US and Netherlands Dismantle Russian-Led Cybercriminal Proxy Networks

Netherlands, Saturday, 10 May 2025.
In a significant cybersecurity operation, U.S. and Dutch authorities have shut down 5socks and Anyproxy, two proxy services linked to Russian cybercriminals, ending a scheme that brought in more than $46 million.

Operation Details and Perpetrators

On May 9, 2025, U.S. prosecutors unveiled charges against four individuals in a landmark cybersecurity operation codenamed 'Moonlander' [1]. Three Russian nationals, Alexey Chertkov, Kirill Morozov and Aleksandr Shishkin, along with Kazakhstani national Dmitriy Rubtsov, were charged with conspiracy and damage to protected computers [2]. The operation resulted in the seizure of the domains Anyproxy.net and 5socks.net, which had been operating since 2004 and advertised access to over 7,000 proxies, with payment accepted in cryptocurrency [1][3]. The proxies on sale were the compromised routers themselves: a customer's traffic exited through a victim's home or business connection, so it appeared to originate from an ordinary residential or small-business IP address rather than from the customer.

Technical Infrastructure and Impact

The criminal enterprise operated by exploiting end-of-life routers, devices that no longer receive firmware updates and therefore remain exploitable through vulnerabilities that are publicly known. Lumen Technologies' Black Lotus Labs tracked approximately 1,000 distinct bots per week connecting to command-and-control infrastructure in Turkey [4]. The compromised network primarily affected users in the United States, with additional concentrations in Canada and Ecuador [2]. The FBI has identified thirteen specific vulnerable router models, including various Linksys E-series and WRT-series models, that were targeted by these operations [5].

International Collaboration

The successful dismantling of these networks demonstrates the value of international cooperation in cybersecurity enforcement. U.S. officials worked closely with law enforcement agencies in Thailand and the Netherlands and received crucial technical support from Lumen Technologies' Black Lotus Labs [2]. The investigation originated from the FBI's Oklahoma City office after infected routers were discovered in local businesses and homes [2].

Preventive Measures and Recommendations

The FBI issued an alert on May 7, 2025, strongly recommending that users replace vulnerable devices with newer models or, as an immediate measure, disable remote administration and reboot their devices [5]. A reboot clears malware that lives only in memory, but it does not fix the underlying vulnerability: a device that remains end-of-life and reachable from the internet can simply be re-infected, which is why replacement, or at least cutting off management access from the WAN side, is the durable fix. This case highlights the critical importance of maintaining up-to-date network infrastructure, as end-of-life routers have become a significant vector for cybercriminal activity, including activity targeting critical infrastructure [2][5].

Sources

