The Federal Bureau of Investigation (FBI) dismantled an international botnet comprising more than 23,000 proxies after the hacker responsible for the network reached a plea deal with authorities.
Sergei Makinin, a Russian and Moldovan national, is facing a lengthy prison term after he pled guilty to three hacking-related charges, each carrying a maximum 10-year sentence.
Makinin’s botnet proxy network, known as IPStorm or InterPlanetary Storm, was first observed in 2019 by Anomali. It was unusual because it used a peer-to-peer (p2p) network running on the InterPlanetary File System’s (IPFS) p2p network protocol.
“The use of a legitimate p2p network can make it difficult to discover the malicious traffic as it potentially is blended in with legitimate traffic to the legitimate p2p network,” Anomali researchers said at the time.
The botnet initially targeted Windows systems before expanding to infect Linux, Mac, and Android devices. Computers and other devices from around the world, including in North and South America, Europe, and Asia, were ensnared in the network.
In a Nov. 14 statement, the U.S. Department of Justice said Makinin controlled the “extensive” botnet from at least June 2019 through December 2022. Using a pair of websites he owned, proxx[.]io and proxx[.]net, he sold access to customers who were seeking to hide their internet activities.
“A single customer could pay hundreds of dollars a month to route traffic through thousands of infected computers,” the DoJ said. “Makinin’s publicly accessible website advertised that he had over 23,000 ‘highly anonymous’ proxies from all over the world.”
Makinin told authorities he made at least $550,000 from the scheme and, as part of the plea deal, agreed to forfeit cryptocurrency linked to the offending.
In October 2020, not long after IPStorm’s reach had been expanded beyond Windows devices, researchers at Barracuda estimated the botnet had already infected approximately 13,500 machines in 84 countries.
The researchers said IPStorm gained access to new machines by running a dictionary attack against SSH servers.
“It can also gain entry by accessing open ADB (Android Debug Bridge) servers. The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other IoT devices,” the Barracuda researchers said.
Makinin’s case was prosecuted in Puerto Rico, where some of the infected devices were located. The FBI’s investigation was headed by the bureau’s San Juan cyber team with cooperation from authorities in Spain and the Dominican Republic. Researchers from Bitdefender, Anomali and Intezer also assisted the investigation, the DoJ said.
“This case serves as a warning that the reach of the law is long, and criminals anywhere who use computers to commit crimes may end up facing the consequences of their actions in places they did not anticipate,” said U.S. Attorney Stephen Muldrow.
“The FBI’s cyber mission has been to impose risk and consequences on our adversaries, ensuring cyberspace is no safe space for criminal activity,” said Joseph González, special agent in charge of the FBI’s San Juan Field Office. “This case is one example of how we are doing just that.”
