Feds Dismantle Russian Rsocks Botnet Powered by Millions of IoT Devices

The hackers behind Rsocks botnet used the hacked IoT devices as proxy servers where its customers would pay them for using the device’s IP address while the device owner remained unaware of the exploitation.

The US Department of Justice (DoJ) seized and dismantled a Russian botnet infrastructure, the operators of which hijacked millions of devices across the globe to offer IP proxy service.

The prosecutors alleged that Rsocks was in use by an undisclosed, notorious Russian hacker(s) running a sophisticated cybercrime organization. The gang offered web proxy service after hacking into millions of IoT devices, computers, laptops, and Android smartphones.

How did the Seizure happen?

In a press release, the DoJ confirmed the involvement of law enforcement agencies from the UK, the Netherlands, and Germany in this operation launched in 2017 by the Federal Bureau of Investigation (FBI).

Seized Rsocks website

The bureau secretly purchased proxies from Rsocks to track its infrastructure and located at least 325,000 infected devices in the US. Prosecutors claimed that the botnet conducted cyber intrusions within the US and abroad.

What are Proxy Servers?

Proxy service operators provide access to IP addresses to interested users for a fee. Though not inherently illegal, the service manages to bypass censorship and access geo-restricted content for the user.

In the case of Rsocks’ botnet, the hackers used the devices as proxy servers. The customers would pay them for using the compromised devices’ IP address while the device owner remained unaware of the exploitation.

“The owners of these devices did not give the RSOCKS operator(s) authority to access their devices in order to use their IP addresses and route internet traffic.”

Department of Justice

A Botnet Comprising 8M Residential Devices

As per the information shared by Rsocks on Twitter, the botnet had claimed 8 million residential devices and over a million mobile IPs. According to the prosecutors, Rsocks used brute force attacks to invade millions of devices and expand the botnet army illegally.

An archive copy of the now seized website

The operators not only victimized individuals and home businesses but also high-profile private and public entities, including a hotel, a university, a TV studio, and an electronics maker.

How Was Rsocks Used?

Reportedly, those intending to avail Rsocks proxies rented the access through an online storefront for different timelines and rates, ranging from $30/day for accessing 2,000 proxies to $200/day for 90,000 proxies.

After purchasing, the cybercriminals redirected malicious internet traffic via the IP addresses linked to the infected devices to hide their identity and launch various attacks such as credentials stuffing, hijacking social media accounts, or phishing messages.

This seizure comes just two weeks after the US authorities seized another illegal marketplace, SSNDOB, for stealing/selling the private data of around 24 million US citizens.

More Botnet Seizure News

Related Posts