Operation Moonlander: Inside the FBI's Takedown of a 20-Year, $46 Million Proxy Empire Built on Your Hacked Router

For two decades, a network of compromised routers spanning 80+ countries silently funneled internet traffic for cybercriminals, fraudsters, and hackers. The devices belonged to unsuspecting homeowners and small businesses—people who had no idea their aging Linksys router had become a node in one of the longest-running criminal proxy operations ever documented.

In May 2025, the FBI and international partners finally pulled the plug on 5Socks.net and Anyproxy.net, twin services that had been operating since 2004. Four foreign nationals—three Russians and one Kazakhstani—were indicted for running the operation. None have been arrested. The estimated haul: $46 million in subscription fees from cybercriminals who paid for anonymous access to over 7,000 residential IP addresses.

This is the story of Operation Moonlander: how the operation worked, why it evaded detection for so long, and why your old router might still be part of a botnet right now.


The 20-Year Empire: "Working Since 2004"

In an almost comically brazen display, 5Socks.net marketed itself with a slogan: "Working since 2004." The operators weren't lying. For over two decades, the service quietly sold access to a rotating inventory of compromised residential routers, offering cybercriminals something invaluable: anonymity that actually worked.

The business model was elegant in its simplicity. Customers paid between $9.95 and $110 per month for access to proxy servers—IP addresses that would route their traffic through legitimate-looking residential connections. Payment was cryptocurrency only, and no authentication was required beyond the subscription fee. This meant anyone—credential stuffers, DDoS operators, ad fraudsters, or worse—could purchase access with minimal friction.

The critical innovation wasn't technical sophistication; it was target selection. Rather than attempting to compromise well-maintained corporate networks or cloud infrastructure, the operators behind 5Socks and Anyproxy focused exclusively on end-of-life (EOL) routers—devices that manufacturers had stopped supporting with security updates.

These devices represented the perfect target profile: perpetually vulnerable, rarely monitored, and scattered across millions of homes and small offices worldwide.


TheMoon Rises: The Malware Behind the Botnet

The technical engine powering this criminal enterprise was a malware family known as TheMoon, named for the lunar references in early samples, which pointed to the 1970s British television series Space: 1999. First documented by researchers in 2014, TheMoon had evolved into a purpose-built tool for recruiting routers into proxy botnets.

The infection chain required no zero-day vulnerabilities. Instead, TheMoon variants exploited publicly known CVEs in routers that would never receive patches. The operators scanned the internet for devices with remote administration enabled, then deployed exploits that had been public knowledge for years—sometimes a decade or more.

Once installed, TheMoon performed a two-way handshake with command-and-control infrastructure located in Turkey. Five C2 servers managed the entire botnet:

  • Four servers communicated with victims on port 80, appearing as normal HTTP traffic
  • One server used UDP port 1443 for storing victim data and configuration

Infected routers checked in with the C2 infrastructure every 60 seconds to 5 minutes, maintaining a persistent connection that allowed operators to push commands, update configurations, and verify the device remained compromised. The malware then opened ports to make each router available as a proxy server, adding it to the 5Socks/Anyproxy inventory for sale.

What made TheMoon particularly insidious was its spread mechanism. Once established on a router, the malware scanned the local network for additional vulnerable devices—turning a single compromise into a potential foothold across an entire network segment.


The Victims: 7,000 Proxies Across 80 Countries

At any given time, approximately 1,000 unique infected devices were actively communicating with the C2 infrastructure, according to telemetry from Lumen Technologies' Black Lotus Labs, which tracked the operation for over a year before the takedown. The operators advertised 7,000+ proxies for sale—a number likely inflated for marketing purposes, but still representing a substantial criminal resource.

The geographic distribution told a damning story about where aging networking equipment lingers longest:

  1. United States — Over 50% of all victims
  2. Canada — Second highest infection rate
  3. Ecuador — Third highest
  4. Latin America broadly — Significant presence across the region

The concentration in North America reflects the region's massive installed base of consumer networking equipment, much of it purchased during the router boom of the mid-2000s and never replaced. Many of these devices remain functional despite being a decade or more old—silently operating as zombie nodes in a criminal network.

Which Routers Were Targeted?

The FBI's FLASH alert, released two days before the takedown, specifically called out the following Linksys models as targets:

  • E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550
  • WRT320N, WRT310N, WRT610N

Additionally, the Cisco M10 was identified as vulnerable.

If you recognize any of these model numbers from the equipment closet in your home or small office, you have a problem.


The Business: $46 Million in Subscription Fees

Over 20 years, the 5Socks/Anyproxy operation generated an estimated $46 million in revenue—an average of $2.3 million per year. For a criminal operation requiring minimal operational overhead and virtually no customer support, the economics were remarkable.

The services were marketed primarily on cybercriminal forums, attracting customers who needed residential IP addresses for a range of illegal purposes. Documented abuse types included:

  • Ad fraud — Generating fake advertising clicks that appeared to come from real users
  • DDoS attacks — Distributed denial-of-service using residential IPs that were harder to block
  • Brute force attacks — Password spraying and credential stuffing campaigns
  • Financial fraud — A growing use case according to analysis from threat intelligence firm Spur
  • Data exploitation — Stealing and exfiltrating sensitive information
  • Attack obfuscation — The primary use case: hiding an attacker's true location

The Department of Justice indictment explained why residential proxies are so valuable to criminals:

"Residential proxy services are particularly useful to criminal hackers to provide anonymity when committing cybercrimes; residential—as opposed to commercial—IP addresses are generally assumed by internet security services as much more likely to be legitimate traffic."

In other words: traffic from a compromised home router in Oklahoma looks fundamentally different to security systems than traffic from a known VPN exit node or a cloud server. Defenders have spent years building detection capabilities around commercial IP ranges; residential traffic largely flies under the radar.

This detection gap was evident in the operation's success at evading blocklists. According to Black Lotus Labs analysis, only about 10% of the proxy IPs were flagged as malicious on VirusTotal at any given time. The average infected device remained active for over one week before detection—plenty of time for criminals to execute their attacks and move on.


The Operators: Russians and a Kazakhstani

The DOJ indictment named four individuals as the operators behind the 20-year criminal enterprise:

  Name                               Nationality   Age   Status
  Alexey Viktorovich Chertkov        Russian       37    At large
  Kirill Vladimirovich Morozov       Russian       41    At large
  Aleksandr Aleksandrovich Shishkin  Russian       36    At large
  Dmitriy Rubtsov                    Kazakhstani   38    At large

All four were charged with conspiracy and damage to protected computers. Chertkov and Rubtsov faced additional charges for false registration of domain names—they allegedly used fake identities when registering the 5Socks and Anyproxy domains.

Here's the uncomfortable reality: none of them have been arrested, and none are likely to be anytime soon. Russia and Kazakhstan have no extradition treaties with the United States. The operators reside beyond the reach of American law enforcement, free to potentially rebuild their operation or launch new criminal ventures.

The infrastructure told a story of international cooperation—at least among criminals. Backend servers were hosted by JCS Fedora Communications, a Russian hosting provider, with additional servers located in the Netherlands and Turkey. The websites themselves were managed by a Virginia-based company, though hosted on servers worldwide. This distributed architecture made attribution difficult and required coordination across multiple jurisdictions for the takedown.


Operation Moonlander: The Takedown

The investigation that eventually dismantled the proxy empire began when FBI agents in Oklahoma discovered TheMoon malware on residential and business routers in the state. What started as a local cybercrime investigation quickly expanded into an international operation.

Operation Moonlander brought together an unusual coalition:

  • FBI Oklahoma City Cyber Task Force (lead investigation)
  • U.S. Attorney's Office, Northern District of Oklahoma
  • U.S. Attorney's Office, Eastern District of Virginia (domain seizure warrant)
  • Dutch National Police (Politie)
  • Netherlands Public Prosecution Service
  • Royal Thai Police
  • Lumen Technologies' Black Lotus Labs (technical intelligence)

Black Lotus Labs had been tracking the botnet for over 12 months before the takedown, gathering technical intelligence on the C2 infrastructure, documenting infection patterns, and preparing for disruption. The groundwork for understanding the operation had actually been laid earlier—CERT Orange Polska first publicly documented the 5Socks/Anyproxy infrastructure in 2023.

The timeline of the final operation moved quickly:

  • May 7, 2025: FBI's Internet Crime Complaint Center (IC3) released a FLASH alert warning about TheMoon's targeting of EOL routers
  • May 9, 2025: Domain seizures executed on Anyproxy.net and 5Socks.net
  • May 9, 2025: DOJ announced indictments against the four operators

The technical disruption went beyond simple domain seizures. Lumen Technologies null-routed all traffic to and from known C2 servers across their global backbone network, effectively cutting off the botnet's command infrastructure. Dutch and Thai authorities targeted overseas components of the operation, seizing servers and disrupting infrastructure beyond U.S. jurisdiction.

When users attempted to access 5Socks.net or Anyproxy.net after May 9, they were greeted with federal seizure banners—the unmistakable sign that their anonymous proxy service had been compromised by law enforcement.


Is Your Router Part of a Botnet? How to Check

The uncomfortable truth is that if you own an end-of-life router, it may already be compromised without your knowledge. Here's how to assess your risk and what to do about it.

Signs of Compromise

Your router may be infected if you observe:

  1. Unexplained network slowdowns — Bandwidth is being consumed by proxy traffic relayed through the router on someone else's behalf
  2. Unknown outbound connections from the router itself — Steady check-ins to unfamiliar hosts on TCP port 80 or UDP port 1443, the ports TheMoon's C2 used; look at traffic sourced by the router's WAN address, not only by the LAN clients behind it
  3. Configuration changes you didn't make — Remote administration suddenly enabled, firewall rules modified, ports opened that you never forwarded
  4. Connections to the published C2 indicators — The C2 servers were hosted in Turkey, but match the specific addresses in the IOC list rather than treating an entire country as the signal
  5. Strange processes or services — If your router provides diagnostic or shell access
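The check-in behaviour described earlier (a fixed-cadence beacon from the router itself to a handful of C2 hosts on TCP port 80 and UDP port 1443) and items 2 and 4 above are something you can test for in your own flow logs. The script below is an added example written for this article; it is not code from the article, the FBI FLASH or Black Lotus Labs. It assumes flow records reduced to (timestamp, src, dst, proto, dst_port) tuples, as a NetFlow/IPFIX collector or firewall log can export them, and an IOC file with one indicator per line. All addresses are RFC 5737 documentation ranges standing in for the router and for C2 hosts, and the sample flows and IOC text are constructed, not captured. It flags peers that the router's own WAN address contacts at a steady 60 to 300 second cadence, and separately matches destinations against the IOC list.

```python
"""Detecting TheMoon-style C2 beaconing in a router's own outbound flows.

Added example by the editor; it is not code from the article, the FBI FLASH
or Black Lotus Labs. Assumes flow records summarised to one tuple per
connection (timestamp, src, dst, proto, dst_port) and an IOC list with one
indicator per line. Addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from statistics import median

ROUTER_WAN_IP = "192.0.2.1"  # assumed WAN address of the router under review

# Constructed sample flows, not captured traffic:
SAMPLE_FLOWS = (
    # router itself beaconing to a hypothetical C2 on TCP/80 every ~120 s, slight jitter
    [(1_700_000_000 + i * 120 + (i % 3) * 4, ROUTER_WAN_IP, "203.0.113.10", "tcp", 80)
     for i in range(8)]
    # router to a second hypothetical C2 on UDP/1443 every 300 s
    + [(1_700_000_000 + i * 300, ROUTER_WAN_IP, "203.0.113.20", "udp", 1443)
       for i in range(6)]
    # router's legitimate NTP sync every 1024 s: periodic, but outside the 60-300 s window
    + [(1_700_000_000 + i * 1024, ROUTER_WAN_IP, "198.51.100.5", "udp", 123)
       for i in range(5)]
    # a LAN client browsing: bursty and not sourced by the router, so ignored
    + [(1_700_000_000 + t, "192.168.1.23", "198.51.100.80", "tcp", 443)
       for t in (3, 11, 75, 400, 401, 905, 1500)]
)

# Constructed stand-in for an IOC file; NOT the published Black Lotus Labs indicators.
CONSTRUCTED_IOC_TEXT = """
# c2 addresses (constructed for this example)
203.0.113.10
203.0.113.20
"""


def parse_ioc_list(text):
    """One indicator per line; '#' starts a comment; blank lines are ignored."""
    iocs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            iocs.add(line)
    return iocs


def find_beacons(flows, router_ip, min_interval=60, max_interval=300,
                 max_jitter=0.2, min_events=5):
    """Return [(dst_ip, proto, dst_port, median_gap_s)] for peers the router
    itself contacts at a steady interval inside [min_interval, max_interval].

    Only flows sourced by the router's WAN address are considered, because
    TheMoon runs on the router; LAN clients generate their own traffic.
    """
    by_peer = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if src == router_ip:
            by_peer[(dst, proto, dport)].append(ts)

    hits = []
    for peer, times in by_peer.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        typical = median(gaps)
        if not min_interval <= typical <= max_interval:
            continue
        # Low jitter is the tell: a person browsing does not revisit one host
        # every N seconds, a check-in timer does.
        if all(abs(g - typical) <= max_jitter * typical for g in gaps):
            hits.append((*peer, typical))
    return sorted(hits)


def ioc_hits(flows, iocs):
    """Return sorted (src, dst, dst_port) triples whose destination is an IOC."""
    return sorted({(src, dst, dport) for _, src, dst, _, dport in flows if dst in iocs})


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS, ROUTER_WAN_IP):
        print("periodic router check-in:", hit)
    for hit in ioc_hits(SAMPLE_FLOWS, parse_ioc_list(CONSTRUCTED_IOC_TEXT)):
        print("IOC match:", hit)
```

On the sample data the NTP peer is periodic but falls outside the 60 to 300 second window and is not reported, while both constructed C2 peers are; the IOC match is the cheaper check, but the cadence check is what catches a C2 address that is not yet on any list.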

Immediate Actions

The FBI recommends the following steps if you suspect compromise or own an EOL device:

  1. Check if your router is end-of-life — Visit the manufacturer's website and search for your model's support status. If it's no longer receiving security updates, it needs to be replaced.
  2. Disable remote administration immediately — This is the exposed surface the operators scanned for. If you can access your router's admin interface, find the setting for "remote management" or "remote administration" and disable it, so the management interface is reachable only from the LAN.
  3. Reboot your router — Many malware variants, including some TheMoon configurations, don't persist across reboots, so a power cycle may clear an active infection. It clears only the running infection: a device that is still end-of-life and still exposed will be compromised again by the same scanning.
  4. Install firmware updates — If your router is still supported, check for and install any available firmware updates.
  5. Change default passwords — Replace any default administrative credentials with strong, unique passwords.
  6. Replace EOL devices — This is the only permanent solution. A router that will never receive security patches is a permanent liability.

For Network Defenders and Security Teams

Organizations should implement additional monitoring:

  • Monitor for attacks originating from residential IP addresses — These may indicate compromised devices being used as proxies
  • Block known open proxy IP addresses — Update blocklists regularly
  • Watch for brute force attempts from residential IPs — A hallmark of credential stuffing through residential proxies
  • Inventory all edge devices — Know what routers, IoT devices, and networking equipment exist on your network and their support status
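Brute-force and credential-stuffing traffic through residential proxies is the defender-side view of this botnet, and the last two bullets above boil down to two signals: a source IP on a published proxy list, and one source trying many distinct usernames in a short window. The script below is an added example written for this article, not code from the article or from any vendor. It assumes an sshd-style auth log (the lines are constructed, not from a real host), a set of proxy IP indicators (an RFC 5737 address stands in for a real one), and illustrative thresholds that you would tune to the service you protect.

```python
"""Flagging credential stuffing that arrives through residential proxies.

Added example by the editor, not code from the article or from any vendor.
Assumes an sshd-style auth log (constructed lines below) and a set of proxy
IP indicators; the window and username threshold are illustrative.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)

# Constructed log lines (epoch seconds first, for simplicity), not real auth data.
SAMPLE_LOG = (
    # one source walking ten different usernames in 45 s, then logging in: stuffing
    [f"{1_700_000_000 + i * 5} Failed password for invalid user {u} from 198.51.100.77 port 5{i:04d} ssh2"
     for i, u in enumerate("admin root ubuntu oracle test guest pi backup deploy git".split())]
    + ["1700000050 Accepted password for deploy from 198.51.100.77 port 50011 ssh2"]
    # a real user mistyping a password twice: benign
    + ["1700000100 Failed password for alice from 192.0.2.50 port 40001 ssh2",
       "1700000130 Failed password for alice from 192.0.2.50 port 40002 ssh2",
       "1700000160 Accepted password for alice from 192.0.2.50 port 40003 ssh2"]
    # a source on the proxy IOC list probing a few accounts: flagged on reputation alone
    + [f"{1_700_000_200 + i * 7} Failed password for invalid user {u} from 203.0.113.45 port 6000{i} ssh2"
       for i, u in enumerate("svc web www".split())]
)

# Constructed stand-in for a proxy IOC list (RFC 5737 address), not published indicators.
PROXY_IOCS = {"203.0.113.45"}


def max_distinct_users_in_window(events, window):
    """events: (ts, user) pairs sorted by ts. Largest number of distinct
    usernames one source attempted inside any sliding window of `window` s."""
    counts = defaultdict(int)
    best = left = 0
    for ts, user in events:
        counts[user] += 1
        while events[left][0] < ts - window:  # drop attempts that aged out
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def analyze_auth_log(lines, proxy_iocs, window=300, user_threshold=8):
    """Return {source_ip: [reasons]} for sources that look like proxied stuffing."""
    attempts = defaultdict(list)
    successes = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated sshd line
        attempts[m["ip"]].append((int(m["ts"]), m["user"]))
        if m["result"] == "Accepted":
            successes[m["ip"]] += 1

    findings = {}
    for ip, events in attempts.items():
        events.sort()
        reasons = []
        if ip in proxy_iocs:
            reasons.append("known-proxy")
        distinct = max_distinct_users_in_window(events, window)
        if distinct >= user_threshold:
            reasons.append(f"spray:{distinct}users/{window}s")
        # A success from a source already judged suspicious is the alert that matters
        if reasons and successes[ip]:
            reasons.append("success-after-spray")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, why in sorted(analyze_auth_log(SAMPLE_LOG, PROXY_IOCS).items()):
        print(ip, ", ".join(why))
```

The username-count signal is what makes residential sources visible even when the IP has no reputation at all: a real customer behind a home router does not try ten account names in under a minute. The known-proxy match catches low-and-slow probing below that threshold, and the success marker is the case that needs a human immediately.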

Technical Indicators of Compromise

Black Lotus Labs has published a comprehensive list of IOCs on GitHub:

Repository: github.com/blacklotuslabs/IOCs/blob/main/socks_IOCs.txt

This includes C2 server IP addresses and related infrastructure details that can be used for detection and blocking.


The Bigger Picture: EOL Devices as a National Security Threat

The 5Socks/Anyproxy takedown isn't an isolated incident. It's part of a pattern that should alarm anyone concerned about infrastructure security.

The FBI's FLASH alert explicitly connected the EOL router threat to nation-state actors, noting:

"Chinese cyber actors are also among those who have taken advantage of known vulnerabilities in end of life routers and other edge devices to establish botnets used to conceal hacking into US critical infrastructures."

This reference points to operations like Volt Typhoon, a Chinese state-sponsored group that has used compromised SOHO routers to stage attacks against U.S. critical infrastructure. The same class of devices that powered a $46 million criminal proxy service also serves as infrastructure for nation-state espionage operations.

Recent residential proxy takedowns show the scale of the problem:

  Operation             Year  Service              Scale                Financial Impact
  Operation Moonlander  2025  5Socks/Anyproxy      7,000+ proxies       $46M revenue
  911 S5 Takedown       2024  911 S5/Cloud Router  19M+ IPs             $5.9B fraud enabled
  RSOCKS Takedown       2022  RSOCKS               Millions of devices  Unknown

The common thread across all these operations: they all exploited devices that manufacturers abandoned and consumers forgot about.

Black Lotus Labs summarized the ongoing risk:

"As a vast number of end-of-life devices remain in circulation, and the world continues to adopt devices in the Internet of Things, there will continue to be a massive pool of targets for malicious actors."

What Needs to Change

The 5Socks/Anyproxy takedown is a law enforcement victory, but the underlying vulnerabilities that made the operation possible remain largely unaddressed.

For Consumers

The message is clear: EOL devices are liabilities. If your router, camera, or IoT device is no longer receiving security updates, it's not a functional device—it's an attack surface. Replace it.

Additionally:

  • Disable remote management features unless absolutely necessary
  • Perform regular reboots to disrupt non-persistent malware
  • Change default credentials on all network devices
  • Monitor network traffic for unusual patterns

For Organizations

Enterprise security teams must:

  • Inventory all edge devices — Including routers, cameras, and IoT equipment often overlooked in asset management
  • Track device lifecycles — Know when vendor support ends for every device on the network
  • Budget for replacements — Devices should be replaced before they become EOL, not after
  • Segment IoT networks — Keep vulnerable devices isolated from critical infrastructure

For Manufacturers

The device lifecycle security model is broken. Manufacturers should:

  • Extend security support timelines — Devices often remain functional for a decade; security support should reflect this
  • Make EOL status visible — Users should be clearly notified when their device stops receiving updates
  • Auto-disable risky features — Remote administration could be disabled by default on EOL devices
  • Consider mandatory retirement — Some devices may need to stop functioning when they become too dangerous to operate

The Operators Remain Free

As of this writing, Alexey Chertkov, Kirill Morozov, Aleksandr Shishkin, and Dmitriy Rubtsov remain at large. They face charges that could result in significant prison sentences if they're ever apprehended:

  • Conspiracy to commit computer fraud — Up to 5 years
  • Damaging protected computers — Up to 10 years
  • False registration of domain names — Additional penalties for Chertkov and Rubtsov

But without extradition treaties, and with all four residing in countries beyond U.S. law enforcement reach, the chances of prosecution remain slim. The operation that ran for 20 years has been dismantled, but its architects appear poised to escape justice.

The infrastructure is down. The domains display federal seizure banners. The C2 servers have been null-routed. But somewhere, four individuals who allegedly ran a criminal enterprise that compromised thousands of devices across 80 countries are still free—and possibly planning their next venture.

For those checking their router closet today, that reality should provide little comfort.


Key Takeaways

  • Operation Moonlander dismantled a 20-year proxy service built on compromised EOL routers
  • TheMoon malware infected devices by exploiting known vulnerabilities in unsupported equipment
  • 7,000+ proxies were sold across 80+ countries, generating an estimated $46 million
  • Four operators (three Russian, one Kazakhstani) were indicted but remain at large
  • Residential proxies are valuable to criminals because they evade traditional security detection
  • EOL devices are a national security threat exploited by both criminals and nation-state actors
  • Check your router: If it's end-of-life, replace it

IOCs and technical details available at: github.com/blacklotuslabs/IOCs/blob/main/socks_IOCs.txt

By Breached Company