Operation Moonlander: The Dismantling of a Decades-Long Botnet Empire
In a significant victory against cybercrime, law enforcement agencies from the United States, the Netherlands, and Thailand have successfully dismantled a massive botnet operation that had been active for nearly two decades. Codenamed "Operation Moonlander," this international effort led to the shutdown of two notorious proxy services—Anyproxy and 5socks—and the indictment of four individuals accused of operating the criminal network that generated over $46 million in illicit profits.

The Accused Perpetrators
The U.S. Department of Justice announced charges against four foreign nationals:
- Alexey Viktorovich Chertkov, 37 (Russian national)
- Kirill Vladimirovich Morozov, 41 (Russian national)
- Aleksandr Aleksandrovich Shishkin, 36 (Russian national)
- Dmitriy Rubtsov, 38 (Kazakhstani national)
All four individuals have been charged with Conspiracy and Damage to Protected Computers for their roles in maintaining, operating, and profiting from the botnet services. Additionally, Chertkov and Rubtsov face charges of False Registration of a Domain Name for allegedly providing false identification information when registering the domains used in the operation.
How the Botnet Operated
The criminal operation centered around a sophisticated scheme involving the infection of thousands of older-model wireless internet routers worldwide. The perpetrators exploited known vulnerabilities in these devices to install malware without the owners' knowledge or consent.
The malware, identified as a variant of "TheMoon," allowed the criminals to reconfigure compromised routers, granting unauthorized access to third parties. Once infected, these devices were integrated into a botnet network and offered for sale as proxy servers through the Anyproxy.net and 5socks.net websites.
TheMoon malware, first discovered in 2014, works by scanning for open ports on vulnerable routers and sending commands to exploit security weaknesses. According to the FBI, "TheMoon does not require a password to infect routers; it scans for open ports and sends a command to a vulnerable script." Once installed, the malware contacts command-and-control (C2) servers for instructions, which can include commands to scan for and infect other vulnerable devices, thus expanding the botnet network.
The Business Model
The criminals marketed their services as legitimate proxy providers, offering customers access to thousands of compromised devices for monthly subscription fees ranging from $9.95 to $110. The 5socks.net website advertised "more than 7,000 online proxies daily" spanning various countries and states across the U.S.
When users purchased access to these proxy services, they received IP addresses and port combinations that routed their internet traffic through infected devices. This arrangement allowed cybercriminals to mask their true location and identity while conducting various illicit activities online, including financial fraud, credential theft, distributed denial-of-service (DDoS) attacks, and other cybercrimes.
According to court documents, the operation dates back to at least 2004, as indicated by the 5socks.net slogan "Working since 2004!" This extraordinary longevity in the cybercriminal ecosystem allowed the perpetrators to amass over $46 million from selling access to the infected routers.
The Investigation and Takedown
The investigation was spearheaded by the FBI's Oklahoma City Cyber Task Force after they discovered that business and residential routers in Oklahoma had been infected with malware without the users' knowledge. As the investigation progressed, it expanded to include multiple jurisdictions and international partners.
The international operation involved coordination between:
- The U.S. Department of Justice
- The FBI
- The U.S. Attorney's Office for the Northern District of Oklahoma
- The Eastern District of Virginia
- The Dutch National Police – Amsterdam Region
- The Netherlands Public Prosecution Service (Openbaar Ministerie)
- The Royal Thai Police
Security researchers from private sector companies also played crucial roles in the investigation, including Lumen Technologies' Black Lotus Labs and the proxy detection firm Spur.
The Impact and Scope
The Anyproxy/5socks botnet primarily targeted end-of-life (EoL) routers that no longer received security updates from manufacturers. The list of affected devices included older models from manufacturers like Linksys and Cisco.
Ryan English, a researcher at Black Lotus Labs, confirmed that both Anyproxy and 5socks represented "the same pool of proxies run by the same operators, just under a different name," with "the bulk of the botnet were routers, all kinds of end-of-life make and models." According to Lumen's global network visibility data, the botnet maintained "an average of about 1,000 weekly active proxies in over 80 countries."
The dismantling of this botnet represents a significant blow to the cybercriminal ecosystem that relied on these proxy services for anonymity while conducting illegal activities.
Protecting Your Devices
The FBI has issued recommendations for individuals and organizations to protect their devices from similar threats:
- Replace end-of-life routers with newer models that receive regular security updates
- Apply security patches and firmware updates promptly
- Disable remote administration access on routers when not needed
- Use strong, unique passwords for router administration
- Regularly reboot routers to help clear potential malware
- Monitor for signs of compromise such as network connectivity disruptions, overheating, performance degradation, or unexpected configuration changes
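As an added illustration (not code from the article, the FBI, or any vendor), the following Python script checks a router configuration snapshot against the recommendations above and flags unexpected changes from a trusted baseline. The snapshot format, the end-of-life table, the audit date and the sample values are all constructed assumptions.

```python
# Added example: audit a SOHO router config snapshot against the FBI recommendations.
# Config format, EoL table, audit date and sample data are constructed for illustration.
from datetime import date

# Constructed EoL table; real dates come from the vendor's end-of-life notices.
EOL_MODELS = {"Linksys E1000": date(2016, 1, 1), "Cisco RV042": date(2020, 1, 1)}
WEAK_PASSWORDS = {"admin", "password", "1234", ""}
# Settings whose silent change would indicate tampering (e.g. reconfiguration for proxying).
WATCHED_KEYS = ("dns_servers", "port_forwards", "admin_password", "remote_admin_enabled")

def audit_router(config, baseline, today=date(2025, 5, 15)):
    """Return a list of findings for one router config (dict) vs a trusted baseline (dict)."""
    findings = []
    model = config.get("model", "")
    eol = EOL_MODELS.get(model)
    if eol and eol <= today:
        findings.append(f"end-of-life model {model} (EoL {eol}); replace it")
    if config.get("remote_admin_enabled"):
        findings.append("remote administration is enabled; disable it unless required")
    pw = config.get("admin_password", "")
    if pw in WEAK_PASSWORDS or len(pw) < 12:
        findings.append("weak or default admin password")
    if config.get("firmware") != config.get("latest_firmware"):
        findings.append(f"firmware {config.get('firmware')} behind {config.get('latest_firmware')}")
    # Unexpected configuration changes: compare security-relevant keys with the baseline.
    for key in WATCHED_KEYS:
        if config.get(key) != baseline.get(key):
            findings.append(f"{key} changed: {baseline.get(key)!r} -> {config.get(key)!r}")
    if config.get("uptime_days", 0) > 30:
        findings.append("uptime over 30 days; reboot to clear memory-resident malware")
    return findings

# Constructed baseline captured when the router was known-good.
BASELINE = {"dns_servers": ["192.0.2.53"], "port_forwards": [],
            "admin_password": "correct-horse-battery-staple", "remote_admin_enabled": False}
# Constructed snapshot of an EoL router whose DNS, port forwards and remote admin changed.
SAMPLE = {"model": "Linksys E1000", "firmware": "2.1.03", "latest_firmware": "2.1.03",
          "admin_password": "correct-horse-battery-staple", "remote_admin_enabled": True,
          "dns_servers": ["198.51.100.9"], "port_forwards": [{"ext": 8080, "int": "10.0.0.2:8080"}],
          "uptime_days": 412}

if __name__ == "__main__":
    for finding in audit_router(SAMPLE, BASELINE):
        print("FINDING:", finding)
```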
The Broader Context
Operation Moonlander adds to a growing list of successful botnet takedowns by international law enforcement. In recent years, authorities have dismantled other major botnets including RSOCKS (June 2022), Cyclops Blink (April 2022), and the 911 S5 botnet (February 2025).
These operations demonstrate the increasing effectiveness of international cooperation in combating cybercrime networks that operate across national boundaries. However, they also highlight the persistent threat posed by vulnerable internet-connected devices and the importance of proper security practices by both manufacturers and users.
The case serves as a stark reminder that cybercriminals often target the weakest links in our digital infrastructure—particularly outdated devices that no longer receive security updates. As the number of Internet of Things (IoT) devices continues to grow exponentially, this investigation underscores the critical importance of maintaining device security throughout the entire product lifecycle.
This article was compiled based on information from the U.S. Department of Justice, FBI public advisories, and cybersecurity research reports concerning Operation Moonlander and the dismantling of the Anyproxy and 5socks botnet services.