A coordinated international operation has taken down SocksEscort, a criminal proxy service that enslaved 369,000 residential routers across 163 countries to facilitate large-scale fraud, ransomware, and other cybercrimes.
A major international law enforcement operation has successfully dismantled SocksEscort, a sophisticated criminal proxy service that compromised hundreds of thousands of residential routers worldwide to facilitate large-scale cybercrime. The takedown, announced by authorities from the United States, Europe, and other nations, represents one of the most significant disruptions of criminal infrastructure in recent years.

According to the U.S. Department of Justice, SocksEscort operated by infecting home and small business internet routers with specialized malware, allowing criminals to route their internet traffic through these compromised devices. This technique effectively masked the true origin of malicious activities, making it extremely difficult for victims and law enforcement to trace criminal operations back to their source.
The scale of the operation was staggering. Since summer 2020, SocksEscort offered access to approximately 369,000 different IP addresses across 163 countries. At its peak in February 2026, the service listed nearly 8,000 actively infected routers, with 2,500 of these located in the United States. The service was particularly brazen in its marketing, advertising "static residential IPs with unlimited bandwidth" that could bypass spam blocklists.
Pricing reflected the service's criminal nature. A basic package of 30 proxies cost $15 per month, while bulk buyers could purchase 5,000 proxies for $200 monthly. This pricing structure made the service accessible to various criminal actors, from individual fraudsters to organized cybercrime groups.
The real-world impact of SocksEscort's operations was severe. Authorities documented multiple instances of significant financial losses directly linked to the proxy service. A cryptocurrency exchange customer in New York lost $1 million worth of digital assets. A manufacturing business in Pennsylvania suffered a $700,000 fraud. Military personnel with MILITARY STAR cards were defrauded out of $100,000. These cases represent just a fraction of the total damage caused by the network.
Europol, which coordinated the international effort codenamed Operation Lightning, revealed that the botnet facilitated various criminal activities beyond financial fraud. These included ransomware attacks, distributed denial-of-service (DDoS) campaigns, and the distribution of child sexual abuse material. The operation involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the United States.
The technical infrastructure behind SocksEscort was equally sophisticated. The service relied on malware called AVrecon, which was publicly documented by Lumen Black Lotus Labs in July 2023 but had been active since at least May 2021. AVrecon targeted approximately 1,200 device models from major manufacturers including Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel.
AVrecon's capabilities extended far beyond simple proxy functionality. The malware could establish remote shells to attacker-controlled servers and act as a loader for downloading and executing arbitrary malicious payloads. To maintain persistence, the threat actors exploited devices' built-in update mechanisms to flash custom firmware images containing AVrecon. These modified firmware versions disabled the device's update and flashing features, effectively locking victims into permanent infection.
The FBI noted that AVrecon is written in C and primarily targets MIPS and ARM devices. The malware exploits critical vulnerabilities such as remote code execution (RCE) and command injection flaws to compromise SOHO (small-office/home-office) routers. Over the past several years, SocksEscort maintained an average of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes.
As part of the takedown, authorities seized 34 domains and 23 servers located across seven countries. Additionally, law enforcement froze approximately $3.5 million in cryptocurrency linked to the operation. Europol also highlighted that customers used a specialized payment platform to anonymously purchase proxy access using cryptocurrency, with the platform receiving over EUR 5 million from proxy service customers.
The disruption of SocksEscort represents a significant victory for international law enforcement in the ongoing battle against cybercrime infrastructure. However, experts warn that similar services likely exist and that the underlying vulnerabilities in residential routers remain a persistent threat. The case underscores the importance of keeping router firmware updated and the need for manufacturers to address security vulnerabilities promptly.
For consumers, the takedown serves as a reminder of the hidden risks in everyday technology. Many users may be unaware that their home routers could be unwittingly participating in criminal activities. Regular firmware updates, strong passwords, and awareness of potential vulnerabilities are essential steps in protecting against such compromises.
The SocksEscort case also highlights the evolving nature of cybercrime, where seemingly legitimate services are repurposed for malicious ends. By offering what appeared to be a legitimate proxy service, SocksEscort was able to operate in plain sight while facilitating some of the most serious cybercrimes affecting individuals and organizations worldwide.