Authorities Take Down SocksEscort Proxy Botnet Using 369,000 IPs Across 163 Countries

A coordinated international law enforcement operation has dismantled a large-scale criminal proxy network known as the SocksEscort botnet, which hijacked thousands of residential routers around the world and used them for cybercrime.

According to the U.S. Department of Justice (DoJ), the proxy service infected internet routers used by homes and small businesses with malicious software. Once compromised, these routers were used to route internet traffic for paying customers without the owners’ knowledge.

Massive Global Proxy Network

The proxy platform, hosted through the domain socksescort[.]com, reportedly offered access to approximately 369,000 IP addresses across 163 countries since mid-2020.

By early 2026, investigators discovered that nearly 8,000 routers remained infected, including around 2,500 devices located in the United States.

The service marketed itself as providing:

  • Static residential IP addresses
  • Unlimited bandwidth
  • Ability to bypass spam and fraud detection systems

Customers could purchase packages such as:

  • 30 proxy connections for $15 per month
  • 5,000 proxy connections for $200 per month

These proxies allowed criminals to disguise their identity and conduct malicious operations while appearing to originate from legitimate residential networks.

Fraud Cases Linked to the Proxy Network

Authorities revealed that multiple financial crimes were conducted using the SocksEscort infrastructure.

Notable incidents include:

  • A cryptocurrency exchange user in New York who lost $1 million in digital assets
  • A manufacturing company in Pennsylvania that suffered $700,000 in fraud losses
  • Current and former U.S. service members whose MILITARY STAR card accounts lost over $100,000

The proxy network enabled attackers to hide their real location and identity, making it difficult for investigators to trace fraudulent activity.

Operation Lightning Disrupts the Network

The takedown effort, known as Operation Lightning, involved collaboration between multiple international agencies.

Authorities from several countries participated, including:

  • Austria
  • Bulgaria
  • France
  • Germany
  • Hungary
  • Netherlands
  • Romania
  • United States

The operation resulted in:

  • Shutdown of 34 domains
  • Seizure of 23 servers across seven countries
  • Freezing of $3.5 million in cryptocurrency

The initiative was coordinated with support from Europol.


AVrecon Malware Behind the Botnet

The proxy network relied on malware known as AVrecon, previously documented by Lumen Black Lotus Labs in 2023.

The malware is believed to have been active since at least 2021 and was capable of infecting over 1,200 models of routers and networking devices from manufacturers including:

  • Cisco
  • D-Link
  • Hikvision
  • MikroTik
  • NETGEAR
  • TP-Link
  • Zyxel

Once a router was compromised, AVrecon could:

  • Turn the device into a residential proxy node
  • Establish remote shell access for attackers
  • Download and execute additional malware payloads

Persistent Router Infections

To maintain long-term control, attackers installed custom firmware containing AVrecon through the router’s update mechanism.

This modified firmware ensured that the malware executed automatically every time the device restarted. In many cases, it also disabled normal firmware updates, making it extremely difficult for users to remove the infection.

According to investigators, the botnet typically kept around 20,000 infected devices active each week, communicating with approximately 15 command-and-control servers.

(The story was updated after publication to include a response from NETGEAR.)
