Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries

Authorities have dismantled SocksEscort, a criminal proxy service that leveraged hundreds of thousands of infected home and small business routers worldwide to facilitate large-scale cybercrime. The operation, authorized by courts and coordinated across multiple countries, targeted a botnet spanning 369,000 IP addresses in 163 nations.

According to the U.S. Department of Justice (DoJ), SocksEscort installed malware on residential routers, allowing attackers to route internet traffic through the compromised devices. The service sold access to paying customers in packages ranging from 30 proxies for $15 per month to 5,000 proxies for $200. At its peak, approximately 8,000 devices were active on the network, 2,500 of them located in the U.S. alone.

The proxy network enabled cybercriminals to obscure their real IP addresses while committing fraud, ransomware campaigns, distributed denial-of-service (DDoS) attacks, and other illegal activities. Victims included individuals, businesses, and even U.S. service members, who suffered losses ranging from $100,000 to $1 million.

The European law enforcement agency Europol said the disruption, codenamed Operation Lightning, involved Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the U.S. Authorities seized 34 domains, 23 servers across seven countries, and froze $3.5 million in cryptocurrency.

The malware behind SocksEscort, known as AVrecon, had been active since at least May 2021 and was publicly documented in 2023 by Lumen Black Lotus Labs. It targeted over 1,200 router models from vendors including Cisco, D-Link, Hikvision, Mikrotik, NETGEAR, TP-Link, and Zyxel. AVrecon could turn infected devices into proxies, establish remote shells, download arbitrary payloads, and persist via custom firmware that disabled device updates.

NETGEAR confirmed some of its devices were targeted in the early stages of the botnet in 2016 but emphasized that remediation steps were implemented promptly and no further exploitation has been observed since.

The FBI noted that most infections were on small-office/home-office (SOHO) routers and were achieved by exploiting critical vulnerabilities such as remote code execution (RCE) and command injection. The AVrecon malware, primarily written in C, targeted MIPS and ARM architectures and maintained persistence by flashing malicious firmware at startup.

Black Lotus Labs highlighted that SocksEscort was marketed exclusively to criminals, maintaining around 20,000 active victims weekly, with traffic routed through an average of 15 command-and-control nodes. The disruption of SocksEscort marks a significant step in combating global proxy-based cybercrime and securing consumer network devices from exploitation.


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO