In a recent security advisory, the FBI warned of a quietly growing cyber threat: outdated home and small business routers are being turned into tools for criminal anonymity.
Bad actors are compromising end-of-life (EoL) routers (devices no longer supported by their manufacturers) to install malware and conscript them into sprawling proxy networks like 5Socks and AnyProxy. Once infected, these routers become conduits for malicious traffic, obfuscating the true origin of cyberattacks and illicit activities.
“The botnets are used in various ways, such as launching coordinated attacks or selling access to the devices. With the 5Socks and Anyproxy network, criminals are selling access to compromised routers as proxies for customers to purchase and use. The proxies can be used by threat actors to obfuscate their identity or location,” the FBI said.
Outdated Tech, Fresh Targets
The hardware in question isn’t fresh off the shelf. Many of these routers, mostly models from Linksys, Cisco, and Cradlepoint, were released over a decade ago. They no longer receive firmware updates, meaning they’re defenseless against modern exploits. They include Linksys E1200, E2500, WRT310N, Cisco M10, Cradlepoint E100, and similar legacy gear.
Attackers exploit well-documented vulnerabilities and inject persistent malware, often without needing a password. If remote administration features are left enabled, it is even easier.
Meet TheMoon Malware
At the heart of these attacks is a familiar name: TheMoon malware. First spotted in the wild back in 2014, it has evolved considerably. In another advisory, the FBI warned that the latest variant has been observed scanning the internet for vulnerable devices, exploiting open ports, and installing proxy services, all without user interaction.
Once a device is compromised, it phones home to a command-and-control (C2) server, awaiting instructions. These may include scanning for other routers to infect, expanding the botnet, and helping criminals reroute web traffic to cover their tracks.
Why Proxies Matter in Cybercrime
A proxy server acts like a middleman between a user and the Internet. Malefactors exploit this to mask their real IP addresses, making their actions appear to come from legitimate residential networks. That means when attackers are logging into stolen crypto wallets, buying illegal services, or launching phishing attacks, an innocent bystander’s router could be doing the dirty work, without their knowledge.
These aren’t just isolated, low-level nuisances. This kind of proxy network is sold on the dark web to other criminals, creating a cascade effect where one vulnerable device can facilitate dozens of crimes.
Signs of Compromise
There are several telltale signs that a router has been hijacked:
- Internet connectivity that is suddenly sluggish or unreliable
- Devices overheating or randomly rebooting
- Settings changed without manual intervention
- Remote management mysteriously turned on
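Two of these signs, settings that change on their own and remote management switching on, can be checked by comparing a saved settings snapshot against the current one. The sketch below is an added example, not part of the FBI advisory or the original article; the `key = value` export format and the setting names are hypothetical, and the model list holds only the models named above.

```python
# Added example: baseline-vs-current audit of router settings.
# The key=value format and key names are hypothetical; adapt to your device.

# Models named in the article (not exhaustive; token match is approximate).
EOL_MODELS = {"E1200", "E2500", "WRT310N", "M10", "E100"}
REMOTE_KEYS = {"remote_management", "remote_admin"}  # hypothetical names
TRUTHY = {"1", "on", "true", "enabled", "yes"}


def parse_snapshot(text):
    """Parse 'key = value' lines into a dict; skip blanks and '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit(baseline_text, current_text):
    """Return (severity, message) findings for drift since the baseline."""
    base, cur = parse_snapshot(baseline_text), parse_snapshot(current_text)
    findings = []
    for key in sorted(set(base) | set(cur)):
        old, new = base.get(key), cur.get(key)
        if old == new:
            continue
        if key in REMOTE_KEYS and (new or "").lower() in TRUTHY:
            findings.append(("HIGH", f"{key} turned on (was {old!r})"))
        else:
            findings.append(("MEDIUM", f"{key} changed: {old!r} -> {new!r}"))
    # Flag the device itself if its model string contains a listed model.
    if EOL_MODELS & set(cur.get("model", "").upper().split()):
        findings.append(("HIGH", "model is on the end-of-life list; replace it"))
    return findings


# Constructed sample snapshots (not real device output).
BASELINE = "model = Linksys E2500\nremote_management = off\ndns1 = 192.0.2.53"
CURRENT = "model = Linksys E2500\nremote_management = on\ndns1 = 198.51.100.7"

if __name__ == "__main__":
    for severity, message in audit(BASELINE, CURRENT):
        print(severity, message)
```

Take the baseline snapshot right after a factory reset and reconfiguration, so that later drift is measured against a known-good state.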
Protecting Users, Businesses
The FBI offers practical steps to protect users and businesses:
- Replace outdated routers: If your device is no longer supported, it’s time for an upgrade.
- Disable remote admin: This is one of the most exploited features—turn it off immediately.
- Update firmware: If patches are still available, apply them now.
- Use strong, unique passwords: Long, random, and not reused across devices or accounts.
- Reboot and reset: If you suspect foul play, reset your router and change all associated credentials.
Anyone who believes their router has been compromised or used as part of a proxy network is advised to:
- Report the incident to the FBI’s Internet Crime Complaint Center at www.ic3.gov
- Notify their ISP or account provider
- Change all related passwords and monitor for suspicious activity
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


