A court-authorized international law enforcement operation has dismantled a criminal proxy service named SocksEscort that enslaved thousands of residential routers worldwide into a botnet for committing large-scale fraud.
“SocksEscort infected home and small business internet routers with malware,” the U.S. Department of Justice (DoJ) said. “The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.”
SocksEscort (“socksescort[.]com”) is said to have offered to sell access to about 369,000 different IP addresses in 163 countries since the summer of 2020, with the service listing nearly 8,000 infected routers as of February 2026. Of these, 2,500 were located in the U.S.
As of December 2025, SocksEscort’s website claimed to offer “static residential IPs with unlimited bandwidth” and that they can bypass spam blocklists. It advertised over 35,900 proxies from 102 countries, with a set of 30 proxies costing $15 per month. A package consisting of 5,000 proxies cost $200 a month.
The end goal of services like SocksEscort is to enable paying customers to tunnel internet traffic through compromised devices without the victim’s knowledge, offering them a way to blend in and make it harder to differentiate malicious traffic from legitimate activity by concealing their true IP addresses and locations.
Some of the victims who were defrauded as part of schemes carried out using SocksEscort included a customer of a cryptocurrency exchange who lived in New York and was defrauded of $1 million worth of cryptocurrency; a manufacturing business in Pennsylvania that was defrauded of $700,000; and current and former U.S. service members with MILITARY STAR cards who were defrauded out of $100,000.
In a coordinated announcement, Europol said the effort, codenamed Operation Lightning, involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the U.S. The disruption exercise has resulted in the takedown of 34 domains and 23 servers located in seven countries. A total of $3.5 million in cryptocurrency has been frozen.
“These devices, primarily residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM),” Europol said. “The compromised devices were infected through a vulnerability in the residential modems of a specific brand.”
“To get access to the proxy service, customers had to use a payment platform that made it possible to anonymously purchase the service using cryptocurrency. It is estimated that this payment platform received more than EUR 5 million from proxy service customers.”
SocksEscort was powered by a malware known as AVrecon, details of which were publicly documented by Lumen Black Lotus Labs in July 2023. However, it’s assessed to be active since at least May 2021. The proxy service is estimated to have victimized 280,000 distinct IP addresses beginning in early 2025.
In addition to turning an infected device into a SocksEscort residential proxy, AVrecon is equipped to establish a remote shell to an attacker-controlled server and act as a loader by downloading and executing arbitrary payloads. The malware targets approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, Mikrotik, NETGEAR, TP-Link, and Zyxel.
In a statement shared with The Hacker News, a NETGEAR spokesperson said that while some of its devices were reported to be targeted in “early stages of the botnet activity in 2016,” the company worked quickly to deploy remediation efforts and that there is no indication that its equipment had been exploited since then.
“The vast majority of observed devices infected with AVrecon malware are small-office/home-office (SOHO) routers infected using critical vulnerabilities such as Remote Code Execution (RCE) and command injection,” the U.S. Federal Bureau of Investigation said in an alert. “AVrecon malware is written in the C language and primarily targets MIPS and ARM devices.”
To achieve persistence, the threat actors have been observed using the device’s built-in update mechanism to flash a custom firmware image containing a copy of AVrecon, which is hard-coded to execute it on device startup. The modified firmware also disables the device’s update and flashing features, thereby causing the devices to be permanently infected.
“This botnet posed a significant threat, as it was marketed exclusively to criminals and composed solely of compromised edge devices,” the Black Lotus Labs team said. “Over the past several years, SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).”
(The story was updated after publication to include a response from NETGEAR.)
