SocksEscort
SocksEscort is a criminal residential proxy service that hijacked internet-connected devices, primarily home and small-office routers, and sold access to them as residential proxies to conceal customers’ real locations and IP addresses during cybercrime. Authorities and the FBI assess that the actors behind SocksEscort compromised routers and IoT devices, installed AVrecon malware, and monetized the botnet under the SocksEscort brand. The service is believed to have compromised and sold access to approximately 369,000 devices in 163 countries since 2020, with around 8,000 actively infected routers observed at a given time, including about 2,500 in the United States.

SocksEscort relied on AVrecon malware, which targeted roughly 1,200 device models from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel, primarily affecting SOHO routers and other IoT devices. Reported tradecraft included scanning for internet-exposed vulnerable devices; exploiting known but unpatched remote code execution, command injection, SOAP-related, and other flaws; establishing remote shell access; downloading and executing arbitrary payloads; updating configuration; and, in some cases, achieving persistence by flashing custom firmware that launched AVrecon at startup and disabled update and reflashing features. Infected devices communicated with command-and-control infrastructure over ports 8000 and 8080 using a custom PING/PONG loop.

Authorities linked SocksEscort-enabled infrastructure to account takeover of bank and cryptocurrency accounts, fraudulent unemployment claims, ad fraud, password spraying, website exploitation attempts, digital marketplace fraud, banking fraud, romance fraud, DDoS attacks, ransomware activity, and the distribution of child sexual abuse material.
The service advertised static residential IPs and sold proxy subscriptions, including 30 proxies for $15 per month and 5,000 proxies for about $200 per month, with payments processed through cryptocurrency-based systems designed to preserve anonymity. Investigators estimated the operation generated more than €5 million in revenue. SocksEscort was dismantled in a coordinated international law enforcement operation involving the United States and multiple European countries. The operation resulted in the seizure of 34 domains, disruption or seizure of 23 servers across seven countries, and the freezing of approximately $3.5 million in cryptocurrency. No additional aliases or sub-groups are directly identified in the provided content.
Targeting
Who they target
Sectors the actor has been observed targeting.
- Banks
- Financial Services
- Capital Goods
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
19 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family, AVrecon, attributed to this actor across reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Operated a criminal residential proxy network built on compromised home and small-business routers, selling anonymized proxy access to customers for fraud and other illegal activity.
Criminal proxy service that infected residential and small business routers worldwide, turned them into a botnet, and sold access to compromised residential IPs to customers for fraud and other criminal activity.
Operates a botnet of compromised routers and IoT devices infected with AVrecon and monetizes access by selling them as residential proxies; observed supporting ad fraud, website vulnerability exploitation attempts, password spraying, digital marketplace fraud, banking fraud, and romance fraud.