U.S. and European law enforcement, with private partners, disrupted the SocksEscort proxy network that routed criminal traffic through compromised Linux edge devices. A technical analysis by Lumen’s Black Lotus Labs reported the network averaged about 20,000 infected devices each week for several years.
KEY FACTS
- Service: SocksEscort provided criminal proxy access through compromised residential and small business devices
- Malware: The network was powered by AVRecon targeting Linux SOHO routers
- Scale: Since 2020 the service offered access to roughly 369,000 IP addresses and the app listed about 8,000 infected routers in February 2026
- Enforcement: Domains and servers were taken down and U.S. authorities froze cryptocurrency
U.S. Department of Justice press release: losses connected to the service included $1 million in stolen cryptocurrency from a New York user, $700,000 in fraud against a Pennsylvania manufacturer, and $100,000 in damages affecting service members.
Europol: coordinated action removed and seized 34 domains and 23 servers across seven countries, and U.S. authorities froze $3.5 million in cryptocurrency.
The report: AVRecon has been active since at least May 2021 and infected well over 70,000 Linux small office and home office routers by mid-2023. The network relied solely on AVRecon to add nodes and the analysis shows 280,000 unique victim IP addresses seen since early 2025.
To limit the risk of compromise, the guidance is to replace routers that have reached end of life, apply the latest firmware updates, change default administrator passwords, and disable remote administration if it is not needed.
WHY IT MATTERS
Disconnecting the SocksEscort infrastructure removes a large pool of residential IP addresses that criminals used to route attacks and fraud. Device lifecycle management and basic router hygiene reduce the pool of vulnerable endpoints.

