FBI takes down IPStorm malware botnet as hacker behind it pleads guilty

The FBI dismantled the IPStorm botnet proxy network and its infrastructure this week following a September plea deal with the hacker behind the operation.

The Justice Department said it took down the infrastructure associated with the IPStorm malware — which experts said infected thousands of Linux, Mac, and Android devices across Asia, Europe, North America and South America.

The botnet was first sighted by researchers in June 2019, primarily targeting Windows systems, and stood out to experts because it used the InterPlanetary File System (IPFS) peer-to-peer protocol to communicate with infected systems and relay commands. Cisco warned last year that IFPS was being exploited widely by hackers.

By 2020, several security companies discovered that the malware had expanded to versions that infected other devices and platforms. Cybersecurity journalist Catalin Cimpanu reported that the botnet grew from around 3,000 infected systems in May 2019 to more than 13,500 devices by 2020.

On Tuesday, the U.S. Justice Department said Sergei Makinin, a Russian and Moldovan national, pled guilty on September 18 to three hacking charges that each carry a maximum sentence of ten years in prison.

According to the DOJ, Makinin developed and deployed the malware from June 2019 to December 2022, using it to hack thousands of internet-connected devices around the world.

“Makinin controlled these infected devices as part of an extensive botnet, which is a network of compromised devices. The main purpose of the botnet was to turn infected devices into proxies as part of a for-profit scheme, which made access to these proxies available through Makinin’s websites, proxx.io and proxx.net,” the Justice Department explained.

“Through those websites, Makinin sold illegitimate access to the infected, controlled devices to customers seeking to hide their Internet activities. A single customer could pay hundreds of dollars a month to route traffic through thousands of infected computers. Makinin’s publicly-accessible website advertised that he had over 23,000 ‘highly anonymous’ proxies from all over the world.”

Makinin told officials that he made at least $550,000 from the scheme and agreed to forfeit all cryptocurrency related to the operation.

The DOJ said it disabled the infrastructure set up by Makinin but did not go so far as to remove the malware from victim devices — a controversial action the FBI has taken in several previous botnet takedowns.

The FBI’s office in San Juan, Puerto Rico led the investigation alongside FBI attaches in the Dominican Republic and Spain.

U.S. law enforcement agencies also worked with the Spanish National Police-Cyber Attack Group and several law enforcement agencies in the Dominican Republic.

The Justice Department also thanked Anomali Threat Research — one of the first companies to discover the malware — and Bitdefender, which also did extensive research into the botnet.

Alexandru Catalin Cosoi, senior director of the investigation and forensics unit at Bitdefender, confirmed that the company was involved in the investigation and told Recorded Future News that the Interplanetary Storm botnet was “complex and used to power various cybercriminal activities by renting it as a proxy as a service system over infected IoT devices.”

Cosoi said during Bitdefender’s research and analysis, clues about the identity of the cybercriminal were uncovered and offered to law enforcement.

“Our initial research back in 2020 uncovered valuable clues to the culprit behind its operation, and we are extremely pleased it helped lead to arrests,” Cosoi said.

“This investigation is another primary example of law enforcement and the private cybersecurity sector working together to shut down illegal online activities and bring those responsible to justice.”

The FBI and other U.S. law enforcement agencies have made a point of going after botnets in recent years.

In August, the FBI worked with an array of international law enforcement agencies to take down Qakbot — one of the most prolific and longest-running botnets. In May, the FBI targeted the Kremlin-backed Snake malware and conducted an operation to disrupt the Cyclops Blink malware.

But several of those takedowns — most notably that of Emotet — were criticized for lacking arrests, prompting worries that little would stop groups from simply reforming.

Joseph González, Special Agent in Charge of the FBI’s San Juan Field Office, added that the FBI’s goal is to “impose risk and consequences on our adversaries, ensuring cyberspace is no safe space for criminal activity.”

“It is no secret that in present times, much criminal activity is conducted or enabled through cybernetic means,” he said. “Cybercriminals seek to remain anonymous and derive a sense of security because they hide behind keyboards, often thousands of miles away from their victims.”