International law enforcement agencies have dismantled SocksEscort, a residential proxy service responsible for tens of millions in fraud, seizing 23 servers across seven countries and freezing $3.5 million in cryptocurrency.
International law enforcement agencies have dismantled SocksEscort, a residential proxy service that enabled cybercriminals to carry out massive fraud schemes by compromising hundreds of thousands of routers worldwide. The operation, dubbed Operation Lightning, resulted in the seizure of 34 domains and 23 servers across seven countries, with authorities also freezing approximately $3.5 million in cryptocurrency linked to the criminal network.
According to FBI Deputy Assistant Director Jason Bilnoski, SocksEscort is responsible for "tens of millions of dollars in losses" through various criminal activities including ransomware attacks, ad fraud, account takeovers, identity theft, business email compromises, romance scams, and password spraying.
The scale of the operation was substantial. SocksEscort infected home and small business internet routers with a botnet called AVRecon, which allowed criminals to remotely control infected devices and direct internet traffic through compromised routers. Since summer 2020, the service has sold access to approximately 369,000 different IP addresses, with about 8,000 infected routers still active as of last month.
Among the victims were a New York cryptocurrency exchange customer defrauded of $1 million worth of cryptocurrency, a Pennsylvania manufacturing business that lost $700,000, and current and former US service members with Military Star cards who were defrauded out of $100,000.
Lumen's Black Lotus Labs, which investigated the botnet in 2023, described AVRecon as "one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history." The proliferation of illicit residential proxies like SocksEscort represents a significant challenge for both government and private-sector partners.
The takedown involved cooperation between the FBI and law enforcement agencies from Austria, France, and the Netherlands, with private-sector organizations including Lumen's Black Lotus Labs and the Shadowserver Foundation participating in the operation.
Bilnoski emphasized that the seized servers will lead to additional evidence for pursuing further criminal activity, noting that SocksEscort had approximately 124,000 users. The investigation continues to target downstream criminals who utilized the proxy network.
This operation comes as the FBI recently launched Operation Winter Shield, which includes 10 key defensive measures organizations can take to improve their security posture. One critical recommendation is to track and retire end-of-life technology on a defined schedule, which is especially important for mitigating the risk of outdated routers being turned into residential proxy networks.
The SocksEscort case highlights the growing threat of residential proxy services in the cybercrime ecosystem, where compromised home and small business devices are weaponized for large-scale fraud and digital crimes while masking the true location of criminal actors.
