20-Year Proxy Botnet Using IoT Devices Dismantled
A decades-old proxy botnet that hijacked thousands of vulnerable internet-connected devices has been dismantled in a coordinated operation involving Lumen Technologies’ Black Lotus Labs, the FBI, the U.S. Department of Justice and the Dutch National Police. Active since 2004, the botnet exploited unpatched Internet of Things (IoT) and end-of-life (EoL) devices, primarily in residential networks, to create a proxy service used for ad fraud, DDoS attacks and brute-force operations.
Black Lotus Labs tracked the botnet for over a year, identifying an average of 1,000 new infections weekly, mostly in the U.S., Canada and Ecuador. Command servers in Turkey controlled the network, which was marketed under a “rent-a-proxy” model that accepted cryptocurrency and lacked authentication.
Lumen neutralized the operation by null-routing traffic to the botnet’s infrastructure. The company also released indicators of compromise to support defenders. The takedown underscores the growing risk posed by unpatched IoT devices and residential proxy abuse.
