International Takedown Disrupts SocksEscort Proxy Botnet Using 369,000 IPs

Law enforcement agencies in the United States and Europe announced a coordinated disruption of SocksEscort, a criminal proxy service that turned thousands of home and small-business routers into a global botnet, the U.S. Department of Justice said.

“SocksEscort infected home and small business internet routers with malware,” the Department of Justice said. “The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.”

The DOJ said SocksEscort advertised access to roughly 369,000 distinct IP addresses across 163 countries since mid-2020, and that the service listed nearly 8,000 infected routers for sale as of February 2026, including about 2,500 in the United States. Europol called the multinational operation Operation Lightning and said the takedown seized 34 domains and removed 23 servers located in seven countries. Europol added that about 3.5 million dollars in cryptocurrency was frozen during the disruption.

Authorities described SocksEscort as a paid service that let criminals route traffic through compromised residential devices so their activity would blend with that of legitimate users. Europol executive director Catherine De Bolle warned that proxy services like SocksEscort “provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”

Security researchers at Lumen Black Lotus Labs documented the malware family behind SocksEscort, known as AVrecon, in July 2023. The FBI published a flash alert saying AVrecon targets small-office/home-office routers using critical vulnerabilities such as remote code execution and command injection. The FBI said the malware is written in C, primarily targets MIPS and ARM devices, and has been observed against roughly 1,200 device models from vendors including Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.

Both Black Lotus Labs and the FBI outlined how AVrecon not only turns a router into a proxy but can also open a remote shell back to attacker-controlled servers and act as a loader for additional malicious payloads. The FBI noted that operators have sometimes achieved persistence by flashing custom firmware that launches AVrecon on startup and disables the device’s update functions, so the normal vendor update path no longer works as a fix.

Black Lotus Labs described the platform’s scale, saying “this botnet posed a significant threat, as it was marketed exclusively to criminals and composed solely of compromised edge devices.” The research team added that SocksEscort maintained an average of about 20,000 distinct infected victims weekly with communications routed through roughly 15 command-and-control nodes.

Court filings and DOJ statements tied the SocksEscort service to a range of frauds. The DOJ said victims included a New York cryptocurrency customer defrauded of about one million dollars in crypto, a Pennsylvania manufacturer hit for roughly 700,000 dollars, and current and former U.S. service members who lost about 100,000 dollars on MILITARY STAR cards. The DOJ also alleged the operators netted more than 5.7 million dollars from the service, and Europol estimated the payment platform used to buy access received over five million euros.

Investigators in Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the United States participated in Operation Lightning, Europol said. The DOJ and Europol credited private-sector partners, including Lumen Black Lotus Labs and the Shadowserver Foundation, for help identifying infrastructure and victims.

The FBI issued guidance to users and network operators: apply vendor firmware updates, change default credentials, disable remote management if it is not needed, and monitor network devices for unusual traffic patterns. Because the custom firmware the FBI described can disable updates, a router that refuses a vendor update should be treated as possibly tampered rather than as simply up to date. The agencies said the disruption aims to limit criminal abuse and give victims an opening to recover impacted devices.
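The monitoring step in that guidance is the one a home or small-business operator can act on with ordinary tools. What follows is an added example, not code from the article, the FBI or Lumen: a Python script that applies a fan-out heuristic to constructed flow records. A router's own address normally originates only housekeeping traffic (DNS forwarding, NTP and HTTPS vendor update checks, assumed here as the baseline), so the gateway address showing up as the source of connections to many distinct external hosts and ports is the kind of pattern a proxy relay produces. The record format, the gateway address 192.168.1.1, the baseline port set, the thresholds and the sample flows are all assumptions made for the example.

```python
"""Flag a SOHO router whose own address originates proxy-like traffic.

Added example with constructed flow records; not data from the article.
Flows are assumed to come from a LAN-side capture or the router's own
connection-tracking export, one 'src dst dport' record per line.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Ports a router is expected to originate traffic on for its own needs:
# DNS forwarding, NTP, and HTTPS vendor update checks (assumed baseline).
ROUTER_BASELINE_PORTS = frozenset({53, 123, 443})


def parse_flows(lines):
    """Parse 'src dst dport' text records; blank and '#' lines are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        flows.append(Flow(src, dst, int(dport)))
    return flows


def fan_out(flows, src_ip, ignore_ports=frozenset()):
    """Count distinct destinations and ports originated by src_ip,
    excluding any destination port listed in ignore_ports."""
    dsts, ports = set(), set()
    for f in flows:
        if f.src == src_ip and f.dport not in ignore_ports:
            dsts.add(f.dst)
            ports.add(f.dport)
    return len(dsts), len(ports)


def flag_proxy_behaviour(flows, gateway_ip, max_dsts=3, max_ports=2):
    """Flag the gateway when, after removing its baseline housekeeping
    ports, it still talks to more hosts or ports than a router should.
    Thresholds are assumed values; tune them to the observed baseline."""
    n_dsts, n_ports = fan_out(flows, gateway_ip, ROUTER_BASELINE_PORTS)
    return {
        "gateway": gateway_ip,
        "distinct_dsts": n_dsts,
        "distinct_ports": n_ports,
        "suspicious": n_dsts > max_dsts or n_ports > max_ports,
    }


# Constructed sample: the gateway 192.168.1.1 does its normal DNS/NTP/update
# traffic, then fans out to unrelated hosts on SMTP, RDP, SSH and HTTP-alt
# ports, which is what relaying customer traffic looks like. A LAN client
# (192.168.1.20) does ordinary browsing. All addresses are documentation ranges.
SAMPLE_FLOWS = """
# src            dst              dport
192.168.1.1      192.0.2.53       53
192.168.1.1      198.51.100.1     123
192.168.1.1      198.51.100.10    443
192.168.1.1      203.0.113.5      8080
192.168.1.1      203.0.113.77     25
192.168.1.1      198.51.100.200   3389
192.168.1.1      203.0.113.9      22
192.168.1.1      192.0.2.44       8443
192.168.1.20     198.51.100.10    443
192.168.1.20     198.51.100.11    443
192.168.1.20     192.0.2.53       53
"""


if __name__ == "__main__":
    records = parse_flows(SAMPLE_FLOWS.splitlines())
    print(flag_proxy_behaviour(records, "192.168.1.1"))
```

The rule is deliberately applied only to the gateway address: a LAN client running a browser legitimately fans out to many hosts, so the same threshold on client addresses would be noise. What makes the gateway case meaningful is that, NAT aside, the router itself has no business originating connections to arbitrary external hosts on SMTP, RDP or SSH ports.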
