A sophisticated criminal proxy botnet, active for over two decades, has been dismantled after infecting thousands of unpatched Internet of Things (IoT) and end-of-life (EoL) devices globally, providing a concealed infrastructure for malicious actors.
The takedown, a result of a coordinated effort by Lumen’s Black Lotus Labs in partnership with the U.S. Department of Justice, Federal Bureau of Investigation (FBI), and the Dutch National Police, marks a significant victory against a threat that blended criminal traffic with legitimate residential networks to obfuscate illicit activities.
Global Law Enforcement and Lumen Disrupt
Operating since at least 2004, this botnet maintained a shadowy yet resilient presence, offering thousands of hijacked residential IP addresses to paying customers on underground forums.
Research from Lumen, drawing on telemetry from its global backbone, revealed that an average of 1,000 active bots communicated weekly with the command-and-control (C2) servers, which were primarily located in Turkey.
Over half the compromised devices were traced to the United States, while Canada and Ecuador also reported substantial infections.
This persistence and targeting strategy have made the network as potent as infamous services like CloudRouter and Proxy.AM, despite not matching their scale.
The network’s straightforward monetization required payment in cryptocurrency and notably required no authentication for proxy access.

This open-access model drastically widened the risk, enabling a diverse array of criminals to leverage the infrastructure for purposes such as ad fraud, distributed denial-of-service (DDoS) attacks, brute-force campaigns, and even data exploitation.
By focusing on IoT and small office/home office (SOHO) devices long neglected by security updates, the botnet evaded standard monitoring tools, with only about 10% of infected proxies being flagged by platforms like VirusTotal.
This allowed malicious traffic to masquerade convincingly as ordinary user activity, compounding the challenge for defenders and incident responders.
Unpatched IoT Devices Fuel
Lumen’s intervention came after extensive monitoring and mapping of the botnet’s architecture.
Researchers identified that the C2 infrastructure relied on five primary servers in Turkey, with most victim communication occurring over HTTP on port 80 and specialized functions using UDP on port 1443, likely for data exfiltration.
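The two traffic traits reported above (routine check-ins over HTTP/80 and bulk UDP/1443 transfers) are enough to build a simple flow-log triage. The following is an added example and not Lumen's tooling; it assumes NetFlow-style records as tuples of (timestamp in seconds, source, destination, protocol, destination port, bytes), and the C2 address and sample flows are constructed placeholders rather than the published indicators.

```python
# Added example (not Lumen's tooling): flag hosts whose flows match the C2
# pattern described above. Assumes NetFlow-style tuples
# (ts_seconds, src, dst, proto, dport, bytes); the C2 address is a placeholder.
from collections import defaultdict
from statistics import mean, pstdev
KNOWN_C2 = {"198.51.100.10"}  # placeholder, not a published indicator
# Constructed sample: .20 checks in over HTTP/80 every 600 s and then sends a
# large UDP/1443 burst; .21 is ordinary web browsing.
SAMPLE_FLOWS = [
    (0,    "192.168.1.20", "198.51.100.10", "tcp", 80,   420),
    (600,  "192.168.1.20", "198.51.100.10", "tcp", 80,   418),
    (1200, "192.168.1.20", "198.51.100.10", "tcp", 80,   421),
    (1800, "192.168.1.20", "198.51.100.10", "tcp", 80,   419),
    (1850, "192.168.1.20", "198.51.100.10", "udp", 1443, 65000),
    (30,   "192.168.1.21", "203.0.113.5",   "tcp", 443,  9000),
    (700,  "192.168.1.21", "203.0.113.7",   "tcp", 80,   3000),
]

def beaconing_pairs(flows, min_flows=4, max_cv=0.1):
    """(src, dst) pairs whose HTTP/80 contacts recur at near-fixed intervals
    (coefficient of variation of the gaps at or below max_cv)."""
    times = defaultdict(list)
    for ts, src, dst, proto, dport, _ in flows:
        if proto == "tcp" and dport == 80:
            times[(src, dst)].append(ts)
    hits = []
    for pair, ts_list in times.items():
        if len(ts_list) < min_flows:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append(pair)
    return hits

def classify_flows(flows, known_c2=KNOWN_C2):
    """Map each suspicious source host to the distinct reasons it was flagged."""
    findings = defaultdict(list)
    def note(src, reason):
        if reason not in findings[src]:
            findings[src].append(reason)
    for _, src, dst, proto, dport, nbytes in flows:
        if dst in known_c2:
            note(src, f"{proto}/{dport} to known C2 {dst}")
        elif proto == "udp" and dport == 1443:
            # Not a standard service port; the report tied UDP/1443 to exfiltration.
            note(src, f"udp/1443 to unlisted host {dst} ({nbytes} bytes)")
    for src, dst in beaconing_pairs(flows):
        note(src, f"regular HTTP/80 beaconing to {dst}")
    return dict(findings)
```

Calling `classify_flows(SAMPLE_FLOWS)` flags only 192.168.1.20, for its known-C2 contacts, its UDP/1443 burst and its fixed-interval HTTP/80 check-ins; the regular-interval check is the part that still fires once the C2 addresses change.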

New victims were assimilated via classic exploits targeting unpatched or obsolete devices, eschewing novel vulnerabilities in favor of tried-and-tested attack surfaces that ensured persistent, low-noise control.
For botnet customers, purchasing a proxy granted access to a unique IP and port for 24 hours, with the frontend verifying that the IP was not on major deny-lists, a feature making these proxies especially attractive for bypassing security controls.
Notably, compromised proxies often remained undetected and open for repeated abuse, with access granted to anyone able to discover them, not just paying renters.
This enabled a variety of criminal operations to exploit the same infrastructure simultaneously, increasing the botnet’s utility and threat.
The coordinated disruption was executed by null-routing all traffic to and from the known C2 nodes across Lumen’s backbone, effectively severing botnet communications.
Lumen acknowledged Spur for support in research and confirmed that indicators of compromise and C2 details have been made available to the security community for broader defense.
This takedown highlights the enduring risk of EoL and IoT devices left unpatched in the wild, serving as a reminder that even legacy threats can maintain relevancy and resiliency for decades.
As more connected devices proliferate globally, the need for vigilance, cross-sector cooperation, and proactive defense against such proxy botnets remains critical in safeguarding internet security.