Law enforcement from eight countries this week dismantled SocksEscort, a residential proxy service built on hundreds of thousands of compromised routers worldwide and sold to criminals as an anonymisation layer. As part of Operation Lightning, the FBI and law enforcement agencies from Austria, France, and the Netherlands seized 34 domains and 23 servers across seven countries.
The service enabled activity that caused tens of millions of dollars in losses, including ransomware, ad fraud, account takeovers, identity theft, business email compromise, romance scams, and password spraying, according to FBI Deputy Assistant Director Jason Bilnoski. The US froze approximately USD 3.5 million in cryptocurrency linked to SocksEscort.
The takedown represents a significant victory in combating what had become an entrenched criminal infrastructure. SocksEscort had functioned for more than a decade by offering cybercriminals traffic routing services through residential or small business devices. The service originated in 2009 as a Russian-language service selling access to hacked computers, adapting over the years to maintain operations despite earlier disruption attempts.
The technical mechanism behind SocksEscort made its customers' activity particularly difficult to detect. The service infected home and small business internet routers with a botnet called AVRecon, malware that lets criminals remotely control infected devices and relay their internet traffic through the compromised routers. Because the traffic exits from an ordinary residential IP address rather than a data-centre or VPN range, IP-reputation and geolocation checks that would flag a conventional proxy see what looks like a legitimate home user. Researchers believe the AVRecon malware was used exclusively for growing SocksEscort, as observed victim IP addresses were not seen in other botnets or services.
The scope of the criminal operation was substantial. The service allegedly compromised over 369,000 routers and Internet of Things devices in 163 countries, and the proxy network maintained an average of roughly 20,000 active infected devices per week over the past several years. Over half of the infected devices were located in the United States and the United Kingdom, which let attackers appear to be local users when targeting victims and fraud controls in those countries.
Specific victims illustrate the financial harm the network inflicted. Documented victims include a cryptocurrency exchange customer in New York who was defrauded of USD 1 million, a Pennsylvania manufacturing business defrauded of USD 700,000, and current and former US service members with Military Star cards who were defrauded out of USD 100,000.
The operation's success depended on international cooperation. Private-sector organisations Lumen's Black Lotus Labs and the Shadowserver Foundation participated in the takedown. This public-private partnership model has become essential in tackling infrastructure-level cybercrime that transcends borders.
Lumen researchers had previously disrupted the AVRecon router botnet in 2023 by null-routing its command-and-control infrastructure across Lumen's network, cutting infected devices off from their operators. That disruption had limited effect: the infected routers themselves were never cleaned, and over time the operators returned to regular operations, routing communications through 15 command-and-control nodes. The latest operation represents a more comprehensive takedown.
Looking forward, cyber defence requires both enforcement and prevention. The FBI last month launched Operation Winter Shield with 10 key defensive measures that organisations can take to improve their security posture. Among them, tracking and retiring end-of-life technology on a defined schedule is especially relevant here: routers past their vendor's end-of-life date no longer receive firmware fixes, so known vulnerabilities remain exploitable indefinitely, which is exactly what makes them easy to absorb into residential proxy networks.
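As an added illustration of what "tracking and retiring end-of-life tech on a defined schedule" looks like in practice, the following script (written for this page, not part of Operation Winter Shield or any FBI material) classifies a router inventory against vendor end-of-life dates. The inventory, hostnames and vendor names are constructed sample data; the 180-day planning window is an assumed policy value, not one the FBI specifies.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): hostname, model and the
# vendor-announced end-of-life (EOL) date in ISO format, or None when the
# vendor has published no EOL date for the model.
INVENTORY = [
    {"host": "branch-rtr-01", "model": "Vendor-A 1900", "eol": "2020-06-30"},
    {"host": "branch-rtr-02", "model": "Vendor-B X200", "eol": "2026-07-31"},
    {"host": "home-office-07", "model": "Vendor-C R7", "eol": None},
    {"host": "lab-rtr-03", "model": "Vendor-A 2900", "eol": "2030-01-01"},
]


def _as_date(today):
    """Accept either an ISO date string or a date object."""
    return date.fromisoformat(today) if isinstance(today, str) else today


def classify(device, today, warn_days=180):
    """Classify one device against a retirement schedule.

    Returns one of:
      'retire'  - the EOL date has passed (or is today); the device no longer
                  receives firmware fixes and should be pulled from the network
      'plan'    - EOL falls within `warn_days`; budget the replacement now
      'ok'      - EOL is further out than `warn_days`
      'unknown' - no EOL date on record; treat as unverified, not as safe
    """
    today = _as_date(today)
    if not device.get("eol"):
        return "unknown"
    eol = date.fromisoformat(device["eol"])
    if eol <= today:
        return "retire"
    if eol - today <= timedelta(days=warn_days):
        return "plan"
    return "ok"


def schedule(inventory, today, warn_days=180):
    """Group an inventory into retirement buckets, hostnames sorted per bucket."""
    report = {"retire": [], "plan": [], "ok": [], "unknown": []}
    for device in inventory:
        report[classify(device, today, warn_days)].append(device["host"])
    for hosts in report.values():
        hosts.sort()
    return report


def days_past_eol(device, today):
    """Days since EOL (positive = overdue, negative = remaining); None if unknown."""
    if not device.get("eol"):
        return None
    return (_as_date(today) - date.fromisoformat(device["eol"])).days


if __name__ == "__main__":
    run_date = date.today().isoformat()
    for bucket, hosts in schedule(INVENTORY, run_date).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

The design choice worth noting is that a device with no recorded EOL date lands in its own `unknown` bucket rather than being treated as fine: an inventory entry you cannot verify is a gap in the schedule, and in the residential-proxy scenario the devices nobody is tracking are precisely the ones that stay infected.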
The disruption of SocksEscort demonstrates that even sophisticated criminal infrastructure can be dismantled through sustained international coordination. However, the speed with which the operators previously rebuilt operations after earlier disruptions suggests that shutting down these services requires ongoing vigilance alongside improved basic cyber hygiene across consumer and business networks worldwide.