We look at how a high-anonymity socks vpn service that was running in over 132 countries was found to be using Bunitu infected victims. We will explore the Underground Economy and show several of these services in detail, reviewing their demographics and marketing material. We will look at the parallels with the Bunitu case and track back to a C2. This case has never been presented anywhere before.