International operation takes down Anyproxy and 5Socks botnet services

In a coordinated international law enforcement operation dubbed ‘Operation Moonlander,’ authorities have dismantled two long-running online services linked to a massive botnet of hacked internet-connected devices.

The seized services, Anyproxy and 5Socks, purported to provide legitimate residential proxy networks, tools commonly used to bypass geographic content restrictions or censorship. But prosecutors say these platforms were instead built on a network of thousands of compromised routers and other devices, secretly turned into nodes in a botnet used by cybercriminals.

The FBI, working in collaboration with the Dutch National Police (Politie), replaced the websites for Anyproxy and 5Socks with a seizure notice.

The US Department of Justice has indicted three Russian nationals, Alexey Viktorovich Chertkov, Kirill Vladimirovich Morozov, and Aleksandr Aleksandrovich Shishkin, along with Dmitriy Rubtsov of Kazakhstan. The four are accused of exploiting known vulnerabilities in older wireless routers to hijack devices globally, turning them into proxy endpoints for paying customers.

According to the indictment, the group advertised the botnet on cybercriminal forums and social media. The services, reportedly operational since at least 2004, generated substantial profits for the accused, estimated at more than $46 million, according to the DOJ.

None of the accused are currently in US custody, and all reside outside of the United States.

In a separate action, the Frankfurt am Main Public Prosecutor’s Office (ZIT) and the Federal Criminal Police Office (BKA) shut down the German server infrastructure of the crypto swapping service eXch, accessible via eXch.cx and other domains. The authorities seized over 8 terabytes of data and cryptocurrencies valued at approximately €34 million (Bitcoin, Ether, Litecoin, and Dash), marking the third-largest crypto asset seizure in BKA’s history.

Founded in 2014, eXch allowed users to anonymously exchange cryptocurrencies and was advertised on criminal darknet platforms as having no anti-money laundering measures. An estimated $1.9 billion in crypto assets were transferred through the platform since its inception. Authorities suspect the platform was used to launder illicit funds, including a portion of the $1.5 billion stolen in the February 2025 Bybit hack.
