Authorities dismantle SocksEscort proxy service built from infected residential routers

Authorities dismantled the SocksEscort proxy service in March 2026 after a court-authorized international operation that seized infrastructure, froze $3.5 million in cryptocurrency and removed a botnet of infected residential routers, a press release from the U.S. Department of Justice said.

KEY FACTS

  • Incident: court-authorized takedown of the SocksEscort proxy service
  • Scope: access to about 369,000 IP addresses across 163 countries and nearly 8,000 infected routers listed as of February 2026
  • Malware: AVrecon infected SOHO routers and could embed custom firmware for persistence
  • Impact: $3.5 million in cryptocurrency frozen and documented fraud losses to multiple victims

The disruption, undertaken under Operation Lightning, removed 34 domains and 23 servers located across seven countries and curtailed a proxy service that advertised static residential IPs for criminal use.

Documented fraud incidents include a New York cryptocurrency customer who lost $1 million, a Pennsylvania manufacturing firm that lost $700,000 and current and former U.S. service members whose MILITARY STAR cards were used to steal about $100,000.

Technically, the botnet used AVrecon malware to target roughly 1,200 device models from multiple vendors by exploiting remote code execution and command injection flaws. The malware could open remote shells, download arbitrary payloads and persist by flashing modified firmware that disables updates.

The service offered tens of thousands of residential proxies for sale with tiered pricing and accepted anonymous cryptocurrency payments. The payment platform linked to the service is reported to have received more than EUR 5 million from customers.

WHY IT MATTERS

The takedown reduces the marketed criminal proxy infrastructure that blended illicit traffic with legitimate residential connections. Unpatched small office and home routers remain attractive targets and can be permanently compromised if firmware is overwritten.