FBI, Amsterdam police dismantle global cybercrime ring using hacked routers
A joint operation between Dutch police and the FBI has dismantled the global criminal proxy service Anyproxy, which enabled cybercriminals to conceal their identities while carrying out phishing attacks, deploying ransomware, and stealing data, according to police.
The operation, part of a coordinated investigation named Operation Moonlander, targeted a vast network of compromised routers, many located in homes and small businesses worldwide. These routers, infected with malware known as TheMoon, were used to create a botnet controlled remotely by criminals, allowing them to operate untraceably.
The U.S. Department of Justice unsealed indictments against four men accused of operating Anyproxy and a related service called 5socks. Prosecutors allege the defendants earned more than 46 million dollars by selling access to the infected routers through websites like Anyproxy.net and 5socks.net. Customers paid monthly fees ranging from 9.95 to 110 dollars. The domains were registered using stolen identities and hosted by a company in Virginia.
The men—Russian nationals Alexey Chertkov, 37; Kirill Morozov, 41; and Aleksandr Shishkin, 36, along with Kazakhstani national Dmitriy Rubtsov, 38—are charged with conspiracy to commit computer crimes and intentionally damaging protected systems. Chertkov and Rubtsov also face additional charges for using false information to register internet domains.
The investigation began after a Dutch resident’s IP address was linked to digital fraud, which led authorities to uncover large-scale infrastructure that hijacked outdated internet routers—devices no longer supported by manufacturers with software or security updates.
“These devices, often located in homes and small businesses, were infected without the owners' knowledge,” Dutch police said in a statement. “The infected routers were then sold as anonymous internet access points, enabling criminals to operate without detection.”
Dutch authorities say more than 6,000 IP addresses were exploited through the Anyproxy network, with many victims in the United States. The malware has been active since 2014 and targets routers with remote administration enabled, a setting that leaves them vulnerable to attack.
While proxy services themselves are legal, authorities warned they are often misused for illegal activities, such as fraud and cyberattacks. Infected routers often displayed signs such as overheating, unexplained changes in settings, and loss of internet connection.
The FBI Cyber Task Force in Oklahoma assisted in identifying infected routers across the U.S. Investigators obtained a court-authorized seizure warrant from the Eastern District of Virginia to take control of the domains, while law enforcement partners worldwide dismantled additional servers tied to the botnet.
The operation also received support from the Royal Thai Police and cybersecurity company Lumen Technologies. Lumen’s Black Lotus Labs identified the malware infrastructure and helped confirm the botnet’s scale.
Dutch police emphasized the Netherlands' vulnerability to such cybercrime due to its role as a global internet hub. Amsterdam, home to more than 60 data centers, reportedly offers an open hosting market with limited regulation. Local authorities have called for stricter rules, including mandatory identity verification for digital service providers and a ban on anonymous cryptocurrency payments.
