20-Year-Old Proxy Botnet Network Dismantled After Exploiting 1,000 Unpatched Devices Each Week
A 20-year-old criminal proxy network has been disrupted through a joint operation involving Lumen’s Black Lotus Labs, the U.S. Department of Justice, the Federal Bureau of Investigation (FBI), and the Dutch National Police.
This botnet, operational since 2004 according to its own claims, exploited an average of 1,000 unique Internet of Things (IoT) and end-of-life (EoL) devices weekly, turning them into proxies for malicious actors seeking anonymity online.
By leveraging unpatched and unsupported devices, primarily in the residential IP space, the botnet enabled a range of illicit activities, including ad fraud, Distributed Denial of Service (DDoS) attacks, brute force attacks, and data exploitation.
Over half of the infected devices were located in the United States, with notable victim counts in Canada and Ecuador, highlighting the global reach of this threat.
Collaboration Targets Criminal Proxy Service
Lumen’s Black Lotus Labs, utilizing telemetry from its global backbone, traced the botnet’s command-and-control (C2) infrastructure to five servers based in Turkey (Türkiye).

Four of these servers communicated with victims over HTTP on port 80, while a fifth used UDP on port 1443 solely to receive data, likely for storing victim information.
The botnet predominantly targeted Small Office/Home Office (SOHO) and IoT devices, exploiting well-known, older vulnerabilities rather than zero-day flaws, which allowed the operators to keep bots active for over a week on average.
Remarkably, only 10% of these proxies were flagged as malicious by tools like VirusTotal, demonstrating their ability to evade conventional network monitoring systems.
The service’s “rent-a-proxy” model compounded the risk, providing users direct access to proxy IPs and ports without authentication for 24-hour periods, a tactic reminiscent of other notorious networks like NSOCKS and Faceless.

This open-access policy, while unclear in its profitability for operators, opened the door to widespread abuse by any malicious actor discovering the active proxies.
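The traffic pattern described above (plain HTTP/80 and UDP/1443 check-ins to a handful of C2 hosts, plus unauthenticated proxy access for anyone who finds the port) gives a defender something concrete to hunt for in flow logs. The following heuristic is an added example, not code from Lumen or the report; the flow format, the 192.0.2.0/24 "inside" network and all sample records are constructed, and the addresses are documentation ranges rather than real indicators.

```python
from collections import defaultdict

# Constructed NetFlow-style records (src_ip src_port dst_ip dst_port proto bytes).
# 192.0.2.0/24 is the monitored "inside" network; everything else is outside.
SAMPLE_FLOWS = """\
192.0.2.10 51234 203.0.113.5 80 tcp 1200
192.0.2.10 51235 203.0.113.9 1443 udp 300
198.51.100.7 40001 192.0.2.10 8080 tcp 5400
198.51.100.8 40002 192.0.2.10 8080 tcp 6100
198.51.100.9 40003 192.0.2.10 8080 tcp 5900
198.51.100.10 40004 192.0.2.10 8080 tcp 7000
192.0.2.20 51300 203.0.113.5 80 tcp 900
198.51.100.7 40005 192.0.2.20 443 tcp 2000
"""

def parse_flows(text):
    """Parse whitespace-separated flow records into tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, sport, dst, dport, proto, nbytes = line.split()
            flows.append((src, int(sport), dst, int(dport), proto.lower(), int(nbytes)))
    return flows

def find_proxy_bots(flows, inside="192.0.2.", min_sources=3):
    """Return {inside_host: [reasons]} for hosts that BOTH accept connections from
    many distinct outside clients on one port (open-proxy fan-in) AND show a
    C2-style check-in (outbound UDP/1443, or plain HTTP/80 to an outside host).
    HTTP/80 alone is far too noisy to alert on, hence the conjunction."""
    c2_hits = defaultdict(list)
    fan_in = defaultdict(lambda: defaultdict(set))   # host -> port -> client ips
    for src, _sp, dst, dport, proto, _nb in flows:
        if src.startswith(inside) and not dst.startswith(inside):
            if proto == "udp" and dport == 1443:
                c2_hits[src].append(f"outbound UDP/1443 to {dst}")
            elif proto == "tcp" and dport == 80:
                c2_hits[src].append(f"outbound HTTP/80 to {dst}")
        elif dst.startswith(inside) and not src.startswith(inside):
            fan_in[dst][dport].add(src)
    findings = {}
    for host, ports in fan_in.items():
        for port, clients in ports.items():
            # A residential device serving many unrelated outside clients on one
            # port, combined with a check-in, matches the rent-a-proxy pattern.
            if len(clients) >= min_sources and c2_hits[host]:
                findings[host] = c2_hits[host] + [f"{len(clients)} outside clients on tcp/{port}"]
    return findings

if __name__ == "__main__":
    for host, reasons in find_proxy_bots(parse_flows(SAMPLE_FLOWS)).items():
        print(host, "->", "; ".join(reasons))
```

In the sample, 192.0.2.10 is flagged (four outside clients on tcp/8080 plus both check-ins), while 192.0.2.20 is not, because a single inbound client on 443 is ordinary traffic.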
Sophistication and Evasion Tactics Uncovered
According to the report, the botnet’s website boasted a daily pool of over 7,000 proxies, though Lumen’s data suggests a lower active count.
Nevertheless, the strategic selection of residential IPs for their proxies allowed attackers to blend malicious traffic with legitimate activity, complicating detection and mitigation efforts.
As part of the takedown, Lumen disrupted the network by null-routing all traffic to and from known C2 points across its global backbone, effectively severing the botnet’s operational core.
The operation also acknowledges contributions from Spur, whose insights enriched the research.
This takedown underscores the persistent danger posed by proxy botnets, especially as the proliferation of IoT devices and unpatched EoL systems creates a vast attack surface for cybercriminals.
Black Lotus Labs continues to monitor similar threats and collaborate with law enforcement to curb these networks, emphasizing the critical need for robust device lifecycle management and enhanced security practices to protect the internet ecosystem from such predatory schemes.