Security Experts:

Connect with us

Hi, what are you looking for?



Law Enforcement Dismantle Infrastructure of Russian ‘RSOCKS’ Botnet

The United States on Thursday announced the takedown of a botnet operated by Russian cybercriminals that ensnared millions of devices worldwide.

The United States on Thursday announced the takedown of a botnet operated by Russian cybercriminals that ensnared millions of devices worldwide.

Dubbed “RSOCKS,” the botnet initially targeted Internet of Things (IoT) devices – including industrial control systems, routers, content streaming devices, and various smart devices – but later expanded to compromising Android devices and conventional computers as well.

The purpose of the botnet was to abuse the IP addresses of the compromised devices to reroute internet traffic for paying customers, thus allowing them to hide their real IPs.

Legitimate proxy services lease IP addresses from ISPs and then provide those IPs to their customers for a fee. The RSOCKS botnet offered access to the IP addresses of hacked devices without the permission or the knowledge of the owners.

Miscreants could access a web-based “storefront” where they could rent access to proxies for a specific time period. The RSOCKS botnet’s operators asked for $30 per day for access to 2,000 proxies, but the price could go up to $200 per day for access to 90,000 proxies.

Following the purchase, the customer was provided with a list of IP addresses and ports for the botnet’s backend servers and could start routing their internet traffic through the compromised devices.

The customers of proxy servers such as the RSOCKS botnet were likely launching large scale phishing campaigns and credential stuffing attacks against authentication services, and were hiding their real IPs when accessing compromised social media accounts, the US Department of Justice (DoJ) notes.

In order to identify the RSOCKS botnet’s infrastructure, FBI investigators made undercover purchases. In early 2017, they identified roughly 325,000 hacked victim devices, which were compromised via brute force attacks.

The investigation also revealed that, in addition to home businesses and individuals, the RSOCKS botnet had compromised large public and private entities, including a hotel, a university, an electronics manufacturer, and a television studio.

At three locations, with victims’ consent, the investigators replaced the compromised systems with government-controlled devices that acted as honeypots, and observed all three being subsequently compromised by RSOCKS.

The DoJ announced that US authorities worked together with law enforcement in Germany, the Netherlands, and the United Kingdom to take down the botnet’s infrastructure.

Related: Europol Announces Takedown of FluBot Mobile Spyware

Related: Russian Law Enforcement Take Down Several Cybercrime Forums

Related: Authorities Take Down DoubleVPN Service for Aiding Cybercriminals

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.