
A court-sanctioned international law enforcement operation has dismantled a criminal proxy service called SocksEscort that conscripted thousands of home and small-office routers around the world into a botnet used to commit large-scale fraud.
“SocksEscort infected homes and small businesses’ internet routers with malware,” the U.S. Department of Justice (DoJ) said in a statement. “The malware allowed SocksEscort to direct internet traffic through infected routers. SocksEscort sold this access to customers.”
The service (“SocksEscort[.]com”) has offered access to approximately 369,000 distinct IP addresses in 163 countries since the summer of 2020, and is said to have listed approximately 8,000 infected routers as of February 2026, 2,500 of them in the United States.
As of December 2025, SocksEscort’s website claimed to offer “static residential IPs with unlimited bandwidth” and the ability to bypass spam blocklists. It advertised over 35,900 proxies in 102 countries, priced at $15 per month for a set of 30 proxies; a 5,000-proxy package cost $200 per month.
The ultimate goal of services like SocksEscort is to let paying customers tunnel their internet traffic through compromised devices without the device owner’s knowledge. Because the traffic exits from an ordinary residential IP address, the customer’s true IP address and location are masked, and the malicious traffic is difficult for its targets to distinguish from legitimate activity.
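The masking described above works against the victim site, but the compromised router itself gives the game away to anyone watching it from upstream: a router normally only forwards its LAN clients’ traffic and originates very little on its own behalf (DNS, NTP, a vendor update check), whereas a router relaying proxy customers becomes the originator of connections to many unrelated hosts on ports its firmware has no reason to use. The following Python is an added example, not code from the article, Black Lotus Labs, or law enforcement; the flow records, IP addresses, management-port baseline and thresholds are all constructed assumptions for the demonstration.

```python
"""Flag edge devices whose self-originated traffic fans out like a proxy relay.

Input is a list of flow records as an ISP or a firewall placed in front of the
customer-premises router would see them, with the router's WAN address as the
connection source. All sample data below is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # IP that opened the connection, seen upstream of the router
    dst: str        # destination IP
    dport: int      # destination port
    bytes_out: int  # bytes from src to dst
    bytes_in: int   # bytes from dst back to src


# Assumed baseline: ports a SOHO router legitimately uses on its own behalf
# (DNS, NTP, HTTPS to the vendor's update/cloud service). Tune per deployment.
MANAGEMENT_PORTS = {53, 123, 443}


def summarize_by_source(flows):
    """Aggregate flows per originating IP: distinct destinations, ports, bytes."""
    summary = defaultdict(
        lambda: {"dsts": set(), "ports": set(), "bytes_out": 0, "bytes_in": 0}
    )
    for f in flows:
        s = summary[f.src]
        s["dsts"].add(f.dst)
        s["ports"].add(f.dport)
        s["bytes_out"] += f.bytes_out
        s["bytes_in"] += f.bytes_in
    return dict(summary)


def proxy_like_sources(flows, min_distinct_dsts=8, min_non_mgmt_ports=2):
    """Return source IPs whose self-originated traffic looks like relaying.

    Two conditions must hold (thresholds are assumptions, not measured values):
      * the source talks to at least `min_distinct_dsts` different hosts, and
      * at least `min_non_mgmt_ports` of the destination ports fall outside the
        management baseline, which rules out a chatty but legitimate device that
        only ever reaches CDN/update endpoints over 443.
    """
    flagged = []
    for src, s in summarize_by_source(flows).items():
        non_mgmt_ports = s["ports"] - MANAGEMENT_PORTS
        if len(s["dsts"]) >= min_distinct_dsts and len(non_mgmt_ports) >= min_non_mgmt_ports:
            flagged.append(src)
    return sorted(flagged)


# Constructed sample flows (RFC 5737 documentation addresses):
#   203.0.113.10  relays customer traffic to ten hosts on web, SMTP and IMAP ports
#   203.0.113.20  behaves like a clean router: DNS, NTP and one update check
#   203.0.113.30  reaches nine hosts but only over 443 (e.g. cloud telemetry)
SAMPLE_FLOWS = (
    [Flow("203.0.113.10", f"198.51.100.{i}", p, 1500, 30000)
     for i, p in enumerate([443, 80, 8080, 25, 443, 587, 80, 443, 993, 443], start=1)]
    + [Flow("203.0.113.20", "192.0.2.53", 53, 200, 400),
       Flow("203.0.113.20", "192.0.2.123", 123, 76, 76),
       Flow("203.0.113.20", "192.0.2.200", 443, 3000, 20000)]
    + [Flow("203.0.113.30", f"192.0.2.{i}", 443, 1000, 5000) for i in range(10, 19)]
)


if __name__ == "__main__":
    for src in proxy_like_sources(SAMPLE_FLOWS):
        s = summarize_by_source(SAMPLE_FLOWS)[src]
        print(f"{src}: {len(s['dsts'])} destinations, ports {sorted(s['ports'])}, "
              f"{s['bytes_in']} bytes in / {s['bytes_out']} bytes out")
```

Only 203.0.113.10 is reported: 203.0.113.20 has too few destinations, and 203.0.113.30 has the fan-out but no traffic outside the management baseline. In practice the baseline should be learned per device model from a clean period, and a hit should be followed by a firmware integrity check rather than treated as proof on its own.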
Victims of schemes carried out using SocksEscort include a crypto exchange customer in New York who was defrauded of $1 million worth of cryptocurrency, a Pennsylvania manufacturing company that was defrauded of $700,000, and current and former U.S. military personnel who were scammed out of $100,000 in a scheme involving MILITARY STAR cards.
In a coordinated announcement, Europol said the effort, code-named “Operation Lightning,” involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania and the United States. The operation took down 34 domains and 23 servers in seven countries, and a total of $3.5 million in virtual currency was frozen.

“These devices, primarily residential routers, were exploited to facilitate a variety of criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM),” Europol said. “Compromised devices were infected through a vulnerability in a particular brand of home modem.”
“To access the proxy service, customers had to use a payment platform that allowed them to purchase the service anonymously using cryptocurrency. It is estimated that this payment platform received more than €5 million from customers of the proxy service.”
SocksEscort relies on malware known as AVrecon, which Lumen Black Lotus Labs publicly documented in July 2023 but which is assessed to have been active since at least May 2021. The proxy service is estimated to have compromised 280,000 individual IP addresses since early 2025.
In addition to turning an infected device into a SocksEscort residential proxy, AVrecon can act as a loader: it establishes a remote shell to an attacker-controlled server and downloads and executes arbitrary payloads. The malware targets approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.
“The majority of devices observed to be infected with AVrecon malware are small office/home office (SOHO) routers infected using critical vulnerabilities such as remote code execution (RCE) and command injection,” the US Federal Bureau of Investigation said in an alert. “The AVrecon malware is written in C and primarily targets MIPS and ARM devices.”
To achieve persistence, threat actors have been observed abusing a device’s built-in update mechanism to flash a custom firmware image that carries a hard-coded copy of AVrecon and launches it at boot. The modified firmware also disables the device’s update and flashing capabilities, so the infection survives reboots and cannot be removed through the normal update path, leaving the device permanently infected.
“This botnet posed a significant threat because it was sold exclusively to criminals and consisted solely of compromised edge devices,” the Black Lotus Labs team said. “For the past several years, SocksEscort has maintained an average of approximately 20,000 victims per week, with communications occurring via an average of 15 command and control nodes (C2).”
