The U.S. Department of Justice and Europol dismantled SocksEscort, a massive botnet that operated for 16 years using 369,000 infected routers and IoT devices to facilitate cybercrime including bank fraud, ransomware, and CSAM distribution.
The U.S. Department of Justice and Europol have dismantled SocksEscort, a massive botnet that operated for 16 years using 369,000 infected routers and IoT devices across 163 countries to facilitate cybercrime. The operation, which included authorities from nine countries, marks one of the largest botnet takedowns in recent history.

According to court documents, the botnet had approximately 8,000 active routers as of February 2026, with 2,500 located in the United States. The network primarily compromised home routers, access points, and IoT devices, selling access to criminals who used the infected machines to launch attacks from multiple worldwide locations simultaneously.
Scale and Scope of Criminal Operations
The SocksEscort network facilitated a wide range of criminal activities, resulting in millions of dollars in losses for U.S. victims. The Department of Justice cited specific cases including:
- A New York cryptocurrency customer who lost $1 million
- A Pennsylvania business that suffered $700,000 in losses
- Multiple Military Star card holders defrauded out of $100,000
- Distribution of child sexual abuse material (CSAM)
- Ransomware campaigns
- DDoS attacks
- Fraudulent insurance claims
Technical Infrastructure and Takedown
Europol seized 34 domains associated with the network and 23 servers across seven countries. The U.S. authorities also confiscated $3.5 million worth of cryptocurrency linked to the operation. The botnet's longevity—operating since approximately 2010—demonstrates the persistent nature of these threats and the challenges in detecting and dismantling such networks.
The Router Security Crisis
This takedown highlights a critical vulnerability in modern internet infrastructure. Home routers and IoT devices have become prime targets for cybercriminals due to several factors:
Default Vulnerabilities: Many devices ship with default credentials and unpatched security flaws that remain exploitable for years.
Abandoned Support: Manufacturers frequently discontinue software updates for older devices, leaving known vulnerabilities unpatched.
User Awareness Gap: The average consumer lacks awareness about firmware updates and basic device security practices.
Always-On Connectivity: Unlike traditional computing devices that users actively manage, routers and IoT devices operate continuously in the background, making them ideal for covert operations.
Prevention and Best Practices
Security experts emphasize several measures to protect against botnet infections:
- Regularly update device firmware when available
- Change default administrator credentials immediately after setup
- Disable remote management features unless absolutely necessary
- Segment IoT devices onto a separate network from primary devices
- Consider replacing older routers that no longer receive security updates
- Monitor network traffic for unusual patterns
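The last item in the list is the one most readers have no concrete picture of. A device enrolled in a proxy botnet relays other people's connections, so the tell-tale sign is an IoT device that normally speaks to one cloud endpoint suddenly opening connections to many unrelated hosts on many ports. The script below is an added example (not code from the article or from any of the investigations it cites) that scans outbound flow records of an assumed "timestamp source destination:port protocol" format and flags any internal device whose fan-out within a ten-minute window exceeds a threshold. The sample flows, addresses (documentation ranges) and thresholds are all constructed for the example.

```python
"""Spot LAN devices whose outbound traffic looks like proxy relaying.

Added example, not code from the article or from any investigation it cites.
A router or IoT device enrolled in a proxy botnet relays other people's
connections, so it suddenly reaches many unrelated destinations on many ports.
This script scans firewall-style outbound flow records and flags any internal
source whose distinct-destination or distinct-port count inside a short window
exceeds a threshold. The log format, addresses and thresholds are assumptions
chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Laptop 192.168.1.20 browses a handful of HTTPS
# sites; camera 192.168.1.50 normally talks only to one cloud endpoint.
LAPTOP_FLOWS = [
    "2026-02-10T08:00:01 192.168.1.20 198.51.100.10:443 tcp",
    "2026-02-10T08:00:05 192.168.1.20 198.51.100.11:443 tcp",
    "2026-02-10T08:00:09 192.168.1.20 198.51.100.12:443 tcp",
    "2026-02-10T08:01:30 192.168.1.20 198.51.100.13:443 tcp",
    "2026-02-10T08:02:02 192.168.1.20 198.51.100.14:443 tcp",
    "2026-02-10T08:02:40 192.168.1.20 198.51.100.15:443 tcp",
]
CAMERA_NORMAL_FLOW = "2026-02-10T07:55:00 192.168.1.50 198.51.100.200:443 tcp"


def constructed_relay_burst(count=20):
    """Build a constructed burst: the camera opens connections to `count`
    different hosts on a rotating set of ports within about two minutes,
    which is the pattern a relaying device produces."""
    ports = [80, 443, 8080, 25, 5222, 9001]
    base = datetime(2026, 2, 10, 8, 0, 0)
    return [
        f"{(base + timedelta(seconds=5 * i)).isoformat()} 192.168.1.50 "
        f"203.0.113.{i + 1}:{ports[i % len(ports)]} tcp"
        for i in range(count)
    ]


def parse_flow(line):
    """Parse 'TIMESTAMP SRC_IP DST_IP:DST_PORT PROTO' into typed fields."""
    ts, src, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def peak_fanout(flows, window):
    """Return the largest (distinct destinations, distinct ports) seen in any
    sliding time window of length `window` over (time, dst, port) flows."""
    flows = sorted(flows)
    peak_dsts = peak_ports = 0
    start = 0
    for end in range(len(flows)):
        # Advance the window start until the window is no longer than `window`.
        while flows[end][0] - flows[start][0] > window:
            start += 1
        current = flows[start:end + 1]
        peak_dsts = max(peak_dsts, len({d for _, d, _ in current}))
        peak_ports = max(peak_ports, len({p for _, _, p in current}))
    return peak_dsts, peak_ports


def find_relaying_devices(lines, window=timedelta(minutes=10),
                          max_destinations=15, max_ports=5):
    """Group flows by internal source and flag sources whose peak fan-out
    exceeds either threshold. Returns {src_ip: {...}} for flagged sources."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst, port, _ = parse_flow(line)
            by_src[src].append((ts, dst, port))
    flagged = {}
    for src, flows in by_src.items():
        dsts, ports = peak_fanout(flows, window)
        if dsts > max_destinations or ports > max_ports:
            flagged[src] = {"distinct_destinations": dsts,
                            "distinct_ports": ports,
                            "flows": len(flows)}
    return flagged


if __name__ == "__main__":
    sample = LAPTOP_FLOWS + [CAMERA_NORMAL_FLOW] + constructed_relay_burst()
    for src, info in find_relaying_devices(sample).items():
        print(f"{src}: {info}")
```

On the constructed data only the camera is flagged: 21 distinct destinations on 6 distinct ports inside one window, while the laptop's six HTTPS sites stay under both thresholds. A laptop that browses heavily will exceed a fixed destination count, which is why this check pairs naturally with the segmentation item above: run it over the IoT segment, where a device's set of legitimate endpoints is small and stable, or keep a per-device baseline and alert on departures from it rather than on absolute counts.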
Broader Implications
The SocksEscort takedown follows closely on the heels of the LeakBase operation, suggesting increased international cooperation in combating cybercrime infrastructure. The scale of this operation—spanning 163 countries and operating for 16 years—demonstrates both the sophistication of modern botnets and the resources required to dismantle them.
As Internet of Things devices continue to proliferate in homes and businesses worldwide, the attack surface for such operations will likely expand. This case serves as a stark reminder that the security of our connected world depends not just on individual device security, but on coordinated international efforts to combat criminal networks that exploit systemic vulnerabilities.

The success of this operation provides a model for future takedowns, but also underscores the need for manufacturers to prioritize long-term security support and for consumers to remain vigilant about the devices connecting to their networks.
