
An international law enforcement operation has dismantled a major cybercrime network known as SocksEscort, a criminal proxy service that used thousands of hacked internet routers to facilitate large-scale fraud and cyberattacks. The takedown followed a court-authorized operation involving multiple global agencies and cybersecurity partners. Investigators said the service secretly infected routers belonging to individuals and small businesses, turning them into part of a large botnet used by cybercriminals.
The SocksEscort platform allowed customers to route internet traffic through compromised devices, effectively masking their real location and identity while carrying out illegal activities online. According to investigators, the service has offered access to around 369,000 IP addresses across 163 countries since the summer of 2020. As of February 2026, nearly 8,000 routers were still listed as active in the network, including around 2,500 located in the United States.
Authorities explained that the infected devices were mainly residential routers that had been compromised through malware. The malicious software allowed operators of the network to redirect internet traffic through these devices without the knowledge of their owners. By using residential IP addresses instead of suspicious data-center servers, criminals were able to bypass detection systems and appear to be normal internet users while conducting illegal activities.
Investigators say the network played a role in a wide range of cybercrimes, including ransomware attacks, distributed denial-of-service (DDoS) attacks, fraud schemes, and the distribution of illegal content. Several victims were linked to the network’s activities, including a cryptocurrency exchange customer in New York who lost about $1 million and a manufacturing business in Pennsylvania that was defrauded of $700,000. U.S. military personnel were also reportedly targeted in separate fraud schemes involving stolen financial information.
The operation to dismantle the botnet, codenamed Operation Lightning, involved law enforcement agencies from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the United States. Authorities successfully seized 34 domains and shut down 23 servers located in seven different countries that were used to operate the network. Investigators also froze about $3.5 million in cryptocurrency connected to the service.
Security researchers linked the network to a malware strain known as AVrecon, which targets small office and home office routers. The malware can establish remote connections to attacker-controlled servers and download additional malicious software. In some cases, attackers modified router firmware so that the malware would automatically run whenever the device restarted, making the infection difficult to remove.
Cybersecurity experts say the takedown highlights the growing threat posed by botnets built from poorly secured internet-connected devices. Routers and other network equipment often run outdated software or use weak default passwords, making them easy targets for attackers. Once compromised, these devices can be quietly recruited into global botnets that criminals use to hide their activities and launch cyberattacks on a massive scale.
Authorities are now urging individuals and businesses to secure their routers by updating firmware, changing default passwords, and regularly applying security patches. Experts warn that improving basic device security remains one of the most effective ways to prevent similar botnets from emerging in the future.




