In a significant international effort, law enforcement agencies have dealt a substantial blow to online criminal activity. The Amsterdam Police, working closely with the U.S. Federal Bureau of Investigation (FBI), have successfully dismantled the Anyproxy criminal proxy service. Operating since 2004, this service provided cybercriminals with the crucial anonymity needed to carry out a wide range of illegal acts, including phishing, ransomware attacks, and data theft.

Anyproxy facilitated widespread harm, enabling individuals to disrupt networks globally, steal substantial amounts of money, and compromise sensitive information – all while effectively masking their true identities. The sheer longevity of the service and the estimated millions of euros in damages it facilitated underscore the critical importance of this action in disrupting and preventing large-scale cyberattacks.

Understanding Proxy Services and Their Criminal Abuse

What is a Proxy Service?

At its core, a proxy service acts as an intermediary for your internet connection. When you use one, your online traffic routes through the proxy server first, effectively masking your real IP address. To websites and online services, it appears as though your traffic is originating from the proxy server’s location or another device entirely.

How Criminals Exploited Anyproxy

Cybercriminals heavily relied on services like Anyproxy to achieve anonymity. They often exploited vulnerable devices, particularly older routers in people’s homes that were no longer receiving security updates (often termed “end-of-life” equipment). These compromised devices would then be added to the proxy network and offered for rent on underground marketplaces. Payments were typically demanded in cryptocurrency, adding another layer of anonymity and making it exceedingly difficult for law enforcement to track down the individuals behind the attacks.

It’s important to note that while proxy services have legitimate uses, such as enhancing online privacy or accessing geographically restricted content, their ability to obscure identity makes them a prime tool for criminals seeking to evade detection.

The Investigation: Tracing the Anonymity

The path to dismantling Anyproxy began when the Amsterdam Police detected instances of digital fraud being carried out using the IP address of an innocent Dutch citizen. This initial lead quickly expanded, revealing how cybercriminals were leveraging the Anyproxy network by compromising outdated routers connected to legitimate internet services. This tactic allowed them to operate with a high degree of anonymity, making traditional tracking methods challenging.

Police investigations ultimately linked Anyproxy to over 6,000 compromised IP addresses globally, with a significant portion located within the United States. Recognizing the truly international scope of the threat, the Amsterdam Police initiated a crucial collaborative effort with the FBI. This joint investigation was codenamed “Operation Moonlander”.

The Takedown: Disrupting the Infrastructure

Anyproxy takedown (Photo: Politie.nl)

The Role of Dutch Infrastructure

The Netherlands boasts one of the most highly connected digital infrastructures globally, with numerous data centers, particularly concentrated in and around Amsterdam. However, the investigation highlighted a concerning vulnerability: the relatively open nature of the hosting market and a perceived lack of sufficient oversight on hosting services made parts of the Dutch digital landscape an attractive hub for illegal operations, including hosting components of the Anyproxy network.

Servers Seized Worldwide

The culmination of Operation Moonlander occurred on Wednesday, May 7th. In a globally coordinated action, law enforcement agencies successfully seized and took offline the servers supporting Anyproxy and other related proxy services. This decisive move represents a significant victory in the ongoing battle against organized cybercrime, effectively dismantling a critical piece of the digital infrastructure that criminals relied upon.

Protect Yourself: Check Your Router!

The investigation into Anyproxy highlighted a crucial vulnerability that affects individuals worldwide: thousands of older, unupdated routers were unknowingly being exploited by criminals as proxies for activities like phishing and ransomware attacks.

Why Outdated Routers Are a Target

Outdated routers that no longer receive security updates are prime targets for cybercriminals. They represent an easy entry point into your home or business network.

What You Need to Do

It is essential to verify whether your router is still supported by the manufacturer and whether it regularly receives security updates.

  • No Updates? Time to Upgrade: If your router isn’t receiving updates, it’s highly vulnerable and should be replaced.
  • Understand the Risks: A compromised router can lead to significant problems, including slow internet, unreliable connections, or even the loss of personal data. Cybercriminals can access your network, infect your devices with malware, and use your connection for illegal activities without your knowledge.

The Call for Stronger Legislation

This successful operation sends a strong message that the Netherlands is determined to prevent its digital infrastructure from becoming a haven for criminals. However, achieving a lasting impact requires more than just takedowns; it necessitates improved legislation. Authorities, including those from the Amsterdam triangle (referring to the collaboration between police, public prosecution, and local government), have issued a clear call to the government for measures such as mandatory Know-Your-Customer (KYC) policies for relevant services and potentially addressing the issue of anonymous cryptocurrency payments being used for illicit activities.

Separately, the U.S. Department of Justice has announced charges against three individuals from Russia and one from Kazakhstan in connection with their alleged roles in both the Anyproxy and 5socks criminal proxy services.

Author

Editorial Team