FBI and Dutch police dismantle botnet of over 7,000 old routers linked to Russians

American and Dutch intelligence agencies have uncovered a large botnet based on obsolete routers. The services Anyproxy.net and 5socks.net were selling access to infected devices in over 130 countries.

The U.S. Department of Justice’s Office of Cybersecurity announced the blocking of two platforms, Anyproxy.net and 5socks.net, through which attackers rented out infected routers as proxies. Among the defendants in the case are three Russians, Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov and Alexander Alexandrovich Shishkin, and a citizen of Kazakhstan, Dmitry Rubtsov. Chertkov and Rubtsov are additionally accused of false domain registration.

The investigation found that the sites controlled by the accused used malicious software to infect outdated router models. Among them were Linksys E1200, E2500, WRT320N, E4200, WRT610N and others. Each of these devices was transformed into an anonymous proxy server. The services cost from $9.95 to $110 per month.

At its peak, 5socks.net advertised over 7,000 proxies worldwide. The FBI estimates that the scheme generated over $46 million in revenue. The platforms had been operating since at least 2004, as evidenced by 5socks’ advertising slogan, "Working since 2004!"

The operation involved the Eastern District of Virginia Attorney General’s Office, the Dutch National Police and Prosecutor’s Office, the Royal Thai Police, and analysts from Lumen (Black Lotus Labs). The FBI released a full list of 13 vulnerable models, urging users to check their networks and replace their equipment.

What are end-of-life routers and why are they used in botnets?

End-of-life (EOL) routers are network devices that the manufacturer has officially removed from support: they no longer receive firmware updates, security patches, or technical support. Examples of such models include the Linksys E1000, E2500, WRT320N, and others.

These devices often remain in use at home or in small offices for years, despite having known vulnerabilities. Due to the lack of updates and weak security, they are easy to hack, including through exploits or brute-forcing standard passwords.

In botnets, such routers are used as anonymous proxy servers or nodes for malicious infrastructure, for example to hide traffic, carry out DDoS attacks, send spam, or access banned sites.

Attackers infect routers with special malware that allows them to control the device remotely. Access to this infected device is then often sold on shady platforms — this is how Anyproxy.net and 5socks.net worked.

❗ The FBI recommends: If you are using an older router model, check if it is still supported by the manufacturer. If not, replace it or disable the remote administration feature to avoid becoming part of a botnet.

By the way, our news feed recently reported that 20% of Russian cyberattacks are directed at Ukraine. This was announced by Serhiy Prokopenko, head of the Department for the Support of the National Cybersecurity Center, at the International Cybersecurity Forum.
