Four men have been charged by the U.S. Department of Justice for running an operation that turned hundreds of thousands of ordinary internet-connected devices — home routers, IP cameras, digital video recorders — into weapons capable of generating some of the most powerful distributed denial-of-service attacks ever recorded. The indictments, unsealed in recent days, expose a sophisticated criminal enterprise that monetized compromised Internet of Things devices on an industrial scale, selling attack-for-hire services to anyone willing to pay.
The cases center on two interrelated botnets: one known as Anyproxy and another called 5socks. Both were allegedly operated by four foreign nationals — three Russian and one Kazakhstani — who infected aging, vulnerable wireless routers with malware that conscripted the devices into massive proxy networks, according to KrebsOnSecurity. The infected devices were then rented out to cybercriminals who used them to mask their identities, launch DDoS attacks, or commit fraud. Federal authorities coordinated with private-sector partners to disrupt the botnets’ command-and-control infrastructure, effectively severing the link between the operators and the compromised devices.
But the takedown didn’t stop there. A parallel investigation targeted a far more destructive botnet — one responsible for record-shattering DDoS attacks exceeding 10 terabits per second. That operation led to the identification of a hacker known online as “Emonet,” whose real identity federal agents traced through a combination of digital forensics and old-fashioned investigative work. Emonet’s botnet was built by exploiting known vulnerabilities in IoT devices at a staggering pace, compromising thousands of devices per day and assembling an army of zombie machines that dwarfed previous botnets in sheer firepower.
The scale is hard to overstate. Ten terabits per second. That’s enough traffic to overwhelm the defenses of most major corporations, cloud providers, and even some national internet infrastructures. For context, the 2016 Mirai botnet attack that knocked major websites offline — including Twitter, Netflix, and Reddit — peaked at roughly 1.2 terabits per second. The attacks attributed to Emonet’s network represent a nearly tenfold escalation.
The Anyproxy and 5socks botnets operated somewhat differently from Emonet’s infrastructure, though the underlying principle was the same: exploit weak or outdated IoT devices, install persistent malware, and monetize access. According to the indictment materials reviewed by KrebsOnSecurity, the Anyproxy service had been running since at least 2015 and maintained a pool of thousands of compromised routers at any given time. The operators charged subscribers monthly fees to route their internet traffic through the hijacked devices, effectively laundering the subscribers’ real IP addresses. The service was marketed on underground forums and even maintained a public-facing website, operating with a brazenness that suggested its operators felt insulated from law enforcement.
They weren’t.
The four defendants — Alexei Viktorovich Chernykh, Kirill Vladimirovich Morozov, Aleksandr Aleksandrovich Shishkin, and Dmitry Rubtsov — now face charges including conspiracy, computer fraud, and wire fraud. All four remain at large, believed to be in Russia or Kazakhstan, where extradition to the United States is unlikely absent extraordinary diplomatic developments. Still, the indictments serve as a signal. The FBI, working alongside the Justice Department’s Computer Crime and Intellectual Property Section, is naming names and dismantling infrastructure even when arrests aren’t immediately possible.
The disruption of these networks required close collaboration between government agencies and private companies. Cybersecurity firms provided technical intelligence on the botnets’ infrastructure, helping federal agents map the command-and-control servers and identify the malware variants used to infect devices. Internet service providers cooperated to sinkhole malicious domains, redirecting traffic from compromised devices away from the criminals’ servers and toward controlled infrastructure where it could be analyzed and neutralized.
And then there’s the Emonet problem — arguably the more alarming half of this story.
The hacker behind that alias built a botnet capable of attacks that would have been considered theoretically impossible just a few years ago. The 10-terabit-per-second threshold isn’t just a new record; it represents a qualitative shift in the threat that botnets pose to global internet infrastructure. DDoS mitigation providers have been racing to expand their scrubbing capacity, but attacks of this magnitude strain even the largest commercial defenses. Cloudflare, one of the world’s biggest DDoS mitigation companies, has publicly documented attacks in the multi-terabit range in recent months, confirming that the threat is not hypothetical.
