What is RSOCKS? A proxy service that hacked devices

Anton P. | July 13, 2022

RSOCKS was a proxy service allegedly providing clients with legitimate IP addresses leased from Internet Service Providers (ISPs). Customers could pay $30 a day for 2,000 proxies, or a higher price for more. RSOCKS also supplied a VPN service and an XMPP messaging server. Users could also choose proxies located in a specific country, such as the US.

However, on June 16, 2022, the US Department of Justice seized RSOCKS proxies and services. Although it advertised itself as a legitimate service, RSOCKS operated a pool of hacked devices secretly turned into proxy servers. Estimates suggest that the Russian-operated service likely compromised millions of devices worldwide.


What is a proxy service?

RSOCKS was a proxy service, supplying customers with IP addresses for specific fees. In short, a proxy service provides access to servers standing as intermediaries between clients and their online destinations.

Therefore, proxy servers perform tasks on your behalf, meaning that your IP address does not get revealed. Some proxies also provide encryption of data, protecting customers’ activities further.

Usually, such services are in no way illegal or dangerous. People can use proxy or VPN services for many legitimate reasons:

  • For remote work, when some users are outside a particular network.
  • Safeguarding networks from malicious activities.
  • Combating unjust internet censorship or geo-blocks interfering with access to online information.
  • Hiding your actual location while browsing online.
  • Becoming more anonymous on the internet.

However, proxy services must offer IP addresses that they have the right to operate. Also, choosing reliable providers means finding convincing evidence that a proxy service does not log user activity information. Despite running a standard web-based storefront, RSOCKS did not qualify as a reliable provider.

What is the RSOCKS service?

The latest news states that Russian cybercriminals operated the RSOCKS service, conducting large-scale attacks. The pool of proxies supplied by the service actually consisted of compromised victims’ devices. Reports suggest that such victims include private companies, educational facilities, businesses, and numerous individuals.

The RSOCKS investigation involved law enforcement agencies in the Netherlands, the UK, Germany, and the US Department of Justice. The joint effort focused on digging deeper into the internet-connected devices under RSOCKS control. The investigation identified RSOCKS as a botnet that had hacked millions of devices worldwide. The compromised devices included:

  • Common devices like computers or smartphones.
  • Industrial control systems.
  • Routers.
  • Streaming devices.
  • Smart garage door openers.
  • Time clocks.
  • And likely other Internet of Things (IoT) devices.

So, instead of supplying legitimately leased IP addresses, RSOCKS hacked devices and offered their addresses. Owners of devices and their related IP addresses did not permit their devices to be included in the service. Instead, criminals used brute force attacks to gain control over them.

How did investigators find out about the shady dealings of the RSOCKS botnet?

FBI investigators aimed to get their hands on the backend infrastructure of RSOCKS. The operation began in 2017, with law enforcement purchasing RSOCKS services undercover. Then, they discovered over 300,000 hacked devices. According to reports, most were in the US, specifically in San Diego County.

The hackers retained a persistent connection to the hacked devices. Therefore, investigators obtained permission from three victims to set up honeypots. This meant replacing compromised devices with government-controlled ones.

Who used RSOCKS services?

Many unsuspecting clients likely used RSOCKS, believing it to be a legitimate proxy service. However, the main customers might have included cybercriminals, hiding behind victims’ IP addresses to conduct illegal activities. Thus, hackers hid the true source of traffic, likely compromising the unsuspecting IP address owners.

According to the US Department of Justice, hackers using RSOCKS conducted the following attacks:

  • Large-scale attacks against authentication services (credential stuffing).
  • Using compromised social media accounts.
  • Sending phishing or other deceptive emails.
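An added example (not from the original article or from the Department of Justice material): a defender-side sketch of why a per-IP lockout misses credential stuffing that is spread across a proxy pool, and an aggregate check that catches it. The event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

def build_sample():
    """Constructed events: (epoch_seconds, source_ip, username, success)."""
    events = []
    # 40 proxy exits (RFC 5737 documentation addresses), 3 accounts tried per exit.
    for i in range(40):
        for j in range(3):
            events.append((1000 + i, f"203.0.113.{i + 1}", f"user{i * 3 + j}", False))
    # One legitimate user mistypes twice, then logs in.
    events += [(1010, "198.51.100.7", "alice", False),
               (1015, "198.51.100.7", "alice", False),
               (1020, "198.51.100.7", "alice", True)]
    return events

def per_ip_lockout(events, max_failures=5):
    """Classic control: flag source IPs with more than max_failures failed logins."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n > max_failures}

def distributed_stuffing(events, window=300, min_ips=20, min_users=50,
                         max_success_ratio=0.05):
    """Flag time windows whose failures span many IPs and many accounts.
    Thresholds are illustrative assumptions; tune them to your own baseline."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[ts // window].append((ip, user, ok))
    alerts = []
    for bucket, rows in sorted(buckets.items()):
        failed = [(ip, user) for ip, user, ok in rows if not ok]
        ips = {ip for ip, _ in failed}
        users = {user for _, user in failed}
        ratio = sum(1 for row in rows if row[2]) / len(rows)
        if (len(ips) >= min_ips and len(users) >= min_users
                and ratio <= max_success_ratio):
            alerts.append({"window_start": bucket * window, "ips": len(ips),
                           "users": len(users), "success_ratio": round(ratio, 3)})
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP lockout flags:", per_ip_lockout(sample))
    print("aggregate alerts:", distributed_stuffing(sample))
```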

Now, the RSOCKS.net website has been shut down and features a message from the US Department of Justice.

How to protect yourself from brute force attacks

The RSOCKS botnet used brute force attacks to compromise victims’ devices. A brute force attack means hackers submit many combinations to crack passphrases or passwords. The potential login info can be random (dictionary attacks) or taken from databases of breached credentials.

Luckily, some changes to your devices and accounts can help you defend against brute force attacks:

  1. Use complex and lengthy passwords. Create combinations longer than 12 characters. They should contain special symbols, letters, and numbers. Additionally, avoid using words or personal information in your passwords.
  2. Do not keep using the same password. A unique password must protect each account you have.
  3. Apply 2FA whenever possible. Two-factor authentication can protect your device or account from danger even if perpetrators guess passwords correctly.
  4. Check whether your credentials are safe. Special online search engines can scan the web to find whether your login information has been compromised. Atlas VPN also offers a Data Breach Monitor, helping people discover whether their email and associated accounts are safe. Our feature also sends automatic alerts if it detects new threats.

Can you trust proxy services?

Proxy services act as middlemen between you and the internet. Therefore, they need to be reliable and offer the necessary security features. For instance, rerouting your traffic through a proxy server is no longer enough.

You should require a proxy service to encrypt internet traffic, stopping most snooping attempts. That includes ISPs and the proxy service itself. It is also essential to research a proxy service. For example, RSOCKS appeared legitimate at first glance. However, reviewers like TechRadar had mentioned that the lack of information about its owners raised some red flags.

Additionally, there might be some confusion regarding a VPN and a proxy service. They share use cases and functionalities to an extent. However, most proxies only cover web browsing, while VPNs deal with all internet traffic.

Proxy servers focus on rerouting data, with many services not offering encryption options. A VPN adds extra security by encrypting online traffic and rerouting it through remote servers. Therefore, a VPN should be your preferred choice in terms of security, anonymity, and privacy.


Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background in technical content writing.


Tags: IP address, brute force attack, honeypot, credential stuffing

© 2023 Atlas VPN. All rights reserved.