
Europol Dismantles SocksEscort — A Global Botnet That Enslaved 369,000 Routers Across 163 Countries for Fraud
Operation Lightning takes down the SocksEscort proxy service, seizing 34 domains and freezing $3.5M in crypto after the botnet enabled millions in fraud through hijacked home routers.
Operation Lightning Strikes
An international law enforcement operation led by Europol has dismantled SocksEscort, a criminal proxy service that hijacked hundreds of thousands of home and small business routers worldwide to facilitate fraud, ransomware distribution, and other cybercrimes. The takedown, announced on March 12, involved authorities from the United States, Austria, Bulgaria, France, Germany, Hungary, the Netherlands, and Romania.
SocksEscort had been operating since 2020, offering cybercriminals the ability to route their internet traffic through the IP addresses of compromised residential routers — making their activities appear to originate from legitimate home internet connections. At its peak, the service listed approximately 369,000 available IP addresses across 163 countries, with nearly 8,000 actively infected routers as of February 2026.
How the Botnet Worked
The service relied on a malware strain called AVRecon, which specifically targeted consumer-grade routers and IoT devices. The malware affected approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel — essentially the most common brands found in homes and small offices worldwide.
Once infected, routers became unwitting participants in a proxy network. Criminals who purchased access through SocksEscort could route their traffic through these residential IP addresses, making fraudulent transactions, account takeovers, and other crimes appear to come from ordinary households. The approach is devastatingly effective at bypassing fraud detection systems that flag suspicious IP addresses.
The Financial Toll
SocksEscort's payment platform received approximately $5.8 million from its criminal customers. The fraud facilitated through the network was far larger — individual cases included a cryptocurrency customer defrauded of $1 million, a manufacturing business that lost $700,000, and U.S. service members defrauded of $100,000. The operation resulted in the seizure of 34 domains, 23 servers across seven countries, and $3.5 million in frozen cryptocurrency.
For consumers, the takedown is a reminder that router security matters. Keeping firmware updated, changing default passwords, and disabling remote management interfaces remain the most effective defenses against botnet recruitment.
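One way for a home or small-office user to verify the third of those defenses, as an added example that is not code from the article or from any of the cited sources: probe your own router's public (WAN) address from a host outside your network and report which common management ports answer. The port list is an assumption (typical HTTP/HTTPS/SSH/Telnet admin ports plus 8291, the MikroTik Winbox port); the article does not say which services AVRecon abused, so the script only tells you what is reachable, not whether a device is infected.

```python
"""Report which common router management ports answer on a public address.

Added example, not from the article. Intended to be run from outside the
network you own, against your own router's WAN address.
"""
import socket
from typing import Dict, Iterable, List

# Assumed: ports commonly used by consumer router admin interfaces.
MANAGEMENT_PORTS: Dict[int, str] = {
    22: "SSH",
    23: "Telnet",
    80: "HTTP admin interface",
    443: "HTTPS admin interface",
    8080: "alternate HTTP admin interface",
    8291: "MikroTik Winbox",
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, filtered, or timed out: treat as not reachable.
        return False


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> List[int]:
    """Return the subset of ports that accept a TCP connection on host."""
    return [p for p in ports if tcp_port_open(host, p, timeout)]


def assess(open_ports: Iterable[int]) -> List[str]:
    """Turn a list of reachable ports into plain-language findings."""
    findings: List[str] = []
    for port in sorted(open_ports):
        label = MANAGEMENT_PORTS.get(port, "unknown service")
        if port == 23:
            findings.append(f"port {port} ({label}): cleartext login, disable it")
        else:
            findings.append(
                f"port {port} ({label}): reachable from the internet, "
                "disable remote management or restrict it to the LAN"
            )
    if not findings:
        findings.append("no management ports reachable from outside")
    return findings


if __name__ == "__main__":
    import sys

    # 192.0.2.1 is a documentation (TEST-NET) placeholder; pass your own WAN address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    for line in assess(probe_ports(target, MANAGEMENT_PORTS)):
        print(line)
```

Run it as `python router_exposure.py <your WAN address>` from a machine that is not behind the router (a phone hotspot works); run from inside the LAN it only tells you what the LAN side exposes, which is not what a botnet operator sees. A port that answers is not proof of compromise, but any admin interface reachable from the WAN is a setting to turn off, after which the script should print the "no management ports reachable" line.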
Sources: Europol (March 12, 2026), TechCrunch (March 12, 2026), The Hacker News (March 12, 2026), CyberScoop (March 13, 2026)
