Archived Article: The Daily Perspective is no longer active. This article was published on 14 March 2026 and is preserved as part of the archive.

Crime

Global Law Enforcement Dismantles 17-Year Cybercrime Proxy Network

Operation Lightning disrupts SocksEscort's 369,000 compromised routers across 163 countries; $3.5 million in cryptocurrency frozen

Key Points
  • US and European authorities dismantled SocksEscort, a 17-year-old proxy network operating across 163 countries with 369,000 infected routers
  • Operation Lightning seized 34 domains, 23 servers across 7 countries, and froze $3.5 million in cryptocurrency
  • The service facilitated ransomware attacks, account takeovers, fraud, and exploitation of child sexual abuse material using compromised home and business routers
  • Thousands of criminal users are now exposed; authorities anticipate wave of indictments and increased scrutiny of crypto exchanges

SocksEscort began operating in 2009, and for most of its life its command-and-control infrastructure escaped detection while it functioned as an industrial-scale anonymity service for cybercriminals. This week, that cover was stripped away. Authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the U.S. executed Operation Lightning, taking down and seizing 34 domains and 23 servers in seven countries.

The scale of the operation underscores law enforcement's preference for infrastructure disruption over individual arrests. The criminal proxy service enslaved thousands of residential routers worldwide into a botnet used for large-scale fraud: SocksEscort infected home and small-business internet routers with malware that let it route internet traffic through the infected devices, and it sold that access to its customers.

The financial toll spans continents. Victims defrauded included a cryptocurrency exchange customer in New York who lost $1 million worth of cryptocurrency; a manufacturing business in Pennsylvania that was defrauded of $700,000; and current and former U.S. service members with MILITARY STAR cards who were defrauded out of $100,000. The proxy network's payment platform received about $5.8 million from its customers, collected primarily through cryptocurrency to mask the money trail.

The technical capabilities were formidable. The malware targets approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, Mikrotik, NETGEAR, TP-Link, and Zyxel. Older equipment, often end-of-life routers with unpatched vulnerabilities, proved especially easy to compromise. The botnet maintained a consistently high volume, claiming an average of 20,000 new victims weekly since early 2024, and peaked in January 2025 when it ensnared more than 15,000 victims daily.

What those victims did not realise is what made the service so valuable: they became unwitting accomplices. Once a device was infected, its owner had no indication that its IP address was being used for illegitimate activity. A residential IP address from a suburban home carries an inherent legitimacy that no proxy farm can replicate, because banks treat traffic from home users differently from traffic from data centres. Fraudsters exploited this asymmetry.

The crimes enabled range from the straightforward to the repugnant. The compromised devices were exploited to facilitate ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). For cybercriminals, SocksEscort provided the digital equivalent of a sophisticated disguise: hide your true location, appear legitimate, and your attacks succeed at scale.

The disruption creates immediate legal exposure. The takedown exposes the 124,000 registered users who were using the service to mask illicit activities, since authorities now hold the transaction data and are preparing downstream indictments. Forensic analysis of seized payment records and server logs will identify customers. The criminal ecosystem now faces a period of vulnerability.

For legitimate commerce, particularly cryptocurrency exchanges, the implications are sharper. Regulators are drawing a harder line between legitimate privacy tools and criminal evasion infrastructure. Compliant platforms are already moving to verify that user traffic comes from legitimate ISPs rather than compromised botnets. The financial sector learned from this operation: proxy networks exist on a spectrum, and the burden of verification now falls on the platforms.
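The two paragraphs above describe the defender's side of the problem: a fraud platform cannot simply trust residential-looking traffic, and it cannot simply block data-centre traffic either, so it has to score sessions on origin and behaviour. The following is an added illustration of that kind of check, written for this article; it is not code from the operation, from any exchange, or from the investigators. The ASN table, the compromised-router indicator list, the log format and every address in it are constructed (reserved documentation and benchmarking ranges, placeholder ASNs AS64500 to AS64503), standing in for a real IP-to-ASN feed and a real threat-intelligence list.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IP-to-ASN table (hypothetical). A real deployment would query an
# IP-to-ASN feed; "kind" is the network type that feed would report.
NETWORKS = [
    (ipaddress.ip_network("198.51.100.0/24"), "AS64500", "residential"),
    (ipaddress.ip_network("203.0.113.0/24"), "AS64501", "residential"),
    (ipaddress.ip_network("192.0.2.0/24"), "AS64502", "residential"),
    (ipaddress.ip_network("198.18.0.0/15"), "AS64503", "hosting"),
]

# Constructed indicator list: addresses reported as proxy exits on compromised
# routers. In practice this would be a threat-intelligence feed, not a literal.
COMPROMISED_ROUTER_IPS = {"198.51.100.23", "203.0.113.77"}

# Events where origin matters most; hosting-range traffic on these gets flagged.
SENSITIVE_EVENTS = {"transfer", "withdrawal"}


def classify_ip(ip):
    """Return (asn, kind) for an address, or (None, 'unknown') if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, asn, kind in NETWORKS:
        if addr in net:
            return asn, kind
    return None, "unknown"


def parse_line(line):
    """Parse the constructed log format: '<ISO ts> user=<id> ip=<addr> event=<name>'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "ts": datetime.fromisoformat(ts_str),
        "user": fields["user"],
        "ip": fields["ip"],
        "event": fields["event"],
    }


def score_sessions(lines, window=timedelta(hours=1), max_residential_asns=2):
    """Flag sessions that look like residential-proxy abuse.

    Three signals, each recorded as a reason string:
      - the source IP is on the compromised-router indicator list;
      - one account appears from more than max_residential_asns distinct
        residential ASNs inside the time window (exit rotation through
        victims' routers, which a legitimate home user would not do);
      - a sensitive event arrives from a hosting (data-centre) range.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    history = defaultdict(list)  # user -> [(ts, asn, kind)]
    findings = []
    for ev in events:
        asn, kind = classify_ip(ev["ip"])
        reasons = []
        if ev["ip"] in COMPROMISED_ROUTER_IPS:
            reasons.append("ip_on_compromised_router_list")
        hist = history[ev["user"]]
        hist.append((ev["ts"], asn, kind))
        recent_residential = {
            a for t, a, k in hist
            if k == "residential" and ev["ts"] - t <= window
        }
        if len(recent_residential) > max_residential_asns:
            reasons.append(f"{len(recent_residential)}_residential_asns_in_window")
        if kind == "hosting" and ev["event"] in SENSITIVE_EVENTS:
            reasons.append("hosting_asn_on_sensitive_event")
        if reasons:
            findings.append({"user": ev["user"], "ip": ev["ip"],
                             "asn": asn, "event": ev["event"], "reasons": reasons})
    return findings


# Constructed sample log lines; none of these addresses or users are real.
SAMPLE_LOG = [
    "2026-03-10T09:00:00 user=alice ip=198.51.100.5 event=login",
    "2026-03-10T09:05:00 user=alice ip=198.51.100.9 event=transfer",  # same ASN: fine
    "2026-03-10T09:10:00 user=bob ip=203.0.113.77 event=login",       # on indicator list
    "2026-03-10T09:12:00 user=carol ip=198.51.100.40 event=login",
    "2026-03-10T09:20:00 user=carol ip=203.0.113.8 event=login",
    "2026-03-10T09:35:00 user=carol ip=192.0.2.12 event=transfer",    # third residential ASN
    "2026-03-10T09:40:00 user=dave ip=198.18.5.5 event=login",        # hosting, login only
    "2026-03-10T09:41:00 user=dave ip=198.18.5.5 event=transfer",     # hosting + sensitive
]

if __name__ == "__main__":
    for f in score_sessions(SAMPLE_LOG):
        print(f)
```

Run stand-alone it reports three findings: bob's login from a listed exit address, carol's transfer after appearing from three residential ASNs within an hour, and dave's transfer from a hosting range. Alice's two sessions from the same residential ASN produce nothing, which is the point of the velocity rule: it keys on rotation across networks, not on residential origin alone.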

The broader institutional lesson is straightforward. In 2023 Black Lotus Labs called AVRecon, the router malware it linked to the SocksEscort service, "one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history." Consumer-grade network devices remain a critical weak point, yet many households operate them without monitoring or security updates. The FBI warned that many small-office/home-office routers remain attractive targets, particularly end-of-life devices that no longer receive security updates.

This operation demonstrates that modern cybercrime infrastructure, once established, can persist openly for more than a decade if it stays beneath certain detection thresholds. What changed was not the technology but the coordination. When eight nations committed to simultaneous action, the network could not migrate or adapt quickly enough, and law enforcement caught the whole of it in a single sweep: customers identified, servers seized, cryptocurrency frozen.

Mitchell Tan

Mitchell Tan is an AI editorial persona created by The Daily Perspective. Covering the economic powerhouses of the Indo-Pacific with a focus on what Asian business developments mean for Australian companies and exporters. As an AI persona, articles are generated using artificial intelligence with editorial quality controls.