SocksEscort's fall: the global proxy network that turned home routers into a gateway for mass fraud


An international, court-authorized operation has just dismantled a criminal proxy service that had turned home and small-business routers into a large remote network for fraudulent activity. According to the U.S. Department of Justice, the service, known as SocksEscort, installed malware on edge devices to route traffic through them and then sold that access to third parties.

Prosecutors and law enforcement describe a scheme that not only dealt in residential IP addresses but also let its customers hide their real origin, confusing detection systems and shielding scams behind apparently legitimate traffic. The U.S. Government explains the details in its official statement, which can be read here: Department of Justice - press release on SocksEscort.

Image generated with AI.

The figures that have come to light show the scale of the problem: since the summer of 2020 the service is said to have offered for sale access to hundreds of thousands of IP addresses spread across more than a hundred countries; in early 2026 the platform listed thousands of compromised routers, a significant number of them located in the United States. The service's own website promised, at least until the end of 2025, "static residential addresses with unlimited bandwidth" and pricing tiers designed for different usage volumes.

It was not a simple proxy: the technical infrastructure behind SocksEscort was built on a malware strain known as AVrecon, which industry researchers had already documented. The malware could not only turn a device into a proxy but also open a remote shell and download additional executables, making it a versatile entry point for different types of attack. A technical summary and official alerts give more context on these capabilities and the variety of devices affected: the FBI / IC3 alert and the analysis by Black Lotus Labs researchers, who have followed the evolution of AVrecon.

The targeted models span a wide range of commercial and consumer devices: manufacturers such as Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link and Zyxel were among those named. The attackers reportedly exploited serious vulnerabilities, including flaws that allow remote code execution or command injection, to deploy the malicious code. To ensure persistence, in many cases the device's legitimate firmware update mechanism was used to flash a modified image that disabled the update functions, leaving the device permanently compromised.

The practical consequence for the victims was twofold: on the one hand, their devices were under the control of attackers; on the other, this infrastructure allowed criminals to operate with a high degree of stealth. Europol summed up the impact by warning that the hijacked machines were used to facilitate everything from denial-of-service attacks and ransomware campaigns to the distribution of illegal material. The coordinated intervention, called Operation Lightning, involved law enforcement from several European countries and the United States; the EU agency describes the operation and its results here: Europol - press release on the disruption of SocksEscort.

At the economic level, the damage has been real and documented. Individual cases with losses running into the millions have been identified: from a user of a cryptocurrency exchange who was stripped of about a million dollars, to a manufacturing company that suffered a fraud of hundreds of thousands. There were also victims among military personnel who saw funds drained from service-specific payment cards. The investigations have also succeeded in freezing cryptocurrency assets linked to the illicit activity.

Those responsible for the operation note that the service sat within an ecosystem designed to preserve the anonymity of buyers: access was purchased through cryptocurrency payment platforms, which according to the authorities generated multi-million income for those running the infrastructure. The authorities managed to take down dozens of domains and servers linked to the network, and to freeze significant amounts of cryptocurrency tied to the scheme.

From a technical point of view, what makes a service like SocksEscort particularly dangerous is that it sells digital camouflage: by sending traffic through real residential devices, an attacker can appear local or legitimate to security systems and online platforms, making traceability and attribution difficult. Industry researchers have stressed that, at the time, the botnet sustained tens of thousands of weekly victims and operated with multiple command-and-control nodes to resist disruption.

For those who use home networks or manage small infrastructure, the lesson is clear: many attacks start from default settings, outdated firmware or exposed remote-management services. Keeping devices up to date, changing default passwords, disabling remote administration when it is not required and applying the security fixes published by manufacturers are key measures to reduce the risk of intrusion. Authorities and response teams recommend reviewing public advisories and applying patches; the FBI technical notice is a good starting point for administrators and users concerned about this threat.
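A defender-side check for the behaviour the article describes, as an added example that is not part of the original article or of any vendor's or agency's tooling: a router enrolled in a proxy service originates sessions itself rather than forwarding them for a LAN client, so anyone who manages small infrastructure and can capture flows on both sides of the router can correlate the two captures and isolate the router-originated traffic. NAT rewrites the source address and port but keeps destination and destination port, which is what the correlation relies on. The addresses (RFC 5737 documentation ranges), the flow records, the allow-list of housekeeping ports (DNS, NTP), the 2-second match window and the fan-out threshold are all constructed for this example and are assumptions, not figures from the DoJ, Europol, FBI or Black Lotus Labs reports.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Tuple

@dataclass(frozen=True)
class Flow:
    ts: int      # start time in seconds (constructed values)
    src: str     # source address as seen on that side of the router
    dst: str     # destination address
    dport: int   # destination port

# Router WAN address from the RFC 5737 documentation range (assumption).
ROUTER_WAN = "203.0.113.7"
# Ports a router legitimately talks to on its own behalf (constructed allow-list):
# LAN clients resolve via the router, so upstream DNS and NTP never appear on the LAN side.
ROUTER_BENIGN_PORTS = {53, 123}

def router_originated(lan: Iterable[Flow], wan: Iterable[Flow], slack: int = 2) -> List[Flow]:
    """Return WAN-side flows that no LAN client initiated.

    A forwarded session shows up on both sides with the same (dst, dport) within a
    few seconds; a WAN flow with no such LAN counterpart was started by the router."""
    lan_index = defaultdict(list)
    for f in lan:
        lan_index[(f.dst, f.dport)].append(f.ts)
    unmatched = []
    for f in wan:
        candidates = lan_index.get((f.dst, f.dport), [])
        if not any(abs(f.ts - t) <= slack for t in candidates):
            unmatched.append(f)
    return unmatched

def proxy_suspect(lan: Iterable[Flow], wan: Iterable[Flow],
                  threshold: int = 10) -> Tuple[bool, List[Tuple[str, int]]]:
    """Flag the router if, after dropping its housekeeping traffic, it still
    originated sessions to many distinct hosts. The threshold is illustrative."""
    own = [f for f in router_originated(lan, wan) if f.dport not in ROUTER_BENIGN_PORTS]
    dests = sorted({(f.dst, f.dport) for f in own})
    return len(dests) >= threshold, dests

def sample_lan() -> List[Flow]:
    # Constructed: one laptop opening three HTTPS sessions.
    c = "192.168.1.20"
    return [Flow(100, c, "198.51.100.10", 443),
            Flow(105, c, "198.51.100.11", 443),
            Flow(110, c, "198.51.100.12", 443)]

def sample_wan_clean() -> List[Flow]:
    # Constructed: the same three sessions after NAT, plus the router's own DNS and NTP.
    r = ROUTER_WAN
    return [Flow(100, r, "198.51.100.10", 443),
            Flow(105, r, "198.51.100.11", 443),
            Flow(111, r, "198.51.100.12", 443),
            Flow(99, r, "198.51.100.53", 53),
            Flow(120, r, "198.51.100.123", 123)]

def sample_wan_proxied() -> List[Flow]:
    # Constructed: the clean capture plus 15 sessions the router opened itself
    # to unrelated servers, the fan-out a proxy node produces for its customers.
    extra = [Flow(200 + i, ROUTER_WAN, f"192.0.2.{i + 1}", 443 if i % 2 else 80)
             for i in range(15)]
    return sample_wan_clean() + extra

if __name__ == "__main__":
    print("clean  :", proxy_suspect(sample_lan(), sample_wan_clean()))
    print("proxied:", proxy_suspect(sample_lan(), sample_wan_proxied()))
```

The check deliberately looks at what the router does on its own behalf rather than at the volume of forwarded traffic, because a household's ordinary browsing also fans out to many hosts; only traffic with no LAN originator is attributable to the device itself. A real deployment would need the vendor's update and telemetry hosts added to the allow-list.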


The SocksEscort case is also a broader wake-up call: as millions of IoT devices and routers are deployed in homes and SMEs, the attack surface grows and criminals find in these devices a cheap and abundant resource. The international police response shows that cooperation between jurisdictions and joint work between the public and private sectors remain essential to dismantling illicit networks that operate globally.

To dig deeper into the official sources and the technical analysis that has been emerging, see the Department of Justice press release mentioned above, the Europol statement, the FBI technical bulletin and the Black Lotus Labs researchers' follow-up on AVrecon: DoJ, Europol, FBI / IC3 and the public report of the researchers who have tracked the malware (Black Lotus Labs).

In short, the fall of SocksEscort is a victory for justice, but also a reminder that Internet security begins with each connected device. Protecting a home router is not just a technical measure: it is a concrete barrier against fraud that can ruin people and businesses.