What made Emonet’s botnet so potent was a combination of volume and velocity. The operator didn’t rely on a single exploit or a narrow class of vulnerable devices. Instead, the botnet’s scanning and exploitation toolkit targeted a broad range of IoT devices — cameras, routers, network-attached storage boxes, smart home gadgets — cycling through known vulnerabilities at machine speed. Many of the targeted devices were running firmware that hadn’t been updated in years, if ever. Some were manufactured by companies that had gone out of business, leaving the devices permanently unpatched. Others were simply deployed by consumers and small businesses who had no idea their hardware was exposed to the internet, let alone compromised.
This is the fundamental tension at the heart of IoT security. The devices are cheap, ubiquitous, and frequently abandoned by their manufacturers long before they stop working. There’s no recall mechanism, no automatic update system for most of them, and no economic incentive for their owners to replace hardware that still functions. The result is a vast, growing population of vulnerable machines connected to the global internet — a permanent reservoir of raw material for botnet operators.
Federal officials have acknowledged this structural problem even as they celebrate the tactical victories. FBI Director’s recent public statements have emphasized that disruption operations, while necessary, are not sufficient to address the underlying vulnerability of the IoT supply chain. Legislative efforts to mandate minimum security standards for internet-connected devices have gained some traction in Congress, but comprehensive regulation remains elusive. The Cyber Trust Mark program, a voluntary labeling initiative launched by the Biden administration, aims to help consumers identify devices that meet basic security criteria, but adoption has been slow and the program lacks enforcement teeth.
The international dimension complicates matters further. The defendants in these cases are alleged to have operated from countries with limited law enforcement cooperation with the United States. Russia, in particular, has long been accused of tolerating or even tacitly encouraging cybercriminal activity conducted by its nationals against Western targets. The Kremlin has consistently denied such allegations, but the pattern is well-documented: Russian-speaking cybercriminals operate with relative impunity as long as they don’t target Russian entities.
So what happens next?
The sinkholing of the Anyproxy and 5socks infrastructure means that the compromised devices, while still infected, are no longer receiving instructions from the criminal operators. Over time, as devices are rebooted, replaced, or taken offline, the botnet will atrophy. But the malware remains on many of the affected routers, and absent active remediation — either by the device owners or their ISPs — those machines could be re-recruited by other botnet operators scanning for already-compromised hosts.
For Emonet’s botnet, the disruption is similarly temporary unless the underlying vulnerabilities are addressed. Security researchers who have tracked the botnet’s evolution say its operator demonstrated an unusual level of technical sophistication, rapidly integrating new exploits and adapting the malware’s communication protocols to evade detection. Even with the current infrastructure disrupted, rebuilding a botnet of comparable scale could take weeks, not months, given the sheer number of vulnerable IoT devices available.
The private sector’s role in these operations deserves scrutiny. Companies like Lumen Technologies, which operates the Black Lotus Labs threat intelligence team, and Cloudflare have been instrumental in identifying and tracking botnet infrastructure. Their cooperation with law enforcement has become increasingly formalized, with information-sharing agreements and joint technical operations that would have been unusual a decade ago. This public-private partnership model has produced tangible results, but it also raises questions about accountability, transparency, and the appropriate scope of private companies’ involvement in what are essentially law enforcement operations.
There’s a broader strategic context here, too. DDoS attacks are not just a nuisance. They are a tool of coercion, extortion, and geopolitical disruption. State-sponsored actors have used DDoS attacks to silence dissidents, disrupt elections, and punish adversaries. Criminal groups use them to extort businesses, demanding ransom payments in cryptocurrency to stop the flood of malicious traffic. The availability of botnets-for-hire — services like the ones allegedly operated by the defendants in these cases — lowers the barrier to entry for all of these activities. Anyone with a few hundred dollars and a grudge can rent enough firepower to knock a mid-sized company offline.
The indictments unsealed this week won’t end that problem. But they represent a meaningful escalation in the federal government’s willingness to pursue botnet operators aggressively, even across international borders and even when the prospects for extradition are slim. The message to the broader cybercriminal community is straightforward: anonymity is not guaranteed, infrastructure is not safe, and the cost of doing business just went up.
Whether that message is received — and whether it changes behavior — remains an open question. The economics of botnet operation still favor the attackers. The tools are freely available. The vulnerable devices number in the hundreds of millions. And the demand for anonymous proxy services and DDoS-for-hire shows no sign of declining.
For now, the FBI and its partners have won a battle. The war, as always, continues.


WebProNews is an iEntry Publication