An international law-enforcement operation dubbed Operation Lightning disrupted SocksEscort, a paid “residential proxy” service that routed criminal traffic through compromised home/small-business routers and IoT devices to provide anonymity for fraud and other cybercrime. Authorities from the US and multiple European countries (including Austria, France, and the Netherlands), supported by Europol and Eurojust and assisted by private-sector partners Lumen’s Black Lotus Labs and the Shadowserver Foundation, reported the botnet had leveraged exploited vulnerabilities in edge devices and was powered by AVRecon (Linux) malware. Officials said SocksEscort advertised access to roughly 369,000 IP addresses since 2020, with Europol stating the infrastructure compromised 369,000+ routers/IoT devices across 163 countries and offered customers tens of thousands of proxies; reporting also noted that, as of February 2026, the service listed about 8,000 infected routers, including roughly 2,500 in the United States.
During the coordinated action, authorities seized 34 domains and 23 servers across seven countries, replaced the service’s website with a seizure notice, and the US froze approximately $3.5 million in cryptocurrency tied to the operation; officials also cited the service’s payment platform receiving about $5.8 million from customers. SocksEscort was described as enabling a wide range of downstream criminal activity—including large-scale fraud, account takeovers, identity theft, business email compromise, password spraying, and, per Europol, facilitation of ransomware, DDoS, and distribution of CSAM—with US reporting citing specific victim losses (including a $1M cryptocurrency theft and additional six-figure fraud impacts). Investigators indicated the seized infrastructure and customer data (reported as roughly 124,000 users) will be used to pursue follow-on investigations into both operators and customers of the proxy service.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
In post-takedown disclosures, law enforcement and private-sector partners including Lumen Black Lotus Labs and the Shadowserver Foundation said the SocksEscort network was powered by the AVRecon Linux malware family. They described AVRecon as infecting SOHO routers and edge devices from multiple vendors to provide proxying, persistence, and remote access for the criminal service.
Following the takedown announcement, officials said SocksEscort had enabled fraud, bank and cryptocurrency account takeovers, fraudulent unemployment claims, ransomware, DDoS attacks, and child sexual abuse material distribution. They also linked the service to specific U.S. losses, including about $1 million stolen from a New York cryptocurrency victim, $700,000 from a Pennsylvania manufacturer, and roughly $100,000 involving MILITARY STAR card fraud.
On 11 March 2026, U.S. and European law enforcement agencies, coordinated with Europol and Eurojust, executed Operation Lightning against SocksEscort. The action seized 34 domains and 23 servers across seven countries, froze $3.5 million in cryptocurrency, and disconnected infected devices from the proxy service.
By February 2026, investigators said SocksEscort's application still listed about 8,000 infected routers for sale, including around 2,500 in the United States. This showed the proxy service remained active shortly before the takedown.
Europol said its Joint Cyberaction Task Force opened an investigation into the SocksEscort infrastructure in June 2025. Investigators determined the botnet had been built by exploiting a vulnerability in residential modems from a specific vendor.
Authorities said the SocksEscort service had been offering proxy access to compromised routers and IoT devices since summer 2020, ultimately advertising access to roughly 369,000 IP addresses across 163 countries. The service monetized infected home and small-business devices as residential proxies for cybercriminal use.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
17 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourceteiss.co.uk
Open sourcetomshardware.com
Open sourcescworld.com
Open sourcetherecord.media
Open sourcego.theregister.com
Open sourceeuropol.europa.eu
Open sourceinfosec.pub
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.