Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs in 163 Countries

A court-authorized international law enforcement operation has dismantled a criminal proxy service called SocksEscort, which enslaved thousands of residential routers around the world into a botnet that was used to commit massive fraud.
“SocksEscort infected home and small business Internet routers with malware,” the US Department of Justice (DoJ) said. “The malware allowed SocksEscort to route Internet traffic through infected routers. SocksEscort sold this access to its customers.”
SocksEscort (“socksescort[.]com”) is said to have offered for sale access to about 369,000 different IP addresses in 163 countries since the summer of 2020, with the service counting about 8,000 routers infected with the malware as of February 2026. Of these, 2,500 are located in the US.
As of December 2025, the SocksEscort website said it offers “fixed residential IPs with unlimited bandwidth” and that it can bypass spam lists. It advertises more than 35,900 proxies from 102 countries, with a set of 30 proxies costing $15 per month. A package that includes 5,000 proxies costs $200 per month.
The ultimate goal of services like SocksEscort is to let paying customers route Internet traffic through compromised devices without the victims’ knowledge, hiding the customers’ real IP addresses and locations so that their activity blends in with residential traffic and is hard to distinguish from legitimate use.
Some of the victims who were defrauded as part of the schemes carried out using SocksEscort included a cryptocurrency exchange customer who lives in New York and was defrauded of $1 million in cryptocurrency; a manufacturing business in Pennsylvania that was defrauded of $700,000; and current and former US service members with MILITARY STAR cards defrauded of $100,000.
In a joint announcement, Europol said the effort, codenamed Operation Lightning, involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the US. The disruption operation led to the takedown of 34 domains and 23 servers located in seven countries. A total of $3.5 million in cryptocurrency has been seized.

“These machines, especially residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM),” Europol said. “Damaged machines are infected by a vulnerability in residential modems of some kind.”
“In order to gain access to the proxy service, customers had to use a payment platform that enabled them to purchase the service anonymously using cryptocurrency. It is estimated that this payment platform earned more than EUR 5 million from the proxy service’s customers.”
SocksEscort is powered by a malware known as AVrecon, the details of which were publicly documented by Lumen Black Lotus Labs in July 2023. However, it has been assessed to be active since at least May 2021. The proxy service is estimated to have victimized 280,000 different IP addresses since the beginning of 2025.
In addition to turning an infected device into a SocksEscort proxy, AVrecon is equipped to launch a remote shell on an attacker-controlled server and act as a loader by downloading and executing malicious payloads. The malware targeted approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel.
“Most of the devices targeted by the AVrecon malware are small office/home-office (SOHO) routers infected using key vulnerabilities such as Remote Code Execution (RCE) and command injection,” the US Federal Bureau of Investigation said in a warning. “The AVrecon malware is written in C and mainly targets MIPS and ARM devices.”
To achieve persistence, the threat actors have been observed using the device’s built-in update mechanism to flash a custom firmware image containing a copy of AVrecon, which is hard-coded to launch when the device boots. The modified firmware also disables the device’s update and flashing features, leaving the devices permanently infected.
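A defender-side illustration of the relay behaviour the article describes (customer traffic entering an infected router from one external peer and leaving toward another). This is an added example, not code from the article, the DoJ, Europol or Black Lotus Labs. It assumes bidirectional flow records exported from the network edge (initiator, responder, port, bytes in each direction), a local prefix of 192.168.1.0/24, and a handful of constructed sample flows; the thresholds are arbitrary starting points, not values taken from the investigation.

```python
"""Heuristic relay (proxy) detector over bidirectional flow records.

Added example; the flow schema, local prefix, sample data and thresholds
are all assumptions, not details from the SocksEscort / AVrecon reporting.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int          # session start, epoch seconds
    src: str         # initiator address
    dst: str         # responder address
    dport: int       # responder port (kept for context; the heuristic ignores it)
    bytes_fwd: int   # bytes sent src -> dst
    bytes_rev: int   # bytes sent dst -> src


# Assumed LAN prefix of the monitored site (assumption).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


def is_local(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LOCAL_NET


def find_relays(flows, window=600, min_peers=3, ratio_band=(0.5, 2.0)):
    """Return {local_host: metrics} for hosts that behave like traffic relays.

    Within one time window a relay both accepts sessions from several distinct
    external initiators and opens sessions to several distinct external
    responders, and the bytes arriving on the inbound sessions roughly match
    the bytes leaving on the outbound ones. A browsing client (outbound only)
    or a legitimately exposed server (inbound only) does not meet both halves.
    """
    new_metrics = lambda: {"in_peers": set(), "out_peers": set(),
                           "in_bytes": 0, "out_bytes": 0}
    buckets = defaultdict(lambda: defaultdict(new_metrics))
    for f in flows:
        src_local, dst_local = is_local(f.src), is_local(f.dst)
        if src_local == dst_local:
            continue  # LAN-to-LAN or external-to-external: not a relay edge
        w = f.ts // window
        if dst_local:   # external initiator -> local host (inbound session)
            m = buckets[w][f.dst]
            m["in_peers"].add(f.src)
            m["in_bytes"] += f.bytes_fwd    # payload pushed in from outside
        else:           # local host -> external responder (outbound session)
            m = buckets[w][f.src]
            m["out_peers"].add(f.dst)
            m["out_bytes"] += f.bytes_fwd   # payload pushed out by the host
    flagged = {}
    for w, hosts in buckets.items():
        for host, m in hosts.items():
            if len(m["in_peers"]) < min_peers or len(m["out_peers"]) < min_peers:
                continue
            if m["out_bytes"] == 0:
                continue
            ratio = m["in_bytes"] / m["out_bytes"]
            if ratio_band[0] <= ratio <= ratio_band[1]:
                flagged[host] = {"window": w,
                                 "in_peers": len(m["in_peers"]),
                                 "out_peers": len(m["out_peers"]),
                                 "ratio": round(ratio, 2)}
    return flagged


# Constructed sample flows (documentation-range addresses, invented volumes).
SAMPLE_FLOWS = [
    # Router 192.168.1.1: five external peers connect in, and the router opens
    # five sessions out to unrelated servers carrying about the same volume.
    Flow(1000, "203.0.113.10", "192.168.1.1", 1080, 5200, 800),
    Flow(1010, "203.0.113.11", "192.168.1.1", 1080, 4800, 700),
    Flow(1020, "203.0.113.12", "192.168.1.1", 1080, 6100, 900),
    Flow(1030, "203.0.113.13", "192.168.1.1", 1080, 5000, 600),
    Flow(1040, "203.0.113.14", "192.168.1.1", 1080, 4900, 750),
    Flow(1001, "192.168.1.1", "198.51.100.20", 443, 5100, 9000),
    Flow(1011, "192.168.1.1", "198.51.100.21", 443, 4700, 8700),
    Flow(1021, "192.168.1.1", "198.51.100.22", 443, 6000, 12000),
    Flow(1031, "192.168.1.1", "198.51.100.23", 443, 4900, 7000),
    Flow(1041, "192.168.1.1", "198.51.100.24", 443, 4800, 6600),
    # Laptop 192.168.1.20: ordinary browsing, outbound only.
    Flow(1005, "192.168.1.20", "198.51.100.30", 443, 1200, 50000),
    Flow(1015, "192.168.1.20", "198.51.100.31", 443, 900, 30000),
    Flow(1025, "192.168.1.20", "198.51.100.32", 443, 1100, 45000),
    # NAS 192.168.1.30: intentionally exposed service, inbound only.
    Flow(1002, "203.0.113.50", "192.168.1.30", 443, 3000, 200000),
    Flow(1012, "203.0.113.51", "192.168.1.30", 443, 2500, 150000),
    Flow(1022, "203.0.113.52", "192.168.1.30", 443, 2800, 180000),
]

if __name__ == "__main__":
    for host, metrics in find_relays(SAMPLE_FLOWS).items():
        print(f"possible relay: {host} {metrics}")
```

On the constructed data only the router is flagged: it has five inbound and five outbound peers in the same window and its in/out byte ratio is about 1.02, while the laptop has no inbound peers and the NAS no outbound ones. On real exports the window, peer threshold and ratio band need tuning per site, and a flagged edge device still needs confirmation (firmware hash against the vendor image, whether the update function still works, as the article notes the modified firmware disables it).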
“This botnet became a major threat, as it was only sold to criminals and was only built with vulnerable hardware,” said the Black Lotus Labs team. “Over the past few years, SocksEscort has maintained an average size of about 20,000 different victims every week, with communications being relayed through an average of 15 command and control nodes (C2s).”