Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries

A court-authorized international law enforcement operation has dismantled a criminal proxy service named SocksEscort that enslaved thousands of residential routers worldwide into a botnet used to commit large-scale fraud.

“SocksEscort infected home and small business internet routers with malware,” the U.S. Department of Justice (DoJ) said. “The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.”

SocksEscort (“socksescort[.]com”) is alleged to have offered to sell access to about 369,000 different IP addresses in 163 countries since the summer of 2020, with the service listing nearly 8,000 infected routers as of February 2026. Of these, 2,500 were located in the U.S.

As of December 2025, SocksEscort’s website claimed to offer “static residential IPs with unlimited bandwidth” and that they could bypass spam blocklists. It advertised over 35,900 proxies from 102 countries, with a set of 30 proxies costing $15 per month. A package consisting of 5,000 proxies cost $200 a month.

The end goal of services like SocksEscort is to let paying customers tunnel internet traffic through compromised devices without the victim’s knowledge. Because the traffic exits from an ordinary residential IP address, it blends in with legitimate activity, conceals the customer’s true IP address and location, and makes malicious traffic harder to distinguish from that of genuine home users.

Some of the victims defrauded in schemes carried out using SocksEscort included a customer of a cryptocurrency exchange who lived in New York and was defrauded of $1 million worth of cryptocurrency; a manufacturing business in Pennsylvania that was defrauded of $700,000; and current and former U.S. service members with MILITARY STAR cards who were defrauded out of $100,000.

In a coordinated announcement, Europol said the effort, codenamed Operation Lightning, involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the U.S. The disruption resulted in the takedown of 34 domains and 23 servers located in seven countries. A total of $3.5 million in cryptocurrency has been frozen.

“These devices, primarily residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM),” Europol said. “The compromised devices were infected through a vulnerability in the residential modems of a specific brand.”

“To get access to the proxy service, customers had to use a payment platform that made it possible to anonymously purchase the service using cryptocurrency. It is estimated that this payment platform received more than EUR 5 million from proxy service customers.”

SocksEscort was powered by malware known as AVrecon, details of which were publicly documented by Lumen Black Lotus Labs in July 2023. However, it is assessed to have been active since at least May 2021. The proxy service is estimated to have victimized 280,000 distinct IP addresses beginning in early 2025.

In addition to turning an infected device into a SocksEscort residential proxy, AVrecon is equipped to establish a remote shell to an attacker-controlled server and to act as a loader by downloading and executing arbitrary payloads. The malware targets roughly 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.

“The vast majority of observed devices infected with AVrecon malware are small-office/home-office (SOHO) routers infected using critical vulnerabilities such as Remote Code Execution (RCE) and command injection,” the U.S. Federal Bureau of Investigation said in an alert. “AVrecon malware is written in the C language and primarily targets MIPS and ARM devices.”

To achieve persistence, the threat actors have been observed abusing the device’s built-in update mechanism to flash a custom firmware image that contains a copy of AVrecon and is hard-coded to execute it on device startup. The modified firmware also disables the device’s update and flashing features, so a victim cannot remove the implant by applying a vendor update or reflashing through the normal interface, leaving the device permanently infected.

“This botnet posed a significant threat, as it was marketed exclusively to criminals and composed entirely of compromised edge devices,” the Black Lotus Labs team said. “Over the past several years, SocksEscort maintained an average size of roughly 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).”
