In recent years, the FBI and law enforcement agencies of other countries have shut down several large proxy rental services because of botnets.
Similarly, other services are being eliminated because of the botnet. As a case in point, in January 2022, Google filed a lawsuit against two owners of the Russian Extracard Bank Card Service and the Dont.farm Accounts Service.
In each instance, a botnet refers to a computer network infected with malware. They use such networks for crypto mining, spreading viruses, DDoS attacks, user data collection, and so on.
VIP72
This proxy service was launched in 2006. It was intended as a tool to hide the real user location. According to security research, VIP72 mostly used compromised computers to redirect client traffic.
It is worth noting that the service was hosted on an American IP. Technadu analysts suggest that this allowed the FBI to shut down VIP72. Although there is no public information about the operation by special forces, the service went offline in August 2021.
Some users claim that the project amissed the rising competition and they weren’t able to put together a proper infrastructure. After all, the proxy market was quite different 15 years ago.
LUXSOCKS
LUXSOCKS was very popular with publishers from the CIS. The service provided proxies in different GEOs like the USA, Europe, Africa, and Asia. In January 2021, project representatives announced the closeout. They gave users ten days to spend their account balance.
LUXSOCKS representatives claimed the closeout as retirement, but due to its connection with the Unicc Carding Service, one may conclude that they were either shut down by authorities or weren’t able to operate on the same terms.
In the Unicc Store, they traded stolen credit card details and US social security numbers. According to several media reports, Russian resident Andrey Novak owned the project. His arrest was reported in January 2021.
The damage by The Infraud Organization, which was behind Unicc, is estimated at $586M. In fact, the FBI has been out for the members of this organization for many years in cooperation with the “K” Russian department. The latter detained the Infraud members.
In 2018, another head of the Infraud Organization, Russian hacker Sergey Medvedev, was arrested in Bangkok. During the domiciliary visit, they found wallets with 100,000 BTC in his possession. As a result, he was sentenced to ten years in prison.
RSocks
The service traded IPV4 proxies wholesale and apiece. RSocks users were able to use proxies in 51 countries. They also provided internally sourced VPN for safe surfing.
In June 2022, it was reported that the US Department of Justice neutralized the RSocks botnet, which was used for DDoS attacks and spamming. According to law enforcement officials, millions of computers were hacked by the botnet on a global scale.
On 16 June, the USDOJ reported a special op against a Russian botnet on the official website. According to public data, since 2017 FBI investigation officers have repeatedly purchased proxies to collect data about the RSocks infrastructure.
On 22 June, researchers of the KrebsOnSecurity Group disclosed the owner’s details: a 35-year-old Russian resident Denis Emeliantsev.
911.re
In July 2022, a closeup of another popular Chinese proxy rental service was reported. In a public statement, project representatives announced that it was repeatedly hacked during the past two years.
In the KrebsOnSecurity Blog, they posted a nice inquiry on 18 July, which said that for seven years straight, the 911.re service traded access to hundreds of thousands of computers around the world. Representatives of the proxy service claimed that they accessed the devices legally as users agreed to the terms of use of a free VPN.
The investigators concluded that 911 was supported by some kind of botnet infrastructure. One of the domains associated with the service was used for the ExE Bucks Affiliate Program, where they offered high rates for installing a potentially unreliable proxy.
According to Proxyway, the 911.re closeup has affected the proxy market as a whole. Since then, SOCKS5 and residential proxies traffic increased by 150-200%.
AWMProxy.net
This service was associated with the Glupteba botnet, Dont.farm, and Extracard Service. After Google’s statement about the lawsuit against the botnet’s owners, the AWM Proxy Service suddenly shut down after 14 years on the market.
KrebsOnSecurity researchers refer to AWM Proxy as the largest service for traffic redirection via hacked devices. The botnet was distributed via download affiliate programs.
After these events, AWM Proxy migrated to another domain and now offers customers the largest proxy database at affordable prices. They also claim that the service is administered by Russian law and blocks websites from Roskomnadzor’s blacklist.
VPN & Safe-Inet Hosting
The service referred to as a “bulletproof VPN” has been on the market since 2010. In 2020, the FBI reported an operation during which they blocked three VPN services used for phishing, account theft, and other fraudulent activities.
They arrested service providers in five countries. The server data was acquired by the law enforcement authorities for analysis. According to investigation findings, the intelligence agencies promised to serve charges against users who violated the law.
What’s the Future of Proxy Rental Services?
To somehow secure themselves from a brush with the law, proxy services insinuated verification via KYC (Know Your Customer). SOAX, the largest IP provider, recently announced the introduction of customer verification procedures.
To analyze user details, they use a Veriff KYC Platform. Before you can pay for the trial proxy package, you’ll see a notification with the verification requirements in your dashboard.
According to Proxyway experts, KYC integration will allow white proxy services to secure themselves from problems with authorities and to provide authorities with customer details upon request.
Some services like the SocksEscort do not consider KYC but impose limitations on FTUs. When RSocks closed, their server load increased dramatically and they temporarily suspended the option to create new accounts.
According to KrebsOnSecurity, SocksEscort uses a malware-based proxy network: the IP addresses they provide are associated with infected computers.
