
Lumen Technologies’ Black Lotus Labs, in collaboration with the U.S. Department of Justice and the Dutch National Police, has uncovered and disrupted a stealthy proxy botnet that weaponized thousands of outdated and Internet of Things (IoT) devices to provide criminal anonymity-as-a-service.
Tracked for over a year, this botnet enabled cybercriminals to mask their activities behind seemingly legitimate residential IP addresses, facilitating a host of malicious campaigns ranging from ad fraud and brute-force attacks to data theft and DDoS operations.
“Through Lumen’s global backbone, we discovered a weekly average of 1,000 unique bots in contact with the command-and-control (C2) infrastructure,” the report states. “Over half of these victims are in the United States.”
This proxy network—operating since at least 2004—capitalized on unpatched and unsupported devices that had aged out of the vendor lifecycle. The attackers relied on known vulnerabilities in end-of-life routers and smart devices.

“In predatory fashion, they abuse equipment that has aged out of the vendor support lifecycle and cannot be patched or protected,” the report explains.
By embedding malware into these devices, operators created a shadow network of proxies that users could access seamlessly in exchange for cryptocurrency payments, with no authentication required. This open-access design, while facilitating legitimate rentals, also allowed other bad actors to hijack and abuse the service without payment.
The infrastructure was built around five servers located in Türkiye, with most traffic using HTTP on port 80. One server uniquely communicated via UDP on port 1443, suggesting a role in data collection or exfiltration.
“Users are allowed to connect directly with proxies using no authentication, which… can lead to a broad spectrum of malicious actors gaining free access.”
Buyers were presented with proxy details (IP and port) that changed daily, and notably, the system even checked each IP against deny-lists—giving buyers insight into how likely they were to bypass monitoring tools.
The botnet’s design enabled anonymity for hire, with infected devices posing a serious detection challenge. According to Lumen, “only around 10% are detected as malicious in popular tools such as VirusTotal,” allowing threat actors to operate under the radar for days at a time.
“When it comes to proxy services for malicious criminals, the most important attributes are location, stability, and anonymity,” Lumen researchers note.
This architecture bore a strong resemblance to previously analyzed services like NSOCKS and Faceless, both of which exploited the same attack surface and were advertised on underground forums.
Lumen null-routed traffic to and from the known C2 servers across its global backbone, effectively severing the botnet’s control channels. This international law enforcement effort was supported by contributions from cybersecurity company Spur and other research partners.
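The traffic profile described above (five C2 servers, HTTP on TCP port 80, one server on UDP port 1443) can be turned into a flow-log hunt for devices on your own network. The following is an added example, not code from Lumen's report: the C2 addresses are placeholders from the RFC 5737 documentation range because the article lists none, and the flow-record format, the 10.0.0.0/8 internal range and the `hunt` function are assumptions.

```python
import ipaddress
from collections import defaultdict

# Placeholder C2 list (RFC 5737 documentation range); substitute published indicators.
C2_SERVERS = {ipaddress.ip_address(f"192.0.2.{i}") for i in range(1, 6)}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed local address space
C2_PROFILE = {("tcp", 80), ("udp", 1443)}          # services named in the article

# Constructed flow records: timestamp src dst proto dport bytes
SAMPLE_FLOWS = """\
2025-05-01T10:00:00Z 10.0.0.12 192.0.2.1 tcp 80 420
2025-05-01T10:00:07Z 10.0.0.12 192.0.2.5 udp 1443 96
2025-05-01T10:01:00Z 10.0.0.30 198.51.100.7 tcp 443 5100
2025-05-01T10:02:00Z 10.0.0.44 198.51.100.9 udp 1443 64
2025-05-01T10:03:00Z 10.0.0.12 192.0.2.1 tcp 80 433
malformed line
2025-05-01T10:04:00Z 10.0.0.51 192.0.2.3 tcp 22 80
"""

def hunt(flow_text):
    """Group suspicious outbound flows by internal source address.

    confirmed: any flow to a listed C2 address, as (ts, dst, service, matches_profile)
    review:    outbound UDP/1443 to an unlisted address, as (ts, dst, service);
               a weak signal (assumption: the port is rare in normal traffic)
    """
    findings = defaultdict(lambda: {"confirmed": [], "review": []})
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records instead of failing the whole hunt
        ts, src, dst, proto, dport, _nbytes = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            service = (proto.lower(), int(dport))
        except ValueError:
            continue
        if src_ip not in INTERNAL_NET:
            continue  # only report on devices we are responsible for
        label = f"{service[0]}/{service[1]}"
        if dst_ip in C2_SERVERS:
            findings[src]["confirmed"].append((ts, dst, label, service in C2_PROFILE))
        elif service == ("udp", 1443):
            findings[src]["review"].append((ts, dst, label))
    return dict(findings)

if __name__ == "__main__":
    for host, hits in sorted(hunt(SAMPLE_FLOWS).items()):
        print(host, len(hits["confirmed"]), "confirmed,", len(hits["review"]), "to review")
```

Hosts under `confirmed` are candidates for isolation and replacement, since the article notes the abused devices are end-of-life and cannot be patched.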