Introduction
A sophisticated criminal proxy network has been exploiting outdated Internet of Things (IoT) and end-of-life (EoL) devices for over a year. This network [1] [2] [7] [10], primarily based in Turkey [10], has been leveraging vulnerable models from manufacturers like Linksys and Cisco to facilitate a wide range of malicious activities. Despite efforts to disrupt its operations, the network continues to pose a significant threat to internet security.
Description
A sophisticated criminal proxy network has been tracked for over a year, exploiting thousands of outdated Internet of Things (IoT) and end-of-life (EoL) devices [5] [10], including vulnerable models from manufacturers like Linksys and Cisco. This network [1] [2] [7] [10], primarily based in Turkey [10], has maintained an average of 1,000 unique bots communicating weekly with its command-and-control (C2) infrastructure [2] [3], with a significant portion of the infected devices located in the United States, followed by Canada and Ecuador [2] [3]. The botnet operators charge users monthly fees, amassing over $46 million since 2004 by selling access to compromised routers [7]. They require cryptocurrency for payment and allow users to connect to proxies without authentication [2], facilitating a wide range of malicious activities [2], including ad fraud [2], brute-force attacks [4] [6], data theft [4], ransomware campaigns [1], and DDoS operations [4].
Infected devices become part of a shadow network of proxies, complicating detection efforts due to the network’s design, which specifically targets unpatched and unsupported IoT and small office/home office (SOHO) devices. Only about 10% of these proxies are flagged as malicious by tools like VirusTotal [2] [10]. The network claims to maintain over 7,000 proxies daily [2], although telemetry suggests the actual number of active proxies is lower [2]. The exploitation of unpatched or EoL devices, which are often beyond vendor support and cannot be secured [2], contributes to the persistence of this threat.
Newly infected devices connect to a Turkish-based C2 infrastructure consisting of five servers [2], with four communicating on HTTP port 80 and one using UDP on port 1443 for data collection. Proxy details provided to buyers change daily [4], and the operators conduct deny-list checks to evade common monitoring tools [5], further complicating detection efforts [2] [5]. The ongoing adoption of IoT technology and the presence of numerous EoL devices provide a vast pool of targets for cybercriminals.
Recent disruptions by US and Dutch law enforcement, part of “Operation Moonlander,” have led to the seizure and shutdown of two services [9], Anyproxy and 5Socks [3] [8] [9], which sold cybercriminals [2] [4] [6] [9] access to a botnet of hacked internet-connected devices [9], including routers [3] [8] [9] [10]. Four foreign nationals [8], Russian nationals Alexey Viktorovich Chertkov [3] [8], Kirill Vladimirovich Morozov [3] [8] [9] and Aleksandr Aleksandrovich Shishkin [3] [8] [9], and Kazakhstani national Dmitriy Rubtsov [3] [8], have been indicted for conspiracy and damage to protected computers in connection with operating these services. The botnets reportedly generated significant revenue from subscription fees ranging from $9.95 to $110 per month. According to the indictment, the conspirators targeted older models of wireless internet routers with known vulnerabilities [9], compromising thousands of devices [9]. The botnet was marketed as a residential proxy service, making subscribers’ internet traffic appear to originate from the compromised devices [9], a capability cybercriminals commonly use to stay anonymous during illegal activities [9]. Chertkov and Rubtsov face additional charges for falsely registering domain names used in these crimes [8].
Separately, the FBI’s Internet Crime Complaint Center (IC3) has warned about cybercriminal proxy services built on EoL routers compromised with TheMoon malware [6], which scans for vulnerable routers to spread the infection and allows proxy software to be installed on them [6].
Proxy services pose a significant threat to internet security by enabling malicious actors to operate behind legitimate residential IP addresses [2] [3], making detection difficult [2]. Threat actors [1] [4], including state-sponsored groups from China [1], exploit known vulnerabilities in routers with pre-installed remote management software [1], gaining administrative access by bypassing authentication methods and maintaining persistent control over the compromised devices [1]. Research on similar botnets indicates that criminal groups often exploit open access policies marketed on underground forums [2]. Efforts to disrupt such networks continue [2], with collaboration among law enforcement agencies and organizations like Lumen’s Black Lotus Labs, which has successfully null-routed traffic to and from known C2 servers during “Operation Moonlander,” effectively disrupting the botnet’s operations. Recommendations for prevention include monitoring for abnormal login attempts from residential IPs [10], blocking known open proxy addresses [10], and replacing EoL devices while ensuring routers are updated and secured [10]. For consumers [5], best practices involve rebooting routers [5], applying security updates [5], and securing management interfaces [5].
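The detection advice above (watch for abnormal login attempts and block known open-proxy addresses) can be turned into a simple log check. The following is an added example, not code from any of the cited sources; the auth-log lines and the deny list are constructed placeholder values, and the rotation threshold is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed sample sshd-style auth-log lines (not from any real system).
SAMPLE_LOG = """\
May 12 08:01:10 vpn sshd[410]: Accepted password for alice from 198.51.100.7 port 51234 ssh2
May 12 08:02:15 vpn sshd[411]: Failed password for alice from 203.0.113.9 port 40110 ssh2
May 12 08:02:16 vpn sshd[412]: Failed password for alice from 203.0.113.22 port 40111 ssh2
May 12 08:02:17 vpn sshd[413]: Failed password for alice from 203.0.113.45 port 40112 ssh2
May 12 08:02:18 vpn sshd[414]: Failed password for alice from 203.0.113.61 port 40113 ssh2
May 12 08:03:00 vpn sshd[415]: Accepted password for bob from 192.0.2.18 port 33001 ssh2
"""

# Constructed deny list of known open-proxy addresses (placeholders, not real indicators).
OPEN_PROXY_DENYLIST = {"203.0.113.9", "192.0.2.18"}

LINE_RE = re.compile(r"(Accepted|Failed) password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_auth_log(text):
    """Yield (outcome, user, src_ip) tuples from sshd-style auth lines."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_suspicious_logins(text, denylist, distinct_ip_threshold=3):
    """Return alerts for denylisted sources and for accounts hit from many distinct IPs.

    distinct_ip_threshold is an assumed tuning value; adjust it to the environment.
    """
    alerts = []
    ips_per_user = defaultdict(set)
    for outcome, user, ip in parse_auth_log(text):
        ips_per_user[user].add(ip)
        if ip in denylist:
            alerts.append(("denylisted_proxy", user, ip, outcome))
    for user, ips in ips_per_user.items():
        # Many distinct source addresses for one account (here, across the whole sample)
        # is the pattern that rotating residential proxies leave during brute forcing.
        if len(ips) >= distinct_ip_threshold:
            alerts.append(("ip_rotation", user, len(ips), None))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG, OPEN_PROXY_DENYLIST):
        print(alert)
```

A successful login from a denylisted address (bob above) deserves the same attention as the failed attempts, since a residential proxy is exactly what lets a stolen credential pass geolocation-based checks.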
Conclusion
The ongoing threat posed by criminal proxy networks exploiting IoT and EoL devices underscores the need for vigilant cybersecurity practices. Law enforcement efforts [10], such as “Operation Moonlander,” demonstrate the potential for disrupting these networks, but continuous collaboration and proactive measures are essential. Organizations and consumers must prioritize updating and securing devices to mitigate risks, while ongoing research and monitoring are crucial to staying ahead of evolving cyber threats.
References
[1] https://www.csoonline.com/article/3982368/fbi-warns-that-end-of-life-devices-are-being-actively-targeted-by-threat-actors.html
[2] https://blog.lumen.com/black-lotus-labs-helps-demolish-major-criminal-proxy-network/
[3] https://www.itpro.com/security/fbi-takes-down-botnet-exploiting-aging-routers
[4] https://securityonline.info/shadowy-iot-army-decades-old-proxy-botnet-exposed-and-crippled/
[5] https://cybersecuritynews.com/20-years-old-proxy-botnet-network-dismantled/
[6] https://www.helpnetsecurity.com/2025/05/12/law-enforcement-takes-down-proxy-botnets-5socks-anyproxy-used-by-criminals/
[7] https://www.hendryadrian.com/breaking-7000-device-proxy-botnet-using-iot-eol-systems-dismantled-in-u-s-dutch-operation/
[8] https://www.justice.gov/usao-ndok/pr/botnet-dismantled-international-operation-russian-and-kazakhstani-administrators
[9] https://techcrunch.com/2025/05/09/fbi-and-dutch-police-seize-and-shut-down-botnet-of-hacked-routers/
[10] https://www.infosecurity-magazine.com/news/proxy-network-infects-iot-devices/