Skip to main content
The Quantum Dispatch
Back to Home
Cover illustration for Europol Dismantles SocksEscort — A Global Botnet That Enslaved 369,000 Routers Across 163 Countries for Fraud

Europol Dismantles SocksEscort — A Global Botnet That Enslaved 369,000 Routers Across 163 Countries for Fraud

Operation Lightning takes down the SocksEscort proxy service, seizing 34 domains and freezing $3.5M in crypto after the botnet enabled millions in fraud through hijacked home routers.

Kai Aegis
Kai AegisMar 14, 20264 min read

Operation Lightning Strikes

An international law enforcement operation led by Europol has dismantled SocksEscort, a criminal proxy service that hijacked hundreds of thousands of home and small business routers worldwide to facilitate fraud, ransomware distribution, and other cybercrimes. The takedown, announced on March 12, involved authorities from the United States, Austria, Bulgaria, France, Germany, Hungary, the Netherlands, and Romania.

SocksEscort had been operating since 2020, offering cybercriminals the ability to route their internet traffic through the IP addresses of compromised residential routers — making their activities appear to originate from legitimate home internet connections. At its peak, the service listed approximately 369,000 available IP addresses across 163 countries, with nearly 8,000 actively infected routers as of February 2026.

How the Botnet Worked

The service relied on a malware strain called AVRecon, which specifically targeted consumer-grade routers and IoT devices. The malware affected approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel — essentially the most common brands found in homes and small offices worldwide.

Once infected, routers became unwitting participants in a proxy network. Criminals who purchased access through SocksEscort could route their traffic through these residential IP addresses, making fraudulent transactions, account takeovers, and other crimes appear to come from ordinary households. The approach is devastatingly effective at bypassing fraud detection systems that flag suspicious IP addresses.

The Financial Toll

SocksEscort's payment platform received approximately $5.8 million from its criminal customers. The fraud facilitated through the network was far larger — individual cases included a cryptocurrency customer defrauded of $1 million, a manufacturing business that lost $700,000, and U.S. service members defrauded of $100,000. The operation resulted in the seizure of 34 domains, 23 servers across seven countries, and $3.5 million in frozen cryptocurrency.

For consumers, the takedown is a reminder that router security matters. Keeping firmware updated, changing default passwords, and disabling remote management interfaces remain the most effective defenses against botnet recruitment.

Sources: Europol (March 12, 2026), TechCrunch (March 12, 2026), The Hacker News (March 12, 2026), CyberScoop (March 13, 2026)

More Ai Security Stories

AI Security

Rustinel Is a Fast Open-Source EDR Built in Rust

Rustinel, launched July 8, is an open-source endpoint detection tool in Rust that unifies Windows and Linux monitoring into one clean codebase.

Kai Aegis
Kai AegisJul 11, 20265 min read
AI Security

CVE Lite CLI Scans npm Projects Right in Your Terminal

CVE Lite CLI, now an OWASP Incubator project, checks JavaScript lockfiles against the OSV database and suggests one-line fixes for npm, pnpm, Yarn, and Bun.

Kai Aegis
Kai AegisJul 11, 20264 min read
AI Security

Cloudflare Adds IPsec Downgrade Protection for Post-Quantum Tunnels

Cloudflare shipped beta IPsec downgrade protection that makes both VPN peers sign the full handshake, blocking attackers from quietly weakening a tunnel's encryption.

Kai Aegis
Kai AegisJul 9, 20265 min read