction

The increasing vulnerability of outdated edge devices, particularly routers from manufacturers such as Linksys, Cisco [2] [3], and Cradlepoint [2], has become a significant concern. These devices, which no longer receive security updates [8], are being targeted by cybercriminals [6], including state-sponsored groups [2]. This situation poses a substantial threat to network security and critical infrastructure.

Description

Edge devices [1] [4] [7] [8] [10], particularly obsolete routers from manufacturers like Linksys, Cisco [2] [3], and Cradlepoint that no longer receive security updates [2], are increasingly targeted by cyber threat actors [6] [8]. A recent FBI report highlights a campaign exploiting known vulnerabilities in these end-of-life (EOL) routers [8], especially those manufactured in 2010 or earlier [5], which often come with pre-installed remote management software [6] [7]. This software contains vulnerabilities that allow attackers to install malware [7], create botnets [4] [6] [7] [9] [10], and sell proxy services to other criminal enterprises [7]. Cybercriminals [2] [5] [6] [8], including state-sponsored groups from China and recently identified individuals from Russia and Kazakhstan, utilize publicly available exploits to inject persistent malware [2], such as variants of TheMoon, into these devices [1] [4] [7] [10]. Once compromised [1] [2] [3] [4] [5] [6] [7] [9], the routers are integrated into residential proxy botnets [2], allowing attackers to obscure their origins while conducting malicious activities [2], including data theft [3] [6], spam distribution [6], ransomware campaigns [2], and Distributed Denial of Service (DDoS) attacks against other networks [7].

The FBI has issued a FLASH alert regarding the malicious services of Anyproxy and 5Socks [4] [10], which specifically target EOL routers. These platforms facilitate the sale of access to compromised devices, which are particularly vulnerable due to the lack of security updates and exposed remote management features. The alert emphasizes that Chinese cyber actors [10], along with the recently charged individuals, have leveraged these vulnerabilities to establish botnets capable of concealing intrusions into US critical infrastructure. Infected routers can be used in coordinated attacks or sold as proxies [4] [10], with the malware allowing threat actors to maintain persistent access and communicate with the devices every 60 seconds to five minutes [10]. Once attackers gain root access [1] [4], they can control the devices [7], make configuration changes [4], and intercept sensitive information [7], including login credentials and financial data [7].

A joint US-Dutch law enforcement operation has dismantled a botnet-for-hire that exploited thousands of these vulnerable routers [9]. The US Department of Justice (DOJ) announced the seizure of domains Anyproxy.net and 5socks.net [9], which were used to sell access to compromised routers [9]. An indictment has been unsealed against four foreign nationals [9], including three Russians [1], for their roles in operating the botnets [9], highlighting the international nature of this cybercrime. The botnet was established by infecting older-model wireless internet routers globally [9], enabling unauthorized access and allowing these routers to function as proxy servers for sale on the Anyproxy and 5socks platforms [9]. The 5socks.net website reportedly offered over 7,000 proxies for a subscription fee ranging from $9.95 to $110 per month [9], with the DOJ estimating that the defendants profited over $46 million from these activities [9].

The malware used in these attacks [2], known as TheMoon [3], has been known to infect routers since 2014 [2]. It spreads through internet-connected devices with remote access enabled [4] [10], allowing attackers to gain shell access even without password protection [10]. The malware utilizes a two-way handshake with a command and control (C2) server for regular check-ins and opens ports on the router to function as a proxy server [10]. Compromised routers can be leveraged for reconnaissance [2], network scans [2] [4], or as part of a private Tor network [2], effectively concealing the activities of threat actors from security tools and investigations [2]. Notably, only about 10% of the infected devices are detected as malicious by popular security tools [1], underscoring the stealthy nature of these attacks.
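The check-in cadence described above, a regular contact with a C2 server every 60 seconds to five minutes, is the kind of periodic outbound pattern a defender can look for in connection logs recorded on the WAN side of a home or branch router. The Python script below is an added example, not code from this page or from any of the cited reports: it parses constructed connection records, groups them by source, destination and port, and flags flows whose check-in intervals fall inside the 60 s to 5 min window and are nearly constant (low jitter). The log format, the IP addresses, and the tuning thresholds `min_hits` and `max_cv` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of outbound connection records seen from a router's WAN
# address (firewall / NetFlow style: epoch seconds, source IP, destination:port).
# These lines are made up for this example; 192.0.2.x, 203.0.113.x and
# 198.51.100.x are documentation address ranges, not real infrastructure.
SAMPLE_LOG = """\
1715250000 192.0.2.10 203.0.113.5:443
1715250060 192.0.2.10 203.0.113.5:443
1715250120 192.0.2.10 203.0.113.5:443
1715250180 192.0.2.10 203.0.113.5:443
1715250240 192.0.2.10 203.0.113.5:443
1715250300 192.0.2.10 203.0.113.5:443
1715250007 192.0.2.10 198.51.100.20:443
1715250091 192.0.2.10 198.51.100.20:443
1715250412 192.0.2.10 198.51.100.20:443
1715250413 192.0.2.10 198.51.100.20:443
1715251450 192.0.2.10 198.51.100.20:443
1715250033 192.0.2.10 198.51.100.77:53
1715250077 192.0.2.10 198.51.100.77:53
"""

# Assumed record layout: "<epoch> <src_ip> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+):(\d+)$")


def parse_log(text):
    """Parse 'epoch src dst:port' lines into (ts, src, dst, port) tuples,
    silently skipping lines that do not match the assumed layout."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            records.append((int(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_interval=60, max_interval=300,
                 min_hits=5, max_cv=0.2):
    """Return {(src, dst, port): mean_gap_seconds} for flows whose contacts
    recur at a steady interval between min_interval and max_interval seconds.

    The 60 s to 300 s window follows the reported check-in cadence; min_hits
    (minimum number of contacts) and max_cv (maximum coefficient of variation
    of the gaps, i.e. allowed jitter) are tuning assumptions for this example.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port in records:
        by_flow[(src, dst, port)].append(ts)

    flagged = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge periodicity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if not (min_interval <= avg <= max_interval):
            continue  # average period outside the check-in window
        # A real beacon has low jitter relative to its period; bursty or
        # irregular traffic (browsing, updates) has a high spread.
        if pstdev(gaps) / avg <= max_cv:
            flagged[flow] = avg
    return flagged


def report(text):
    """Human-readable summary lines for flagged flows, one per flow."""
    return [
        f"possible periodic check-in: {src} -> {dst}:{port} every ~{avg:.0f}s"
        for (src, dst, port), avg in find_beacons(parse_log(text)).items()
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

In the sample data only the 203.0.113.5:443 flow is flagged: six contacts exactly 60 s apart. The 198.51.100.20 flow has five contacts but irregular gaps and an average period well over five minutes, and the port-53 flow has too few records to assess. On real data, run this per router WAN address over a window of several hours and treat a hit as a lead for inspecting the device's configuration and open ports, not as proof of compromise by itself.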

To mitigate these risks [2], the FBI advises users to identify vulnerable router models, including E1200 [4] [10], E2500 [4] [10], E1000 [4] [10], E4200 [4] [10], E1500 [4] [10], E300 [4] [10], E3200 [4] [10], WRT320N [4] [10], E1550 [4] [10], WRT610N [4] [10], E100 [4] [10], M10 [4] [10], and WRT310N [4] [10], and replace them with newer models that are still supported by their vendors [4] [10]. Alternatively [4] [10], users can reboot their devices and disable remote administration features to reduce exposure to significant cyber threats [2]. Law enforcement’s recent actions underscore the ongoing efforts to combat these cyber threats and protect users from exploitation.

Conclusion

The targeting of outdated routers by cybercriminals highlights the critical need for regular security updates and the replacement of obsolete devices. The FBI’s recommendations [3] [4] [10], including replacing vulnerable models and disabling remote administration [9], are essential steps in mitigating these threats. The international scope of these cybercrimes, as evidenced by the joint US-Dutch operation, underscores the global nature of cybersecurity challenges. Continued vigilance and proactive measures are necessary to safeguard networks and critical infrastructure from evolving cyber threats.

References

[1] https://itsecuritynewsbox.com/index.php/2025/05/10/operation-moonlander-dismantled-the-botnet-behind-anyproxy-and-5socks-cybercriminals-services/
[2] https://www.csoonline.com/article/3982368/fbi-warns-that-end-of-life-devices-are-being-actively-targeted-by-threat-actors.html
[3] https://uk.pcmag.com/wireless-routers/157928/still-use-one-of-these-old-routers-its-vulnerable-to-hackers-fbi-says
[4] https://securityaffairs.com/177648/cyber-crime/malware-targets-end-of-life-routers.html
[5] https://montgomerycountypolicereporter.com/fbi-cyber-criminal-proxy-services-exploiting-end-of-life-routers/
[6] https://www.usatoday.com/story/tech/2025/05/09/linksys-internet-routers-cyberattack-fbi/83537973007/
[7] https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-end-of-life-routers-cyberattacks
[8] https://www.infosecurity-magazine.com/news/fbi-cybercrime-obsolete-routers/
[9] https://thecyberexpress.com/end-of-life-routers-botnet-taken-down/
[10] https://itsecuritynewsbox.com/index.php/2025/05/09/cybercriminal-services-target-end-of-life-routers-fbi-warns/