The website offered a paid IP proxy service, allowing its customers to hide their real IP addresses by giving them access to existing IP addresses around the world. Access to the affected IP addresses was made possible by infecting modems worldwide, belonging to individuals or organisations, with malware. After infection, the modems’ owners would not be aware that their IP addresses were being used for illegitimate activities. The service has compromised 369 000 routers and other devices across 163 countries and had a customer base of approximately 124 000 users.

To gain access to the proxy service, customers had to make payments through a payment platform. The platform made it possible to pay for the service anonymously using crypto currency. It is estimated that the payment platform received more than EUR 5 million from customers of the proxy service.

The international investigation revealed that servers used to spread the malware were located in France, Germany, Hungary, the Netherlands, Romania and the United States. To take down the servers, Eurojust ensured that European Investigation Orders were prepared, ready to be executed during the action day.

Judicial cooperation was coordinated by Eurojust. Authorities from France, Austria, the Netherlands and the United States came together several times in The Hague to exchange information and plan a coordinated strategy to take action. Judicial requests to Bulgaria, Germany, Hungary and Romania were transmitted through the Agency to prepare for the action day.

Europol supported the investigation with operational and analytical assistance, including crypto tracing, malware and network analysis, and cross-checks against its databases. On the action day, Europol hosted a Virtual Command Post at its headquarters in The Hague to support coordination between the authorities involved.

During a coordinated operation on 11 March, the infrastructure that used to run the proxy service was targeted. Authorities were able to take down 24 servers in seven countries and seize 34 domains. The infected modems used to offer the proxy service have been disconnected from the service. Approximately EUR 3.5 million in cryptocurrency was frozen by US authorities.

The actions were carried out by the following authorities:

• Austria: Criminal Intelligence Service Austria; Public Prosecutor’s Office Vienna
• Bulgaria: District Public Prosecution Office Plovdiv, General Directorate for Combating Organized Crime, Cybercrime Directorate
• France: Public Prosecution Office Paris J3 Anti-Cybercrime unit; Investigative Judge from JIRS/JUNALCO Financial and Cybercrime section - Court of Paris; National Police Cybercrime national Office (OFAC)
• Germany: Düsseldorf Police Headquarters; Central Contact Point for Cybercrime North Rhine-Westphalia (ZAC NRW)
• Hungary: Prosecution Service of Hungary; National Bureau of Investigation Cybercrime Department
• Netherlands: Public Prosecution Office Limburg; Police Limburg
• Romania: Prosecution Office of the High Court of Cassation and Justice; Directorate for investigation of Organized Crime and Terrorism, Central Office; Directorate for Combating Organized Crime, Central Cybercrime Unit; General Inspectorate of the Romanian Police
• United States: U.S. Department of Justice; U.S. Attorney's Office for the Eastern District of California