IPStorm botnet containing 23,000 proxies for malicious traffic removed

  • November 15, 2023

The US Department of Justice announced that the Federal Bureau of Investigation took down the network and infrastructure of a botnet proxy service called IPStorm. IPStorm allowed cybercriminals to anonymously route malicious traffic through Windows, Linux, Mac and Android devices worldwide.

In the case, Serhiy Makinin, a citizen of Russia and Moldova, pleaded guilty to three counts of computer fraud and now faces a maximum sentence of 10 years in prison. The Justice Department’s notice describes IPStorm as a proxy botnet that allows cybercriminals, scammers and others to avoid interception and remain anonymous by routing their traffic through thousands of compromised devices in people’s homes or offices.

In addition to unwittingly or unwillingly becoming facilitators of cybercrime, IPStorm victims also had their network bandwidth hijacked by the attackers and were at risk of receiving more dangerous payloads at any time. Makinin’s proxy service was offered through the websites “proxx.io” and “proxx.net”, which advertised more than 23,000 anonymous proxy servers worldwide.

“According to court documents, between at least June 2019 and December 2022, Makinin developed and distributed malware to compromise thousands of internet-connected devices worldwide, including in Puerto Rico,” the U.S. Department of Justice said in a statement.

“The primary purpose of the botnet was to turn infected devices into proxy servers as part of a commercial scheme that enabled access to these proxy servers through Makinin’s websites, proxx.io and proxx.net” – U.S. Department of Justice.

Makinin admitted to making at least $550,000 in profits from proxy services he sold to others and agreed to forfeit the cryptocurrency wallets holding the proceeds of crime. The law enforcement operation to take down the IPStorm botnet did not involve victim computers.

In development since 2019

Technical details on how IPStorm works and its variants are available in a report first published in October 2020 by Intezer, which assisted the FBI with information regarding the cybercrime operation. IPStorm started as malware targeting Windows and later evolved to target Linux architectures, including Android-based IoT devices.

Its authors followed a modular design approach, with various Golang packages offering a range of specialized functionalities while remaining compact and versatile across target systems. The malware used the InterPlanetary File System (IPFS) peer-to-peer network to hide its malicious activity and resist attempts to take down its infrastructure. It also introduced SSH brute-forcing to spread to adjacent systems, antivirus evasion, and persistence mechanisms.

Thanks to this infrastructure, cybercriminals can use thousands of systems to redirect traffic and thus hide their tracks. The price of IPStorm network access can reach hundreds of dollars per month.

Several law enforcement agencies participated in the investigation, including the Cyber Attack Unit of the Spanish National Police, the Dominican National Police – International Organized Crime Unit, the Ministry of Internal Affairs and the Police and Immigration Directorate.

Source: Port Altele
