INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Law Enforcement Disrupts SocksEscort Proxy Network
2026-03-13 10:00 CRITICAL LOW
Executive Summary AI-generated
The SocksEscort proxy network, a malicious cyber operation, has been dismantled by international law enforcement partners. The US Department of Justice (DoJ) had previously stated that the application listed approximately 8000 infected routers in the country and offered its customers access to them. The malware-infected routers enabled cybercriminals to conceal their true IP addresses and locations. Law enforcement agencies from Austria, France, and the Netherlands worked together to take down and seize domains and servers across seven countries. The operation was part of Operation Lightning, a global effort to dismantle malicious proxy services like SocksEscort.
Technical Mitigations AI-generated
* Regularly update router firmware to prevent exploitation of vulnerabilities and ensure the latest security patches are installed.
* Use reputable antivirus software and keep it up to date to detect and remove malware, including SocksEscort's botnet.
* Implement a firewall on your network to block unauthorized access and limit potential damage from compromised devices.
* Consider using a virtual private network (VPN) when accessing public Wi-Fi networks or connecting to unknown devices to encrypt internet traffic and protect against man-in-the-middle attacks.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Operation Lightning
Operation Winter Shield
Target & Sectors
BENELUX
NORTH_AMERICA
DACH
government
manufacturing
Incident Timeline
the summer of 2020
Threat actors used the SocksEscort proxy network to target law enforcement agencies in the United States.
source_region
United States
Since the summer of 2020, SocksEscort has sold access to about 369,000 different IP addresses, according to the US Justice Department.
organisation
IP
organisation
the US Justice Department
infrastructure
369,000 different IP addresses
2026-02-10
Threat actors used a proxy service to target 8,000 infected routers in the United States.
target_region
United States
As of last month, the criminal network listed access to about 8,000 infected routers to its customers; 2,500 of those were in the US.
infrastructure
8000 infected routers
victims
2,500 customers
attribution
FBI
To combat ongoing cyberthreats such as proxy services, the FBI last month launched Operation Winter Shield with 10 key defensive measures that organizations can take to improve their security posture.
campaign
Operation Winter Shield
general_metric
10 key defensive measures
February 2026
Law enforcement agencies dismantled the SocksEscort proxy network.
target_region
United States
As of February 2026, the SocksEscort application listed approximately 8000 infected routers to which its customers could buy access, of those, 2500 were in the US, a US Department of Justice (DoJ) statement said.
organisation
SocksEscort
organisation
US Department of Justice
infrastructure
8000 infected routers
general_metric
2500 access
organisation
IP
The malware-infected routers enabled cybercriminals to conceal their true originating IP addresses and locations, which furthered frauds like takeovers of US banks and cryptocurrency accounts and fraudulent unemployment insurance claims.
organisation
Europol
On the action day, Europol hosted a Virtual Command Post in its premises in The Hague, the Netherlands, to facilitate coordination between all partners.
organisation
Virtual Command Post
organisation
CSAM
SocksEscort also enabled other criminal activities, including ransomware, distributed denial-of-service (DDoS) attacks and the distribution of child sexual abuse material (CSAM).
organisation
The European Union Agency
The European Union Agency for Criminal Justice, Eurojust, was also involved.
organisation
Criminal Justice
organisation
Eurojust
organisation
Lumen Technologies' Black Lotus Labs
Lumen Technologies' Black Lotus Labs and the Shadowserver Foundation both provided assistance during the investigation and operation.
organisation
the Shadowserver Foundation
financial
$6m Stolen / Extorted Funds
It is estimated that this payment platform received almost $6m from proxy service customers.
March 11
Law enforcement agencies seized 34 domains and 23 servers in seven countries.
infrastructure
34 domains
During the action day on March 11, law enforcement agencies successfully took down and seized 34 domains as well as 23 servers located in seven countries.
infrastructure
23 servers
2026-03-13
The FBI and law enforcement agencies seized 34 domains and 23 servers across seven countries as part of Operation Lightning, dismantling the SocksEscort proxy network blamed for compromising over 360,000 routers and IoT devices in 163 countries since 2020.
financial
$1 million Stolen / Extorted Funds
Some of the victims include a customer of a cryptocurrency exchange who lived in New York and was defrauded of $1 million worth of cryptocurrency, a Pennsylvania manufacturing business defrauded of $700,000, and current and former US service members with Military Star cards who were defrauded out of $100,000.
organisation
SocksEscort
Operation Lightning takes down SocksEscort proxy network blamed for tens of millions in fraud.
financial
$3.5 million US
The US also froze about $3.5 million in cryptocurrency linked to SocksEscort.
infrastructure
34 domains
On Wednesday, the FBI and law enforcement agencies from Austria, France, and the Netherlands seized 34 domains and 23 servers across seven countries as part of Operation Lightning.
infrastructure
23 servers
organisation
IoT
The proxy service is alleged to have compromised over 360,000 routers and internet of things (IoT) devices in 163 countries since 2020 and offered ‘SocksEscort’ customers over 35,000 proxies in recent years.
infrastructure
360,000 routers
organisation
the Shadowserver Foundation
Private-sector organizations - Lumen's Black Lotus Labs and the Shadowserver Foundation - participated in the takedown.
organisation
Black Lotus Labs
organisation
AVRecon
SocksEscort infected home and small business internet routers with a botnet called AVRecon.
organisation
SOHO
Lumen's Black Lotus Labs in 2023 called AVRecon "one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history."
victims
124,000 users
"We know the customer base of SocksEscort had approximately 124,000 users.
Tactical Metrics
infrastructure | 8,000 | Infected Routers
infrastructure | 360,000 | Routers
infrastructure | 34 | Domains
infrastructure | 23 | Servers
financial | 6,000,000 | Stolen / Extorted Funds
financial | 3,500,000 | US
infrastructure | 369,000 | Different IP Addresses
victims | 2,500 | Customers
financial | 1,000,000 | Stolen / Extorted Funds
victims | 124,000 | Users
Intelligence Sources
Infosecurity-Magazine
2026-03-13
Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning
The Register - Cybercrime
2026-03-12
Operation Lightning takes down SocksEscort proxy network blamed for tens of millions in fraud
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T10:51
Comprehensive Tactical Telemetry
Highly Correlated Entities
16x | organisation | Identified Entity | SocksEscort | entity
6x | timeline | Temporal Reference | February 2026 | date
4x | source region | Origin Country | United States | country
3x | target region | Target Country | United States | country
3x | tactic | Cyber Operation Type | Ransomware | tactic
3x | attribution | Attributing Entity | FBI | authority
2x | campaign | Campaign | Operation Lightning | operation
2x | financial | Stolen / Extorted Funds | 6,000,000 | $
2x | industry | Targeted Sector | Manufacturing | sector
Contextual Telemetry
Context Block
13 METRICS
infrastructure | Infected Routers | 8,000 | infected routers
general metric | Access | 2,500 | access
tactic | MITRE ATT&CK Technique | T1090 - Proxy | technique
source region | Origin Region | EUROPE | region
infrastructure | Routers | 360,000 | routers
general metric | Proxies | 35,000 | proxies
infrastructure | Domains | 34 | domains
infrastructure | Servers | 23 | servers
financial | US | 3,500,000 | US
infrastructure | Different IP Addresses | 369,000 | different IP addresses
victims | Customers | 2,500 | customers
general metric | Key Defensive Measures | 10 | key defensive measures
victims | Users | 124,000 | users