The notorious IPStorm botnet proxy network, which first spun up in 2019 targeting Windows systems and two years later expanded to devices running other operating systems, is shut down and its creator in jail after pleading guilty to related criminal counts, according to the FBI.

The federal law enforcement agency said this week that it’s taken down the network and its infrastructure and that Sergei Makinin, a Russian and Moldovan national who ran the network from at least June 2019 to December 2022, in September pleaded guilty to three charges for running the operation and faces up to 30 years in prison.

No sentencing date has been announced.

The operation ends a four-plus-year run of a botnet that law enforcement authorities said reached around the world. Makinin’s website advertised that the botnet included more than 23,000 proxies collected from all over the world and Makinin said he collected at least $550,000 from the operation, the FBI said.

As part of his plea agreement, Makinin is forfeiting cryptocurrency wallets connected to the scheme.

Botnet Used by Other Cybercriminals

Makinin’s malware was used to turn infected devices into proxies that were part of a massive botnet that he would then offer access to through his websites, proxx[.]io and proxx[.]net.

“Through those websites, Makinin sold illegitimate access to the infected, controlled devices to customers seeking to hide their Internet activities,” the FBI said in a statement. “A single customer could pay hundreds of dollars a month to route traffic through thousands of infected computers.”

The thousands of infected internet-connected devices spanned countries around the world, including in Puerto Rico. The investigation was run by the FBI cyber team in San Juan and helped by the agency’s legal attaché offices in Madrid, Spain, and in Santo Domingo in the Dominican Republic, as well as law enforcement agencies in both countries and Interpol. The National Cyber-Forensics and Training Alliance, which includes cybersecurity vendors Bitdefender, Anomali, and Intezer.

“It is no secret that in present times, much criminal activity is conducted or enabled through cybernetic means,” Joseph González, Special Agent in Charge of the FBI’s San Juan Field Office, said in a statement. “Cybercriminals seek to remain anonymous and derive a sense of security because they hide behind keyboards, often thousands of miles away from their victims.”

The FBI noted that its capabilities in the case was limited to disabling the botnet’s infrastructure, so agents couldn’t use information of the owners or users of the infected computers within the infrastructure.

The botnet’s malware was called InterPlanetary Storm, given its use of the InterPlanetary File System peer-to-peer network, which allowed the infected systems in the botnet to communicate with each other directly and via nodes.

Malware Targeted Windows, Android, Linux Systems

The malware was built on the Go programming language, which was unusual at the time but now is in wide use by cybercriminals who are looking to use more modern languages to help evade detection. First uncovered by Anomali in 2019, the malware initially targeted Windows. However, a year later, researchers Bitdefender and Barracuda Networks detected a new variant that attacked Internet of Things (IoT) devices like TVs that ran on Android, systems that run Apple’s Mac OS, and machines like routers powered by Linux. Around the same time, Barracuda researchers noted that IPStorm was being used as a proxy-for-hire infrastructure to help other bad actors remain anonymous while running their schemes.

Barracuda at the time said that 59% of the infected systems were in Asia, with 25% located in Russia, Ukraine, Brazil, the United States, Canada, Sweden, and China. Others were scattered among other countries.

While Makinin charged bad actors access to the IPStorm botnet, most other botnets are used for such operations a distributed denial-of-service (DDoS) attacks and information stealing.

Botnets a Fast-Growing Growing Threat

In a report late last year, network visibility vendor Netscout said the accelerating shift by consumers and organizations to online services meant that cybercriminals would follow close behind, with threats like botnets continuing “to evolve in a variety of ways – from accelerated growth to new types of attacks to more-sophisticated ways of hiding. In short, botnets are a bigger risk to corporate security than ever before.”

That evolution is continuing. In 2022, Netscout counted 1.3 million DDoS-capable botnet nodes. In the first half of 2023, the vendor tracked 592,373 nodes.

“These nodes continue to power direct-path attacks targeting enterprises around the globe,” Netscout researchers wrote in a report his year. “Groups like Killnet have yet to go away and continue to add tools to their kit. They leverage malware families like Mirai, bend open proxy servers to their will, and leverage so-called bulletproof hosting providers to hide their activities while attempting to overwhelm enterprise defenses.”