Key takeaways
- There was no clean "shutdown" and no publicly reported law-enforcement seizure of Faceless. The pivotal event was a network-level disruption by Lumen's Black Lotus Labs on March 26, 2024, not an arrest or a domain seizure.
- The original brand is now defunct:
faceless.cc is offline (it does not respond in our checks), and researchers who track it describe Faceless as "now defunct" and assess it rebranded as "Doppelgänger" around May–June 2025 on a new botnet called KadNap.
- Faceless was powered by "TheMoon" botnet — not Ngioweb/NSOCKS. If you have seen Faceless lumped in with the Ngioweb/"Water Barghest" story, that is a different network; getting the plumbing right matters here.
Status checked July 19, 2026. Short answer to "when did Faceless close?": there is no single, official closure date. The service was publicly disrupted on March 26, 2024; its website faceless.cc is offline (unreachable in our checks and flagged down by uptime monitors since at least mid-2025); and security researchers now treat the Faceless brand as defunct, with its operation assessed to have re-emerged as "Doppelgänger" in 2025. So "it shut down a while ago" is broadly true in spirit — but it was a slow disruption-and-rebrand, not a clean takedown.
If you are asking "what happened to Faceless — did it get shut down, and when?", the honest answer is more interesting than a single seizure date. Faceless was one of the longest-running criminal anonymity services on the Russian-speaking underground. It was not dismantled by a raid on a fixed date; it was slowly strangled by an industry disruption, went dark, and appears to have re-emerged under a new name. Below is the dated, sourced timeline, with the facts separated from the guesswork.
What Faceless actually was#
Faceless was a malware-based anonymity/proxy service — commonly reached at the domain faceless.cc — that rented access to tens of thousands of compromised devices so that customers could route traffic through them and hide their real origin. For years it advertised proxy access for less than a dollar a day, required no identity verification (no KYC), and accepted cryptocurrency only — ideal conditions for anyone who wanted to launder the origin of malicious traffic.
According to KrebsOnSecurity, Faceless was run by a Russian-speaking cybercrime figure using the handle "MrMurza," active on underground forums since at least 2012. Faceless did not appear from nowhere: it grew out of an earlier anonymity service called "iSocks," which launched in 2014. Around September 2016, MrMurza told iSocks users the service was being phased out in favor of Faceless, offering free migration before new registration fees (reported at $50–$100) kicked in. In other words, the Faceless brand has roots going back roughly a decade.
Unlike the "residential proxy" brands caught up in the 2026 takedowns — many of which resell and whitelabel each other's supply — Faceless ran its own botnet-fed pool. That is an important distinction we will keep coming back to.
What powered it: TheMoon, not Ngioweb#
A common point of confusion is worth clearing up. Faceless was fed by a botnet called "TheMoon" — malware that hijacked end-of-life small office / home office (SOHO) routers and IoT devices. It was not the Ngioweb botnet, and it is not the same thing as the NSOCKS service or the "Water Barghest" actor that researchers tie to Ngioweb. Those are a separate ecosystem. If you have seen Faceless mentioned in the same breath as Water Barghest, that conflation is common but incorrect.
Lumen's Black Lotus Labs assessed TheMoon as the primary, if not the only, supplier of bots to Faceless. In its telemetry, the overlap between the two was extreme — in one ten-day window, roughly 80–90% of devices talking to Faceless control servers had also talked to TheMoon's. The devices were disproportionately located in the United States (~80% of Faceless bots), and the service was used to hide traffic for malware operators such as SolarMarker and IcedID.
The dated timeline#
2014 — the "iSocks" precursor launches#
MrMurza opens iSocks, advertised on Russian-language crime forums as a way to route traffic through compromised computers.
September 2016 — Faceless takes over from iSocks#
Existing iSocks users are pushed to migrate to Faceless, which becomes the flagship anonymity brand.
April 2023 — KrebsOnSecurity profiles Faceless#
Krebs publishes a detailed investigation ("Giving a Face to the Malware Proxy Service 'Faceless'"), documenting the operator, the pricing, and the service's decade of history. At this point Faceless is very much alive.
March 26, 2024 — the disruption (the closest thing to a "shutdown" date)#
Lumen's Black Lotus Labs publicly disclosed the Faceless/TheMoon operation and announced it had blocked all traffic to and from the dedicated infrastructure associated with both across Lumen's global network, and released indicators of compromise (IoCs) so others could do the same. Their reporting described a network that had grown to over 40,000 bots across 88 countries in early 2024, including a single campaign that compromised more than 6,000 ASUS routers in under 72 hours. This is the event most people mean when they say Faceless "got taken down" — but note carefully what it was: a network-level disruption by a private company, not a law-enforcement seizure. There were no publicly reported arrests and no seizure banner on the domain.
2024–2025 — the site goes dark#
Following the disruption, faceless.cc stopped being reliably reachable. Public uptime checks show the domain timing out from multiple continents by mid-2025, and it remains unreachable in our own checks.
May–June 2025 — "Doppelgänger" appears#
A new criminal proxy service called "Doppelgänger" launched. Researchers at Lumen's Black Lotus Labs, working with Spur, assess Doppelgänger to be a functional rebrand of the now-defunct Faceless service.
