Criminal Proxy Network Exploits IoT Devices, Exposing Systemic Cybersecurity Risks – A Covert Threat Uncovered
A sophisticated criminal proxy network, dismantled in a joint U.S.-Dutch law enforcement operation in May 2025, has exposed critical vulnerabilities in the Internet of Things (IoT) ecosystem. Sold through the domains anyproxy[.]net and 5socks[.]net, the service ran on a botnet of thousands of infected IoT and end-of-life (EoL) devices, which provided anonymity for malicious actors, according to U.S. authorities and Lumen Technologies. Codenamed Operation Moonlander, the takedown highlights the risks posed by unpatched devices and the potential exposure of enterprises and infrastructure that rely on unsecured IoT systems.
The proxy service dates back to 2004, according to the U.S. Department of Justice (DoJ), though the current botnet infrastructure using TheMoon malware has been tracked more recently. Lumen Technologies’ Black Lotus Labs, which monitored the network for over a year, reported an average of 1,000 unique bots weekly, with over 50% located in the United States, followed by Canada and Ecuador. “This group maintained a low profile to avoid detection, abusing equipment that has aged out of the vendor support lifecycle and cannot be patched,” Black Lotus Labs stated. The botnet’s infrastructure, based in Turkey, facilitated illicit activities including ad fraud, distributed denial-of-service (DDoS) attacks, brute-force credential stuffing, and data exploitation.
The Mechanics of the Botnet
The botnet’s effectiveness relied on exploiting EoL devices, which lack vendor support and security updates. TheMoon malware, first identified in 2014 by the SANS Technology Institute, targets open ports and vulnerable scripts to infect devices without requiring passwords. Once compromised, devices connected to a command-and-control (C2) infrastructure of five Turkey-based servers. Four servers used HTTP port 80 for victim communication, while a fifth, operating on UDP port 1443, collected data from infected devices.
The proxy service operated on a “rent-a-proxy” model, accepting cryptocurrency payments for rotating daily access to IP addresses and ports, with subscription fees ranging from $9.95 to $110 monthly. This generated over $46 million in revenue for the operators, according to the DoJ. The lack of authentication amplified its impact, enabling even unauthorized actors to exploit proxies once discovered, in addition to those who subscribed. “Proxy services allow malicious actors to hide behind unsuspecting residential IPs, complicating detection by network monitoring tools,” Lumen noted. Only 10% of the proxies were flagged by tools like VirusTotal, underscoring their stealth.
By focusing on known exploits rather than zero-day vulnerabilities, the botnet ensured operational continuity for actors leveraging it for illicit purposes. The operators conducted deny-list checks to evade common monitoring tools, blending their traffic with legitimate residential activity. This enabled the botnet to support malicious activities with devices observed in numerous countries, according to telemetry reviewed by Lumen.
Risks to Enterprise and Infrastructure
The disruption of this botnet underscores the systemic risks posed by unpatched IoT devices, particularly as IoT adoption grows across sectors including manufacturing and logistics, where defenders face challenges in securing aging devices. The botnet’s concentration in the U.S., Canada, and Ecuador reflects the widespread use of outdated routers and small office/home office (SOHO) equipment, often overlooked in enterprise security protocols. Its capability to facilitate DDoS and data exploitation could pose indirect risks to sectors like logistics and manufacturing that depend on secure, uninterrupted connectivity.
The Cybersecurity and Infrastructure Security Agency (CISA), alongside the FBI, EPA, and Department of Energy, has emphasized securing operational technology (OT) and industrial control systems (ICS). “Poor cyber hygiene and exposed assets can escalate threats, leading to significant consequences such as operational disruptions,” the agencies warned. The DoJ’s charges against four individuals—Russian nationals Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Kazakhstani national Dmitriy Rubtsov—signal efforts to curb such threats, but the botnet’s financial success highlights the profitability of exploiting IoT vulnerabilities.
The botnet’s ability to blend with legitimate traffic challenged defenders in sectors dependent on secure IoT deployments, such as enterprise and industrial networks. Compromised devices raise concerns that they could be leveraged to disrupt operations or access sensitive systems, amplifying the need for robust security measures.
Strategies for Mitigation
Operation Moonlander, supported by Lumen’s null-routing of C2 traffic and intelligence from Spur and CERT Orange Polska, disrupted the botnet’s infrastructure. However, the persistence of EoL devices and the projected growth of IoT—expected to reach 29 billion devices by 2030, per Statista—suggest similar threats will endure. Black Lotus Labs noted the difficulty of detecting proxy traffic, which mimics legitimate activity. “As a vast number of end-of-life devices remain in circulation, there will continue to be a massive pool of targets for malicious actors,” the firm cautioned.
Enterprises must prioritize replacing EoL devices to reduce vulnerabilities in sectors like manufacturing and logistics. Lumen recommends monitoring for suspicious login attempts, blocking known proxy IPs, and deploying advanced detection tools. Consumers should reboot routers, apply security updates, change default passwords, and upgrade unsupported devices. The FBI’s advisory reinforces these steps, urging users to secure remote access and replace EoL routers to prevent infection by malware like TheMoon.
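The monitoring Lumen recommends can be started with the two concrete indicators this article gives: infected devices talked to the C2 servers over HTTP port 80 and UDP port 1443, and relaying customer traffic makes a router fan out to far more web destinations than a SOHO device normally would. The script below is an added example written for this article, not tooling from Lumen, the DoJ or the FBI; it assumes a simple "src dst proto dport bytes" flow-log format, an IoT/SOHO segment of 10.20.0.0/24, a fan-out threshold of five distinct peers, and a placeholder deny list that you would populate from your own proxy-IP intelligence.

```python
import ipaddress
from collections import defaultdict

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # assumed IoT/SOHO VLAN
KNOWN_PROXY_IPS = {"203.0.113.9"}                   # placeholder deny list (TEST-NET-3 address)
C2_UDP_PORT = 1443                                  # port of the fifth C2 server named in the article
FANOUT_THRESHOLD = 5                                # assumed: distinct web peers a router should not exceed

# Constructed flow records for the demo (not real telemetry): "src dst proto dport bytes"
SAMPLE_FLOWS = """\
10.20.0.7 198.51.100.20 udp 1443 640
10.20.0.7 198.51.100.21 tcp 80 2300
10.20.0.7 192.0.2.10 tcp 443 9000
10.20.0.7 192.0.2.11 tcp 443 8800
10.20.0.7 192.0.2.12 tcp 443 7100
10.20.0.7 192.0.2.13 tcp 80 1200
10.20.0.7 192.0.2.14 tcp 443 9900
10.20.0.7 192.0.2.15 tcp 443 4100
10.20.0.9 203.0.113.9 tcp 80 500
10.20.0.12 192.0.2.50 tcp 443 3000
10.20.0.12 192.0.2.50 tcp 443 2500
"""

def parse_flows(text):
    """Turn the assumed log format into (src, dst, proto, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, proto, dport, nbytes = line.split()
        flows.append((src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows

def find_suspects(flows):
    """Return {src_ip: sorted reasons} for IoT-segment hosts worth investigating."""
    reasons = defaultdict(set)
    web_peers = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        if ipaddress.ip_address(src) not in IOT_SEGMENT:
            continue  # only devices in the IoT/SOHO segment are in scope
        if proto == "udp" and dport == C2_UDP_PORT:
            reasons[src].add("udp_1443_c2_pattern")      # matches the C2 data-collection port
        if dst in KNOWN_PROXY_IPS:
            reasons[src].add("known_proxy_ip")           # hit on the deny list
        if dport in (80, 443):
            web_peers[src].add(dst)
    for src, dsts in web_peers.items():
        if len(dsts) > FANOUT_THRESHOLD:
            reasons[src].add("web_fanout_like_relay")    # heuristic for a device relaying others' traffic
    return {src: sorted(r) for src, r in reasons.items()}

if __name__ == "__main__":
    for host, why in find_suspects(parse_flows(SAMPLE_FLOWS)).items():
        print(host, ", ".join(why))
```

A hit on the UDP 1443 rule alone is a strong signal for this particular botnet, while the fan-out rule is only a prompt to look closer, since a NAT router serving many clients will also show many peers.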
Industry-wide action is critical. Manufacturers should extend support lifecycles for IoT devices and implement secure-by-default configurations. Collaboration between law enforcement, private firms, and international partners, as seen in Moonlander, is essential to dismantling cross-border cybercrime networks.
A Persistent Challenge
The takedown of anyproxy[.]net and 5socks[.]net is a significant achievement, but IoT vulnerabilities persist. The botnet’s exploitation of residential IPs highlights a weak link: unsecured devices in homes and businesses can enable attacks on enterprise systems and infrastructure. The FBI’s call to upgrade EoL devices and secure network access underscores the shared responsibility required to address these threats.
For industries like manufacturing and logistics, securing IoT devices is a strategic imperative. The Moonlander operation demonstrates the power of coordinated action, but also serves as a warning: as connectivity expands, so does the attack surface. By prioritizing device security, adopting proactive monitoring, and fostering global collaboration, stakeholders can ensure IoT drives progress rather than enabling crime. The fight against such networks continues, demanding vigilance to contain the risks.