Operation Moonlander: EoL & IoT Threat

In a major international operation named Operation Moonlander, Dutch and U.S. law enforcement authorities have dismantled a massive proxy botnet powered by thousands of compromised Internet of Things (IoT) and end-of-life (EoL) devices. These hijacked devices were exploited to provide anonymity to cybercriminals through paid proxy services, enabling a wide range of illicit online activity.

The network was traced to two major services, anyproxy.net and 5socks.net, which allowed malicious actors to lease access to residential and business routers, many of which had been infected without their owners' knowledge. With subscription costs ranging from $9.95 to $110 per month, this criminal operation had reportedly generated over $46 million.

The U.S. Department of Justice has charged four individuals, three Russian nationals and one Kazakhstani citizen, for orchestrating and profiting from the botnet infrastructure. These services have been operational since at least 2004, showing the longevity and profitability of cybercrime operations that operate quietly in the background.

How It Worked: TheMoon Malware and Exploited Devices

At the heart of the operation was TheMoon malware, a known threat since 2014. The malware targeted outdated routers using unpatched vulnerabilities, allowing the attackers to install proxy software. Once infected, these devices became part of a global botnet infrastructure, regularly communicating with command-and-control (C2) servers, notably several located in Turkey.

A key observation by Lumen Technologies’ Black Lotus Labs revealed that over 1,000 unique bots were active weekly, with the U.S. accounting for over half of these victims. Other affected regions included Canada and Ecuador. The infected devices were used for anonymity in criminal activities such as ad fraud, distributed denial-of-service (DDoS) attacks, brute-force attacks, and data exploitation.

One of the most alarming aspects of this botnet was that it exploited known vulnerabilities, particularly in EoL devices that no longer receive manufacturer updates. Many of these devices were also found to lack authentication, making it easier for malicious actors to install and manage proxy services.

The Bigger Problem: Outdated Devices and IoT Growth

The incident serves as a stark reminder of the growing threat landscape as the number of connected devices continues to soar. Outdated, unsupported devices remain easy targets for cybercriminals. The situation is exacerbated by the lack of awareness among users, who often leave default settings unchanged or fail to update firmware, inadvertently aiding in the spread of such malware.

Infected devices often go unnoticed, as they continue to function normally while quietly participating in criminal proxy services. This makes it harder for traditional network monitoring tools to detect anomalies, particularly when malicious activity is masked behind residential IP addresses.

What Can Be Done?

To mitigate these threats, cybersecurity experts and agencies recommend:

  • Regular firmware updates and replacing EoL devices.
  • Rebooting routers frequently to disrupt persistent malware.
  • Changing default credentials to strong, unique passwords.
  • Implementing network-level security monitoring for unusual traffic patterns.
  • Educating users and businesses on the risks of unpatched hardware.
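As an added example (not from the article, nor from Lumen's Black Lotus Labs), the following Python heuristic illustrates the network-monitoring recommendation above: it flags a LAN device that behaves like a proxy relay, accepting unsolicited inbound connections from many Internet hosts while opening outbound connections to many unrelated destinations, the traffic shape a device leased out as a residential proxy would show. The LAN range, port numbers, thresholds and flow records are all constructed assumptions.

```python
"""Flag LAN devices that behave like proxy relays: many distinct external
peers connecting in AND many distinct external peers connected out to."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumption: the monitored home/office LAN

# Constructed flow records (src_ip, dst_ip, dst_port); not from the article.
FLOWS = [
    ("192.168.1.20", "93.184.216.34", 443),   # laptop browsing normally
    ("192.168.1.20", "151.101.1.69", 443),
    ("192.168.1.20", "142.250.72.14", 443),
    # Router 192.168.1.1: unsolicited inbound from several Internet hosts ...
    ("203.0.113.5", "192.168.1.1", 1080),
    ("203.0.113.17", "192.168.1.1", 1080),
    ("198.51.100.23", "192.168.1.1", 1080),
    # ... followed by outbound connections to unrelated destinations.
    ("192.168.1.1", "198.51.100.7", 443),
    ("192.168.1.1", "198.51.100.31", 80),
    ("192.168.1.1", "203.0.113.99", 443),
    ("192.168.1.1", "192.0.2.44", 25),
]

def is_lan(ip):
    return ip_address(ip) in LAN

def summarize(flows):
    """Per LAN host: (distinct external peers that connected in,
    distinct external peers it connected out to)."""
    inbound = defaultdict(set)
    outbound = defaultdict(set)
    for src, dst, _port in flows:
        if is_lan(src) and not is_lan(dst):
            outbound[src].add(dst)
        elif is_lan(dst) and not is_lan(src):
            inbound[dst].add(src)
    hosts = set(inbound) | set(outbound)
    return {h: (len(inbound[h]), len(outbound[h])) for h in hosts}

def suspected_relays(flows, min_in=3, min_out=3):
    """Hosts exceeding both thresholds; a normal client has ~0 inbound peers."""
    return sorted(h for h, (i, o) in summarize(flows).items()
                  if i >= min_in and o >= min_out)

if __name__ == "__main__":
    for host, (i, o) in sorted(summarize(FLOWS).items()):
        print(f"{host}: {i} inbound peers, {o} outbound peers")
    print("suspected proxy relays:", suspected_relays(FLOWS))
```

In practice the thresholds should be tuned against a baseline of the device's normal traffic, since a router that legitimately hosts a service will also show inbound peers.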

The FBI also stresses the importance of maintaining awareness of known vulnerabilities and ensuring routers and IoT devices are not exposed directly to the internet without adequate protection.

Conclusion

Operation Moonlander highlights how cybercriminals continue to capitalize on neglected digital hygiene and outdated infrastructure. As IoT devices become more ubiquitous, they also become increasingly attractive targets for exploitation. The dismantling of the 5socks.net and anyproxy.net platforms is a victory, but it’s far from the end of this evolving threat. Organizations and individuals alike must prioritize proactive security practices to safeguard their networks and data.

About COE Security

At COE Security, we work with organizations in financial services, healthcare, retail, manufacturing, and government sectors to prevent exactly these types of threats from impacting critical infrastructure.

Through AI-powered threat detection, penetration testing, and secure software consulting, we help businesses identify vulnerabilities before attackers can exploit them. Our team ensures compliance with global regulations like GDPR, HIPAA, and PCI DSS, and supports clients with secure model validation to guard against malware like TheMoon.

With the rise in IoT adoption and continued usage of EoL devices in sectors like healthcare, retail, and manufacturing, COE Security provides tailored assessments and ongoing monitoring to mitigate botnet infiltration and prevent data compromise.

COE Security partners with organizations in financial services, healthcare, retail, manufacturing, and government to secure AI-powered systems and ensure compliance. Our offerings include:

  • AI-enhanced threat detection and real-time monitoring
  • Data governance aligned with GDPR, HIPAA, and PCI DSS
  • Secure model validation to guard against adversarial attacks
  • Customized training to embed AI security best practices
  • Penetration Testing (Mobile, Web, AI, Product, IoT, Network & Cloud)
  • Secure Software Development Consulting (SSDLC)
  • Customized CyberSecurity Services
