{
	"id": "414f362b-c13d-4e1b-b0a5-43242ed2ace0",
	"created_at": "2026-04-06T00:19:53.361333Z",
	"updated_at": "2026-04-10T13:12:18.768595Z",
	"deleted_at": null,
	"sha1_hash": "4781919ba0563c02cf491e7072d0c087a948a821",
	"title": "Botnet Dismantled in International Operation, Russian and Kazakhstani Administrators Indicted",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56594,
	"plain_text": "Botnet Dismantled in International Operation, Russian and\r\nKazakhstani Administrators Indicted\r\nPublished: 2025-05-09 · Archived: 2026-04-02 10:57:57 UTC\r\nTULSA, Okla. – A domain seizure warrant was unsealed, along with an indictment charging four foreign national\r\nhackers with conspiracy and other computer crimes, announced U.S. Attorney Clint Johnson.\r\nRussian nationals, Alexey Viktorovich Chertkov, 37, Kirill Vladimirovich Morozov, 41, Aleksandr\r\nAleksandrovich Shishkin, 36, and Dmitriy Rubtsov, 38, a Kazakhstani national, were charged with\r\nConspiracy and Damage to Protected Computers for conspiring with others to maintain, operate, and profit from\r\nbotnet services known as Anyproxy and 5socks.\r\nThe Indictment alleges that a botnet was created by infecting older-model wireless internet routers worldwide,\r\nincluding in the United States, using malware without their owners’ knowledge. The installed malware allowed the\r\nrouters to be reconfigured, granting unauthorized access to third parties and making the routers available for sale\r\nas proxy servers on the Anyproxy.net and 5socks.net websites. Both website domains were managed by a\r\ncompany headquartered in Virginia and hosted on computer servers worldwide.\r\nAdditional court documents reveal that the 5socks.net website advertised more than 7,000 proxies for sale\r\nworldwide, including in the United States. Users paid a monthly subscription fee, ranging from $9.95 to $110 per\r\nmonth. The website's slogan, “Working since 2004!”, indicates that the service has been available for more than\r\n20 years. The defendants are believed to have amassed more than $46 million from selling access to the infected\r\nrouters that were part of the Anyproxy botnet.\r\nChertkov and Rubtsov are additionally charged with False Registration of a Domain Name. 
They allegedly falsely\r\nidentified themselves when they registered and used the domains Anyproxy.net and 5socks.net during the\r\ncommission of these \r\nfelony crimes.\r\nDuring the investigation, the FBI’s Oklahoma City Cyber Task Force discovered that business and residential\r\nrouters in Oklahoma had malware installed without the users' knowledge.\r\nPursuant to a seizure warrant in the Eastern District of Virginia and in conjunction with the unsealing of the\r\nIndictment in the Northern District of Oklahoma, the FBI seized the Anyproxy.net and 5socks.net domain names.\r\nThe botnet overseas was also seized and disabled by foreign law enforcement partners. \r\nThe FBI Oklahoma City Cyber Task Force is investigating the case.\r\nAssistant U.S. Attorneys George Jiang and Christopher J. Nassar, with the Northern District of Oklahoma, are\r\nprosecuting the case, along with Ryan K.J. Dickey and Jane Lee, Senior Counsel from the Computer Crime and\r\nIntellectual Property Section.\r\nThe Justice Department collaborated closely with investigators and prosecutors from multiple jurisdictions in this\r\ninvestigation, including the Eastern District of Virginia, the Dutch National Police – Amsterdam Region, the\r\nNetherlands Public Prosecution Service (Openbaar Ministerie), and the Royal Thai Police. Black Lotus Labs of\r\nLumen Technologies, Inc., provided significant assistance and worked closely with investigators.\r\nAn indictment is merely an allegation, and all defendants are presumed innocent until proven guilty beyond a\r\nreasonable doubt in a court of law.\r\nVictim Assistance Advisory for Owners of Wireless Internet Routers Infected by\r\nthe Anyproxy/5socks Malware\r\nOn July 23, 2025, the U.S. District Judge John D. 
Russell issued an order directing the government to provide\r\nnotice to potential victims in the United States v. Alexey Viktorovich Chertkov, et al., criminal case number, 25-\r\nCR-160.\r\nIn May 2025, an Indictment was unsealed charging four foreign national hackers for conspiring with others to\r\nmaintain, operate, and profit from botnet services known as Anyproxy and 5socks. The Indictment alleges that a\r\nbotnet was created by infecting older-model wireless internet routers worldwide, including in the United States,\r\nusing malware without their owners’ knowledge.\r\nThe installed malware allowed the routers to be reconfigured, granting unauthorized access to third parties and\r\nmaking the routers available for sale as proxy servers on the Anyproxy.net and 5socks.net websites. As part of the\r\ninvestigation, the FBI executed a federal search warrant directed at the infected devices located in the United\r\nStates and further remediated the security vulnerabilities in 547 of them.\r\nMembers of the community who believe they may be the victim of this botnet may contact Victim Witness\r\nCoordinator and Supervisor, Brandi Duvall at 918-382-2700. For more information regarding the malware, please\r\nsee Alert Number I-050725-PSA and FLASH-20250507-001 listed on the Internet Crime Complaint Center.\r\nSource: https://www.justice.gov/usao-ndok/pr/botnet-dismantled-international-operation-russian-and-kazakhstani-administrators",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.justice.gov/usao-ndok/pr/botnet-dismantled-international-operation-russian-and-kazakhstani-administrators"
	],
	"report_names": [
		"botnet-dismantled-international-operation-russian-and-kazakhstani-administrators"
	],
	"threat_actors": [],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4781919ba0563c02cf491e7072d0c087a948a821.pdf",
		"text": "https://archive.orkl.eu/4781919ba0563c02cf491e7072d0c087a948a821.txt",
		"img": "https://archive.orkl.eu/4781919ba0563c02cf491e7072d0c087a948a821.jpg"
	}
}