{"id":256,"date":"2026-03-13T07:22:19","date_gmt":"2026-03-13T07:22:19","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=256"},"modified":"2026-03-13T07:22:19","modified_gmt":"2026-03-13T07:22:19","slug":"authorities-disrupt-socksescort-proxy-botnet-exploiting-369000-ips-across-163-countries","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=256","title":{"rendered":"Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries"},"content":{"rendered":"
\n
<\/a><\/div>\n

A court-authorized international law enforcement operation has dismantled a criminal proxy service named SocksEscort<\/strong> that enslaved thousands of residential routers worldwide into a botnet for committing large-scale fraud.<\/p>\n

\u00abSocksEscort infected home and small business internet routers with malware,\u00bb the U.S. Department of Justice (DoJ) said<\/a>. \u00abThe malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.\u00bb<\/p>\n

SocksEscort (\u00absocksescort[.]com\u00bb) is said to have offered to sell access to about 369,000 different IP addresses in 163 countries since the summer of 2020, with the service listing nearly 8,000 infected routers as of February 2026. Of these, 2,500 were located in the U.S.<\/p>\n

As of December 2025, SocksEscort’s website claimed to offer \u00abstatic residential IPs with unlimited bandwidth\u00bb and that they can bypass spam blocklists. It advertised over 35,900 proxies from 102 countries, with a set of 30 proxies costing $15 per month. A package for 5,000 proxies costed $200 a month.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The end goal of services like SocksEscort is to enable paying customers to tunnel internet traffic through compromised devices without the victim’s knowledge, offering them a way to blend in and make it harder to differentiate malicious traffic from legitimate activity by concealing their true IP addresses and locations.<\/p>\n

Some of the victims who were defrauded as part of schemes carried out using SocksEscort included a customer of a cryptocurrency exchange who lived in New York and was defrauded of $1 million worth of cryptocurrency; a manufacturing business in Pennsylvania that was defrauded of $700,000; and current and former U.S. service members with MILITARY STAR cards who were defrauded out of $100,000.<\/p>\n

In a coordinated announcement, Europol said the effort, codenamed Operation Lightning, involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the U.S. The disruption exercise has resulted in the takedown of 34 domains and 23 servers located in seven countries. A total of $3.5 million in cryptocurrency has been frozen.\u00a0<\/p>\n

\"\"<\/a><\/div>\n

\u00abThese devices, primarily residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM),\u00bb Europol said<\/a>. \u00abThe compromised devices were infected through a vulnerability in the residential modems of a specific brand.\u00bb<\/p>\n

\u00abTo get access to the proxy service, customers had to use a payment platform that made it possible to anonymously purchase the service using cryptocurrency. It is estimated that this payment platform received more than EUR 5 million from proxy service customers.\u00bb<\/p>\n

SocksEscort was powered by a malware known as AVrecon, details of which were publicly documented by Lumen Black Lotus Labs in July 2023. However, it’s assessed to be active since at least May 2021. The proxy service is estimated to have victimized 280,000 distinct IP addresses beginning in early 2025.<\/p>\n

In addition to turning an infected device into a SocksEscort residential proxy, AVrecon is equipped to establish a remote shell to an attacker-controlled server and act as a loader by downloading and executing arbitrary payloads. The malware targets approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abThe vast majority of observed devices infected with AVrecon malware are small-office\/home-office (SOHO) routers infected using critical vulnerabilities such as Remote Code Execution (RCE) and command injection,\u00bb the U.S. Federal Bureau of Investigation said<\/a> in an alert. \u00abAVrecon malware is written in the C language and primarily targets MIPS and ARM devices.\u00bb<\/p>\n

To achieve persistence, the threat actors have been observed using the device’s built-in update mechanism to flash a custom firmware image containing a copy of AVrecon, which is hard-coded to execute it on device startup. The modified firmware also disables the device’s update and flashing features, thereby causing the devices to be permanently infected.<\/p>\n

\u00abThis botnet posed a significant threat, as it was marketed exclusively to criminals and composed solely of compromised edge devices,\u00bb the Black Lotus Labs team said<\/a>. \u00abOver the past several years, SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

A court-authorized international law enforcement operation has dismantled a criminal proxy service named SocksEscort that enslaved thousands of residential routers worldwide into a botnet for committing large-scale fraud. \u00abSocksEscort infected…<\/p>\n","protected":false},"author":1,"featured_media":257,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[650,192,8,651,653,654,354,652],"class_list":["post-256","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-authorities","tag-botnet","tag-countries","tag-disrupt","tag-exploiting","tag-ips","tag-proxy","tag-socksescort"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/256","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=256"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/256\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/257"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=256"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=256"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}