International law enforcement partners have executed Operation Lightning and dismantled malicious proxy service ‘SocksEscort.’
The proxy service is alleged to have compromised over 360,000 routers and internet of things (IoT) devices in163 countries since 2020 and offered ‘SocksEscort’ customers over 35,000 proxies in recent years.
As of February 2026, the SocksEscort application listed approximately 8000 infected routers to which its customers could buy access, of those, 2500 were in the US, a US Department of Justice (DoJ) statement said.
The malware allowed SocksEscort to direct internet traffic through the infected routers, which belonged to both businesses and individuals globally.
The malware-infected routers enabled cybercriminals to conceal their true originating IP addresses and locations, which furthered frauds like takeovers of US banks and cryptocurrency accounts and fraudulent unemployment insurance claims.
SocksEscort also enabled other criminal activities, including ransomware, distributed denial-of-service (DDoS) attacks and the distribution of child sexual abuse material (CSAM).
To get access to the proxy service, customers had to use a payment platform that made it possible to anonymously purchase the service using cryptocurrency. It is estimated that this payment platform received almost $6m from proxy service customers.
To protect against such exploits, router users, and vendors are advised to update the firmware of their devices regularly.
During the action day on March 11, law enforcement agencies successfully took down and seized 34 domains as well as 23 servers located in seven countries.
The US also froze $3.5m in cryptocurrency.
Law enforcement agencies involved in Operation Lightning included those from the US, Austria, France and the Netherlands. The European Union Agency for Criminal Justice, Eurojust, was also involved.
On the action day, Europol hosted a Virtual Command Post in its premises in The Hague, the Netherlands, to facilitate coordination between all partners.
Lumen Technologie’s Black Lotus Labs and the Shadowserver Foundation both provided assistance during the investigation and operation.
