IPStorm botnet with 23,000 proxies for malicious traffic dismantled

The U.S. Department of Justice announced today that Federal Bureau of Investigation took down the network and infrastructure of a botnet proxy service called IPStorm.

IPStorm enabled cybercriminals to run malicious traffic anonymously through Windows, Linux, Mac, and Android devices all over the world.

In connection to the case, Sergei Makinin, a Russian-Moldovan national, pleaded guilty to three counts relevant to computer fraud and now faces a maximum penalty of 10 years in prison.

The DoJ announcement describes IPStorm as a proxy botnet enabling cybercriminals, scammers, and others, to evade blocks and remain anonymous by channeling their traffic through thousands of compromised devices in people’s homes, or offices.

Apart from unknowingly and involuntarily becoming cybercrime facilitators, the victims of IPStorm suffered the consequences of having their network bandwidth hijacked by malicious actors and risked receiving more dangerous payloads at any time.

Makinin’s proxying service was offered through the websites ‘proxx.io’ and ‘proxx.net,’ where it was advertised that it provided over 23,000 anonymous proxies worldwide.

“According to court documents, from at least June 2019 through December 2022, Makinin developed and deployed malicious software to hack thousands of Internet-connected devices around the world, including in Puerto Rico,” reads the U.S. DoJ announcement.

“The main purpose of the botnet was to turn infected devices into proxies as part of a for-profit scheme, which made access to these proxies available through Makinin’s websites, proxx.io and proxx.net” - U.S. Department of Justice

Makinin admitted that he made a profit of at least $550,000 from the proxy services he sold to others and agreed to forfeit cryptocurrency wallets holding the crime proceeds.

The law enforcement operation to dismantle the IPStorm botnet have not extended to victim computers.

Evolving since 2019

Technical details on the operation of IPStorm and its variants are available in a report report by Intezer, who assisted the FBI with info on the cybercrime operation, originally published in October 2020.

IPStorm started as a Windows-targeting malware that later evolved to target Linux architectures, including Android-based IoT devices.

Its authors followed a modular design approach with different Golang packages offering a set of dedicated functionality, keeping it lean and versatile across a range of target systems.

The malware used the InterPlanetary File System (IPFS) peer-to-peer network to hide its malicious activities and resist infrastructure takedown attempts. It featured SSH brute-forcing for spreading to adjacent systems, antivirus evasion, and persistence mechanisms.

Through this infrastructure, cybercriminals could use thousands of systems to route traffic and thus hide their tracks. The price for access to the IPStorm network could reach hundreds of dollars per month.

Multiple law enforcement organizations were involved in the investigation, including the Spanish National Police Cyber Attack Group, Dominican National Police-International Organized Crime Division, and Ministry of the Interior and Police-Immigration Directorate.