March 10, 2026 — the KadNap disclosure ties it together#
Lumen published research on a new peer-to-peer botnet it calls "KadNap" (built on a custom Kademlia DHT, primarily hijacking ASUS routers, ~14,000 daily victims). KadNap's bots are sold through Doppelgänger — the service Lumen and Spur link back to the defunct Faceless. This is the clearest public confirmation that the operation did not simply die; it changed clothes.
So — when did Faceless "close"?#
Put plainly: Faceless was never formally shut down on a single announced date, and there is no public record of a police seizure or arrest. The realistic answer to "when did it close" is a window, not a date:
- March 26, 2024 is the defensible turning point — the public disruption that broke its infrastructure.
- Through 2024–2025 the
faceless.cc site went and stayed offline.
- By 2025 researchers were describing the brand as defunct, with its operation rebranded as Doppelgänger.
So if someone tells you "Faceless shut down a while ago," they are broadly right about the outcome — the original brand is gone — but the mechanism was a slow disruption and rebrand, not a clean takedown.
What it means for you#
For the overwhelming majority of legitimate proxy users, the direct answer is simple: Faceless was never a service you should have been using. It was an explicitly criminal, botnet-fed anonymity tool built on hijacked routers belonging to ordinary people. Its disappearance is good news, not a gap in the market to fill.
The broader lesson is the one running through all of our 2026 coverage: cheap "anonymity" that hides its sourcing is almost always someone else's compromised hardware. The Faceless-to-Doppelgänger story shows how resilient these operations are — disrupt the infrastructure and the operators rebuild on a fresh botnet under a new name. That is exactly why chasing the lowest-cost, no-questions-asked pool is a losing game.
Honest guidance#
- Do not go looking for a "Faceless replacement." Services in that category exist to launder malicious traffic through victims' devices; using them carries legal and ethical risk, not just reliability risk.
- If you need proxies for legitimate work (data collection, ad verification, QA), choose providers that can explain how their pool is sourced, what device owners consent to, and how they are compensated — and verify live health before committing budget.
- Treat "it still resolves" as meaningless. With Faceless the domain went dark; with rebrands like Doppelgänger the infrastructure simply moves. A reachable login page is not evidence a network is safe or stable.
- Keep perspective on the wider crackdown. Faceless is an older, self-run malware proxy — a different story from the 2026 residential-proxy takedowns. For that separate wave, see our 2026 proxy takedown tracker and the NetNut FBI seizure report.
FAQ#
Did Faceless get shut down, and when?#
Not by a clean seizure. The closest thing to a shutdown date is March 26, 2024, when Lumen's Black Lotus Labs publicly disrupted the Faceless/TheMoon infrastructure by null-routing its traffic and releasing IoCs. There is no publicly reported arrest or domain seizure. The site faceless.cc went offline afterward and researchers now call the brand defunct.
Is Faceless still around under another name?#
Researchers assess that the operation re-emerged as "Doppelgänger" around May–June 2025, powered by a new peer-to-peer botnet called KadNap (disclosed by Lumen in March 2026). So the brand "Faceless" is gone, but the underlying criminal proxy business appears to have continued under a new name.
Was Faceless the same as Ngioweb, NSOCKS, or Water Barghest?#
No. Faceless was fed by TheMoon botnet. Ngioweb (tied to the NSOCKS service and the "Water Barghest" actor) is a separate botnet and ecosystem. They are frequently confused because both abuse SOHO routers, but they are not the same network.
Who ran Faceless?#
According to KrebsOnSecurity, Faceless was operated by a Russian-speaking cybercrime figure using the handle "MrMurza," and it grew out of the earlier "iSocks" service that launched in 2014.
Is it safe to buy a "Faceless" proxy today?#
There is nothing legitimate to buy. Any site claiming the Faceless name now is at best a shell of a defunct criminal service and at worst a scam or a rebrand routing through hijacked devices. Avoid it.
Sources#
- KrebsOnSecurity — "Giving a Face to the Malware Proxy Service 'Faceless'" (April 2023).
- Lumen, Black Lotus Labs — "The darkside of TheMoon" / "Lumen Disrupts Cybercriminals Targeting Home and Office Routers" (March 26, 2024).
- Lumen, Black Lotus Labs — "Silence of the hops: the KadNap botnet" (March 2026), assessing Doppelgänger as a rebrand of the now-defunct Faceless.
- Spur (cited by Lumen) — attribution linking KadNap/Doppelgänger to the former Faceless proxy service.
- ProxyRadar check of
faceless.cc (July 19, 2026): domain unreachable.
Update log#
- March 26, 2024: Lumen's Black Lotus Labs discloses and disrupts the Faceless/TheMoon operation.
- Mid-2025:
faceless.cc observed offline by uptime monitors; brand described as defunct.
- May–June 2025: "Doppelgänger" launches; assessed as a Faceless rebrand.
- March 10, 2026: Lumen publishes KadNap research tying Doppelgänger back to the former Faceless service.
- July 19, 2026: ProxyRadar confirms
faceless.cc still unreachable.