Authorities take down global proxy network SocksEscort

Authorities from multiple countries have dismantled SocksEscort, a criminal residential proxy network that compromised routers and IoT devices in 163 countries and claimed about 369,000 victims since 2020. The network, which enabled large-scale fraud, reportedly earned approximately $5.8 million from its cybercriminal customers.

The coordinated operation, called Operation Lightning, involved Europol, the U.S. Department of Justice (DoJ), Lumen’s Black Lotus Labs, and the Shadowserver Foundation, alongside law enforcement from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, and Romania. The takedown resulted in the seizure of 34 domains, 23 servers in seven countries, and the freezing of $3.5 million in cryptocurrency linked to the botnet.

SocksEscort’s Modus Operandi:

  • Exploited a vulnerability in residential modems from an unnamed vendor to infect devices.
  • Employed AVRecon malware to turn infected routers into proxy nodes for criminals.
  • Offered anonymized IP access for cybercrime, including fraud, spam, and other illicit activity.
  • Maintained high activity levels, averaging 20,000 victims weekly since early 2024, with peak activity in January 2025 affecting over 15,000 victims daily.
  • Over half of its victims were based in the U.S. and U.K.

Experts noted that SocksEscort exclusively marketed to cybercriminals. Gaining access to the backend infrastructure provides law enforcement with intelligence on other threat actors beyond the botnet operators, potentially disrupting broader criminal networks.

Key Takeaways:

  • Proxy services like SocksEscort provide anonymity for cybercriminal activity, making them highly valuable for illicit operations.
  • The botnet’s reach demonstrates the persistent vulnerability of residential and small office routers to malware exploitation.
  • International collaboration is critical in tackling transnational cybercrime and dismantling complex botnet infrastructure.


Copyright © 2023 Cyber Reports Cyber Security News. All Rights Reserved.