SocksEscort Proxy Network Dismantled by Federal Authorities in Global Fraud Crackdown
- Mar 12
Key Findings
* International law enforcement dismantled SocksEscort proxy network
* Network compromised approximately 369,000 IP addresses worldwide
* Cybercriminals used service to route fraudulent activities and hide identity
* $3.5 million in cryptocurrency seized
* Infected over 8,000 home and small business routers
* Caused millions in financial losses across multiple victims
Background
SocksEscort operated as a malicious proxy service from 2009, systematically infecting residential routers and internet-connected devices across 163 countries. The network functioned by deploying backdoors on home and small business routers, allowing cybercriminals to route internet traffic through compromised devices and mask their true location and identity.
Infrastructure and Technical Details
The proxy network used AVRecon malware to exploit vulnerabilities in residential modems from an unnamed vendor. By February 2026, the service advertised approximately 8,000 actively infected routers, with about 2,500 located in the United States. The network added victims at a steady rate, averaging 20,000 weekly targets and peaking at over 15,000 daily victims in January 2025.
Fraud Schemes
Cybercriminals leveraged SocksEscort to conduct various fraudulent activities, including:
* Bank account takeovers
* Cryptocurrency theft
* Fraudulent unemployment insurance claims
* Bypassing fraud detection systems
Notable incidents included:
* $1 million stolen from a New York cryptocurrency exchange customer
* $700,000 defrauded from a Pennsylvania manufacturing company
* $100,000 in unauthorized transactions on US service members' credit cards
Law Enforcement Response
A coordinated international operation, dubbed Operation Lightning, involved multiple agencies:
* Europol
* FBI
* US Department of Justice
* Cybercrime authorities from Austria, Bulgaria, France, Germany, Hungary, Netherlands, and Romania
The operation resulted in:
* Seizure of 34 domains
* Shutdown of 23 servers
* Freezing of $3.5 million in cryptocurrency
* Disruption of the proxy network's core infrastructure
Implications
Experts highlight the operation as a significant blow to cybercriminal networks, demonstrating the vulnerability of poorly secured home networking devices and the growing sophistication of international law enforcement collaboration in combating digital crime.
Sources
https://hackread.com/feds-dismantle-socksescort-proxy-network-fraud/
https://cyberscoop.com/socksescort-proxy-network-botnet-takedown/
https://www.theregister.com/2026/03/12/socksescort_fraud_proxy_taken_down_fbi