FBI Took 20 Years to Kill a Router Botnet
A criminal proxy service openly bragged "Working since 2004!" on its homepage while the FBI apparently had other priorities for two decades.
The 5socks.net website had a slogan plastered right on its homepage: "Working since 2004!" And from what I can tell, that was accurate. For over twenty years, a criminal proxy service operated openly on the clearnet, sold subscriptions to anyone willing to pay between $9.95 and $110 per month, accepted cryptocurrency, and advertised on cybercriminal forums. The FBI finally got around to shutting it down in May 2025, which I'm going to call what it is: embarrassing.
On May 7, 2025, the FBI seized the domains of two proxy services called Anyproxy and 5Socks, replacing them with the standard seizure banner we've all seen a hundred times. Two days later, on May 9, the DOJ unsealed indictments against three Russian nationals and one Kazakhstani national as part of "Operation Moonlander." The FBI, Dutch National Police, Thai Royal Police, and researchers from Lumen Technologies' Black Lotus Labs coordinated the takedown.
The four defendants are Alexey Viktorovich Chertkov (37), Kirill Vladimirovich Morozov (41), Aleksandr Aleksandrovich Shishkin (36), and Dmitriy Rubtsov (38). All four were charged with conspiracy and damage to protected computers. Chertkov and Rubtsov also face charges for falsely registering domain names using fake identities. Collectively, the DOJ says they earned over $46 million from their two-decade operation.
Now here's where I need everyone to understand what actually happened, because the FBI's press release frames this like a triumphant victory when the reality paints a very different picture.
[Infographic: 20 Years of 5Socks vs. the FBI. A timeline of one botnet's lifespan and the federal response that never came. From first documented activity to first federal action: 21 years.]
The entire operation was built on end-of-life routers. These are consumer and small business devices from companies like Linksys and Cisco, specifically models like the Linksys E1200, E2500, E1000, E4200, E1500, E300, E3200, E1550, WRT320N, WRT310N, WRT610N, and the Cisco M10. Every single one of those models is old enough that the manufacturer stopped releasing security patches years ago. When a router reaches "end of life," the company that made it walks away, and whatever vulnerabilities exist in the firmware stay there permanently.
The malware used to compromise these devices is called TheMoon, first discovered by SANS ISC back in 2014. The way TheMoon works is straightforward and that's what makes it effective: it scans for open ports on vulnerable routers, sends a command to a vulnerable script, and takes over the device without ever needing a password. Once it has control, it contacts command-and-control servers for further instructions, and those instructions often include scanning for more vulnerable routers to spread the infection. The C2 infrastructure for this particular operation ran through five servers located in Turkey, four communicating with victims on port 80 and one using UDP port 1443 for data storage.
After a router was compromised, it became a proxy node. The operators packaged these compromised residential IP addresses and sold access through Anyproxy.net and 5socks.net. Customers paid between $9.95 and $110 per month for access to compromised residential IPs. The service accepted cryptocurrency payments, which made it a natural magnet for anyone doing something criminal who needed to hide behind a legitimate-looking residential IP address.
From what Black Lotus Labs found, the proxies were used for ad fraud, DDoS attacks, brute-force credential attacks, and data exploitation. The FBI's own advisory adds cryptocurrency theft and cybercrime-for-hire activities to that list. And the actual owners of these routers, the people whose home and business internet connections were being sold to criminals, had absolutely no idea. Their routers just kept working well enough that nobody noticed anything beyond maybe some occasional slowness or the device running warm.
OK, so let me point out the absurdity of the timeline here. TheMoon malware was publicly documented in 2014. The 5Socks website had been running since 2004. A Polish cybersecurity team, CERT Orange Polska, published a report identifying this exact operation in 2023. After that report, Lumen's Black Lotus Labs spent approximately one year tracking the infrastructure before the takedown happened in May 2025. The actual FBI investigation originated from the Oklahoma City field office after agents found infected routers in Oklahoma businesses and residences.
So a criminal service operated on the open internet for 20 years, bragged about it in their slogan, advertised on cybercriminal forums, and it took a Polish CERT team flagging it in 2023 for law enforcement to start paying attention. The FBI had the resources of the entire US intelligence apparatus and somehow a team in Poland found it first. Keep in mind the 5Socks site was advertising over 7,000 proxies on its public-facing homepage the entire time.
And the indictments themselves tell the rest of the story. All four defendants are either in Russia or Kazakhstan, and neither country has an extradition treaty with the United States. None of the four have been arrested, and their whereabouts are listed as unknown. The domains were managed through a company headquartered in Virginia and hosted on servers registered with JCS Fedora Communications, a Russian internet hosting provider, with additional servers in the Netherlands, Turkey, and other locations.
The practical result of Operation Moonlander is that the FBI seized two domain names and filed charges against four people who will almost certainly never see the inside of a US courtroom. The $46 million is gone and the defendants are free. And the actual damage, the twenty years of compromised home networks, stolen data, and criminal activity routed through innocent people's internet connections, is done and irreversible.
From a technical standpoint, Lumen's Black Lotus Labs deserves the actual credit here. They null-routed all traffic to and from the known C2 endpoints across their global backbone, which is what actually killed the botnet's ability to function. The FBI's contribution was paperwork, seizure banners, and a press conference. Black Lotus Labs' research also revealed that while 5Socks claimed to have 7,000+ active proxies, the real number was closer to 1,000 weekly active bots across 80+ countries, with over half of the victims located in the United States. Canada and Ecuador had the next highest infection rates.
One detail from the Black Lotus Labs report stands out: only about 10% of the compromised devices were flagged as malicious on VirusTotal. Ninety percent of these infected routers went completely undetected by mainstream security monitoring tools. The operators also performed IP deny-list checking before selling a proxy, which means they actively verified their bots would evade monitoring before handing them to customers. The average bot stayed compromised for over a week before rotating out.
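If file and IP reputation catch only one infected router in ten, the detection has to come from what the device does on the wire. The mechanism described earlier gives three behaviours worth watching at a router's WAN side: probing one service across many addresses to spread, periodic check-ins to a C2 host, and (for this particular operation) traffic to UDP port 1443. The script below is an added example, not code from the article, the FBI or Black Lotus Labs; it runs three behaviour-based checks over constructed NetFlow-style records. The field names, the TEST-NET addresses, the thresholds and the 300-second beacon interval are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One summarised connection as a NetFlow/IPFIX collector would export it."""
    ts: int        # start time, epoch seconds
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int
    bytes: int     # bytes sent by src


# Constructed: the monitored router's WAN address (TEST-NET-2, never routable).
ROUTER_WAN_IP = "198.51.100.23"


def sample_flows():
    """Constructed flow records mixing benign browsing with the two behaviours
    the article describes: scanning for more routers and talking to C2."""
    flows = [
        # benign: few destinations, substantial payloads
        Flow(1000, ROUTER_WAN_IP, "203.0.113.10", "tcp", 443, 48000),
        Flow(1004, ROUTER_WAN_IP, "203.0.113.11", "tcp", 443, 120000),
    ]
    # scan-like: 40 distinct hosts probed on tcp/80 within 20 seconds, tiny flows
    flows += [Flow(2000 + i // 2, ROUTER_WAN_IP, f"192.0.2.{i + 1}", "tcp", 80, 60)
              for i in range(40)]
    # beacon-like: the same host contacted on udp/1443 every 300 seconds
    flows += [Flow(3000 + 300 * i, ROUTER_WAN_IP, "203.0.113.200", "udp", 1443, 200)
              for i in range(6)]
    return flows


def detect_scanning(flows, window=60, min_targets=20, max_bytes=500):
    """Flag a (src, proto, dport) that reaches >= min_targets distinct destinations
    with tiny flows inside any window-second span: a spreading node probing
    one service across many addresses."""
    by_key = defaultdict(list)
    for f in flows:
        if f.bytes <= max_bytes:
            by_key[(f.src, f.proto, f.dport)].append(f)
    findings = []
    for key, fl in by_key.items():
        fl.sort(key=lambda f: f.ts)
        lo, in_window = 0, defaultdict(int)   # dst -> flows currently in the window
        for f in fl:
            in_window[f.dst] += 1
            while fl[lo].ts < f.ts - window:   # slide the left edge forward
                old = fl[lo].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= min_targets:
                findings.append(("scan", key, len(in_window)))
                break                          # one finding per key is enough
    return findings


def detect_beaconing(flows, min_flows=5, max_cv=0.2):
    """Flag a (src, dst, proto, dport) whose inter-arrival gaps are nearly constant
    (coefficient of variation <= max_cv): periodic check-ins typical of C2 polling."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dst, f.proto, f.dport)].append(f.ts)
    findings = []
    for key, ts in by_key.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append(("beacon", key, round(avg)))
    return findings


def detect_udp_1443(flows, router_ip=ROUTER_WAN_IP):
    """The article notes one C2 server used UDP/1443; a home router has no reason to
    originate that itself. On the WAN side NAT hides which LAN host sent a flow, so
    treat hits as leads to confirm from inside the LAN, not as proof."""
    return [("udp1443", (f.src, f.dst), f.ts) for f in flows
            if f.src == router_ip and f.proto == "udp" and f.dport == 1443]


def run_all(flows):
    return detect_scanning(flows) + detect_beaconing(flows) + detect_udp_1443(flows)


if __name__ == "__main__":
    for finding in run_all(sample_flows()):
        print(finding)
```

The scan and beacon checks are deliberately generic: they do not depend on any indicator from this operation, so they keep working when the next proxy botnet changes its ports and servers. The UDP/1443 check is the narrow, indicator-driven one and is the first to go stale; that asymmetry is the practical reason the 10% VirusTotal figure should not surprise anyone.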
The FBI's response to all of this was to issue a flash advisory telling people to check if their router model was on the affected list and to replace it with a newer one. Their practical advice comes down to: replace your end-of-life router, disable remote administration, reboot periodically, and use strong passwords.
I'm going to be straightforward about this. The FBI is telling you to replace your router after they let criminals monetize it for 20 years. They're issuing advisories about TheMoon malware that was publicly documented 11 years ago. They filed indictments against people they know they can never extradite. And they're calling it Operation Moonlander like they deserve a cool name for finally doing what a Polish CERT team essentially handed them on a platter.
The actual lesson from this story has nothing to do with the FBI's press release. If you're running a router that was manufactured before 2010, the manufacturer abandoned it years ago and every vulnerability in its firmware is a permanent open door. TheMoon malware targets these devices specifically because they're easy prey, and the operators behind 5Socks proved that thousands of people across 80+ countries had no idea their home networks were compromised. Your router is the single point of entry for everything on your network, every device, every connection, every piece of data, and if it's running decade-old firmware with known unpatched vulnerabilities, you should assume it's already been compromised.
My advice is simple. Check your router model against the FBI's list of affected devices. If it's on there, replace it immediately. If your router is more than five or six years old and the manufacturer has stopped issuing firmware updates, replace it anyway. Disable remote administration on whatever router you do use, because that's the attack vector TheMoon exploits. And reboot your router periodically, because most router malware loses persistence after a reboot since it lives in volatile memory.
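Checking a handful of routers by hand is easy; checking a small office or a family's worth of them is where people stop bothering. The script below is an added example, not from the article or the FBI, that turns the four pieces of advice above into a repeatable check: it normalises inventory strings (hyphens, spaces, "v2" hardware revisions) before matching them against the models listed earlier, then grades each device on vendor support, remote administration and uptime. The inventory records, the two hypothetical model names, the five-year firmware threshold and the 30-day reboot threshold are all assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date

# Router models the article quotes from the FBI advisory, keyed by vendor.
AFFECTED_MODELS = {
    "linksys": {"E1200", "E2500", "E1000", "E4200", "E1500", "E300", "E3200",
                "E1550", "WRT320N", "WRT310N", "WRT610N"},
    "cisco": {"M10"},
}


def normalize_model(vendor, model):
    """('Linksys', 'WRT-320N v2') -> ('linksys', 'WRT320N'). Inventory strings carry
    hyphens, spaces and hardware-revision suffixes that the advisory list does not."""
    v = vendor.strip().lower()
    m = model.strip().upper()
    m = re.sub(r"\s*V\d+(\.\d+)?$", "", m)   # drop 'v2' / 'V1.1' hardware revisions
    m = re.sub(r"[^A-Z0-9]", "", m)           # drop hyphens, spaces, punctuation
    return v, m


def is_affected(vendor, model):
    v, m = normalize_model(vendor, model)
    return m in AFFECTED_MODELS.get(v, set())


@dataclass
class Router:
    """One device from a (constructed) home or small-office inventory."""
    vendor: str
    model: str
    vendor_supported: bool      # vendor still publishes firmware for this model
    latest_firmware: date       # date of the newest firmware the vendor released
    remote_admin: bool          # WAN-side management interface enabled
    uptime_days: int


def assess(r, today=date(2025, 5, 9), stale_firmware_years=5, max_uptime_days=30):
    """Apply the article's advice in priority order and return (action, reason)
    pairs. The 5-year and 30-day thresholds are assumptions, not from the advisory."""
    findings = []
    if is_affected(r.vendor, r.model):
        findings.append(("replace", "model is on the advisory list"))
    elif not r.vendor_supported or (today - r.latest_firmware).days > 365 * stale_firmware_years:
        findings.append(("replace", "no vendor firmware support"))
    if r.remote_admin:
        findings.append(("disable_remote_admin", "WAN-side management reachable"))
    if r.uptime_days > max_uptime_days:
        findings.append(("reboot", f"up {r.uptime_days} days; clears memory-resident malware"))
    return findings


def sample_inventory():
    """Constructed inventory; EXAMPLE1 and Z9 are hypothetical model names."""
    return [
        Router("Linksys", "WRT-320N v2", False, date(2014, 6, 1), True, 120),
        Router("Cisco", "m10", False, date(2013, 1, 15), False, 3),
        Router("Linksys", "EXAMPLE1", False, date(2018, 9, 1), False, 45),
        Router("ExampleCo", "Z9", True, date(2025, 3, 1), False, 5),
    ]


if __name__ == "__main__":
    for r in sample_inventory():
        print(r.vendor, r.model, assess(r) or "OK")
```

The order of the findings is the point: a reboot clears a memory-resident implant but leaves the firmware flaw in place, and a device on the list that stays online will be scanned and re-infected, so "replace" always comes before "reboot" for anything the advisory names.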
The 5Socks operation earned $46 million over 20 years while the FBI did nothing. The four people responsible will never be extradited. Your old router may have been part of their infrastructure, and you would have never known. That's the reality the FBI's press release conveniently glosses over while they pat themselves on the back for seizing two domain names.