Breaking: Criminal Proxy Botnet Utilizing IoT and End-of-Life Devices Dismantled in Collaborative U.S.-Dutch Operation
On May 9, 2025, a significant joint operation by Dutch and U.S. law enforcement successfully dismantled a sophisticated criminal proxy network that exploited thousands of compromised Internet of Things (IoT) and end-of-life (EoL) devices. This extensive botnet provided anonymity for malicious actors and facilitated illicit online activities.
As part of this operation, authorities executed a domain seizure and brought charges against four individuals linked to the botnet. Among those arrested are Russian nationals Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr Aleksandrovich Shishkin, 36, and Dmitriy Rubtsov, a 38-year-old citizen of Kazakhstan. These individuals are accused of operating and maintaining the proxy services for profit, reportedly generating more than $46 million from subscription fees ranging between $9.95 and $110 per month since the service’s establishment in 2004.
The criminal network took advantage of IoT devices and systems that have reached their end of life, which often lack the necessary security updates and protections. Such vulnerabilities made these devices attractive for exploitation, serving as unknowing participants in a botnet that offered anonymized access to cybercriminals. The substantial revenue generated points to a lucrative market for these types of services and raises concerns about the security of unprotected devices in commercial and residential settings.
This operation underscores the potential risks posed by compromised IoT and EoL devices. The competitive pricing of the proxy services indicates a calculated strategy to recruit more subscribers, revealing a disturbing trend in the proliferation of such services over nearly two decades.
From a cybersecurity perspective, several tactics from the MITRE ATT&CK framework could plausibly have been used by the botnet's operators. Initial access might have been achieved through techniques such as phishing or exploiting known vulnerabilities in devices that were no longer supported. Persistence could have been ensured by embedding malicious code into the firmware of the devices, making detection and remediation difficult for their owners. Additionally, privilege escalation techniques may have been employed to gain higher-level access not only to individual devices but also to the broader network of compromised systems.
As this case unfolds, business owners must remain vigilant concerning the security of their IoT devices. The rise of botnets exploiting outdated and unsecured systems highlights the urgent need for robust security measures and regular updates. It is imperative for organizations to understand the risks associated with IoT and EoL devices, proactively addressing potential vulnerabilities to mitigate the threat posed by similar malicious activities in the future.
This incident serves as a reminder of the evolving landscape of cyber threats and the critical need for continuous investment in cybersecurity measures to protect against such pervasive risks.