In a coordinated international law enforcement operation known as “Operation Moonlander,” U.S. and Dutch authorities have dismantled a substantial botnet comprising compromised internet-connected devices, predominantly routers. The action also included shutting down two proxy service websites, Anyproxy and 5Socks, both alleged to have provided cybercriminals with access to the illicit botnet.
Following seizure notices displayed on Wednesday, federal prosecutors in the United States announced criminal charges on Friday against four individuals accused of operating the illegal network. The indicted suspects include three Russian nationals (Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin) and Dmitriy Rubtsov from Kazakhstan. All four reside outside the U.S. and remain at large.
According to court documents, the perpetrators specifically targeted older router models with publicly known vulnerabilities, successfully compromising thousands of devices globally. Once infiltrated, these devices formed a sophisticated proxy network marketed as legitimate residential proxies through Anyproxy and 5Socks since approximately 2004.
Residential proxy networks are not inherently illicit; they are often used legitimately to circumvent censorship or access region-restricted services. However, authorities indicate this botnet was deliberately composed of devices taken over without the knowledge or consent of their legitimate owners.
The indictment explains how cybercriminal customers used the proxy services to obscure their actual location, making their traffic appear to originate from innocent victims’ residential routers rather than from its true, malicious source. The services were actively promoted on social media and online forums frequented by cybercriminals, effectively serving as anonymity tools that facilitated numerous illegal activities, from monitoring compromises and ad fraud to credential attacks and distributed denial-of-service (DDoS) attacks.
Authorities estimate that the four indicted individuals earned in excess of $46 million through sales of proxy access on the two sites. Cybersecurity researchers, including analysts at Black Lotus Labs within security firm Lumen and web proxy detection company Spur, provided key support in tracing and analyzing the botnet infrastructure leading up to its seizure.
Ryan English from Black Lotus Labs stated that investigators had strong evidence confirming Anyproxy and 5Socks represented the same underlying criminal enterprise, operated by the same individuals and exploiting similar types of vulnerable routers. His team’s analysis identified the operation’s global scale, reporting an average of approximately 1,000 active infected devices per week distributed across more than 80 countries.
Cybersecurity firm Spur separately noted that the proxy network, though modest compared to other criminal proxy services, had increasingly become a preferred tool for financial fraud.
The FBI, the U.S. Department of Justice, and the Dutch National Police have declined to comment at this time on the ongoing aspects of the case.