Four Hackers Caught Exploiting Old Routers as Proxy Servers

U.S. authorities unsealed charges against four foreign nationals accused of operating a global cybercrime scheme that hijacked outdated wireless routers to create malicious proxy networks.

Russian nationals Alexey Viktorovich Chertkov (37), Kirill Vladimirovich Morozov (41), and Aleksandr Aleksandrovich Shishkin (36), together with Kazakhstani national Dmitriy Rubtsov (38), face conspiracy and computer crime charges for allegedly profiting from botnets linked to the domains Anyproxy.net and 5socks.net.

The group reportedly generated over $46 million by selling access to infected devices, which were seized in a coordinated international operation involving the FBI and law enforcement agencies in the Netherlands and Thailand.

The U.S. Department of Justice unveiled a 13-count indictment accusing the four defendants of conspiring to infect older-model routers with malware, transforming them into proxies for illegal internet traffic.

The hackers targeted residential and business routers, including devices in Oklahoma, exploiting known security vulnerabilities in end-of-life models to install malicious firmware.

This allowed them to covertly reconfigure the routers and resell access to them through subscription-based platforms that had been operating for nearly two decades.

Prosecutors emphasized the scale of the operation: the 5socks.net domain alone advertised over 7,000 compromised proxies worldwide, with subscriptions priced between $9.95 and $110 monthly.

The indictment alleges Chertkov and Rubtsov falsified domain registration details to conceal their identities, while Morozov and Shishkin managed backend infrastructure.

The group’s slogan, “Working since 2004!”, underscored the longevity of their scheme, which evaded detection by leveraging outdated but still functional routers often overlooked by users.

Anyproxy and 5socks Botnet Operations

The botnets functioned by converting infected routers into intermediaries for anonymizing illicit cyber activities, including fraud, data theft, and credential stuffing.

Once compromised, routers were added to a pool of “residential proxies” marketed to cybercriminals seeking to mask their locations.

Subscribers could route their traffic through these devices, so that malicious activity appeared to originate from ordinary household internet connections and was harder to distinguish from legitimate use.

Forensic analysis revealed that the malware granted third-party control over routers, enabling traffic manipulation without owners’ knowledge.

The hackers’ revenue model relied on volume: court documents estimate that the Anyproxy network alone comprised tens of thousands of devices, generating recurring income through automated billing systems.

Investigators traced financial flows to offshore accounts, with the $46 million figure reflecting only a portion of the proceeds due to cryptocurrency transactions.

Global Law Enforcement Collaboration

The FBI’s Oklahoma City Cyber Task Force spearheaded the investigation, partnering with Dutch and Thai authorities to dismantle the botnet’s infrastructure.

In May 2025, the U.S. seized the Anyproxy.net and 5socks.net domains via a warrant in the Eastern District of Virginia, while European agencies disabled overseas servers.

Black Lotus Labs, a threat intelligence division of Lumen Technologies, provided critical technical assistance by analyzing network traffic and identifying command-and-control nodes.

U.S. Attorney Clint Johnson highlighted the operation’s significance, stating, “This takedown disrupts a major enabler of cybercrime that weaponized everyday devices.”

The case underscores escalating efforts to combat “proxyware” services, which have become instrumental in ransomware attacks and phishing campaigns.

However, experts warn that similar networks persist, often exploiting IoT devices with weak security protocols.

All defendants remain at large abroad, and extradition proceedings are pending. If convicted, they face up to 20 years in federal prison for conspiracy and computer fraud charges.

The Justice Department reaffirmed that an indictment is not evidence of guilt, and the accused are presumed innocent until proven otherwise.

The case marks a milestone in cross-border cybercrime enforcement, illustrating the technical and legal complexities of prosecuting actors who exploit global infrastructure gaps.

As router manufacturers phase out support for older models, authorities urge users to update firmware or replace obsolete devices to mitigate exploitation risks.
