In a major international effort, U.S. and Dutch authorities have dismantled a massive cybercrime operation that used hacked Internet of Things (IoT) and outdated devices to build an illegal proxy network. Known as Operation Moonlander, the takedown led to the seizure of the domains 5socks.net and anyproxy.net, which were secretly selling access to these compromised devices to cybercriminals.
The group ran the proxy service for nearly 20 years, offering subscription plans between $9.95 and $110 per month. They made over $46 million (about ₹400 crore) by allowing users to hide their online activity, often for illegal purposes like ad fraud, data theft, brute-force attacks, and DDoS attacks. The FBI has charged four people in connection with the operation.
The service was powered by malware called TheMoon, first discovered in 2014. It infected routers and other devices that were either unpatched or no longer supported by their manufacturers (end-of-life devices). These infected devices, especially in the U.S., Canada, and Ecuador, were turned into bots and connected weekly to a command-and-control system without their owners’ knowledge.
The FBI has issued a public warning, urging people to take action by restarting routers regularly, updating device software, changing default passwords, and replacing outdated devices. The hacked networks mainly used home internet connections, making it hard for authorities to trace cybercrimes.
Although the proxy services claimed to support digital privacy, investigators say they were a cover for large-scale abuse. With IoT devices growing rapidly, law enforcement warns that unless users secure their devices, such botnets will only continue to expand.