A sophisticated international cybercrime operation has been successfully dismantled following coordinated action by Europol and United States law enforcement agencies. The operation targeted SocksEscort, an illicit proxy service that weaponized more than 369,000 compromised devices spanning 163 nations. Authorities confiscated multiple domains and servers while freezing $3.5 million in cryptocurrency assets, effectively terminating this extensive IP cloaking scheme.
The enforcement action resulted in the disconnection of compromised modems, rendering the criminal service inoperable. Affected nations will receive notification regarding infected routers within their jurisdictions to enable follow-up actions. This collaborative takedown represents a milestone achievement in global efforts to combat sophisticated cybercrime infrastructure.
The SocksEscort platform enabled threat actors to conceal their geographical locations while executing fraud schemes, ransomware campaigns, and various digital offenses. Operating as a commercial service, it sold paying customers access to over 35,000 proxy connections for anonymizing criminal operations. Law enforcement officials indicate this IP cloaking infrastructure enabled extensive attack campaigns and significant financial crimes.
Investigators documented SocksEscort operations spanning 163 countries, with infections affecting residential and small business networking equipment. The malicious infrastructure redirected internet communications through compromised devices, effectively obscuring the true origin points of criminal traffic. Thousands of victims in the United States and United Kingdom were identified, demonstrating the operation’s extensive international footprint.
Threat actors exploited this network to infiltrate banking systems and cryptocurrency platforms, while also submitting fraudulent financial claims. One documented U.S. victim suffered approximately $1 million in cryptocurrency losses attributed to attacks routed through this infrastructure. The criminal enterprise reportedly commenced operations in 2020 and experienced rapid expansion.
By February 2026, SocksEscort maintained access to 8,000 compromised routers, with 2,500 located within U.S. borders. Black Lotus Labs conducted extensive tracking of the botnet, identifying the AVRecon malware as the operational foundation. This IP cloaking infrastructure represented a substantial threat to global digital security.
Europol and the Department of Justice spearheaded a synchronized enforcement operation, confiscating 34 domain names and 23 servers distributed across seven countries. U.S. authorities successfully froze $3.5 million in cryptocurrency directly associated with SocksEscort financial transactions. Compromised devices were systematically disconnected, eliminating the operational IP cloaking infrastructure.
Affected nations are receiving official notifications to facilitate continued investigations and potential prosecution efforts. The operation showcases the power of international coordination in neutralizing sophisticated cybercrime infrastructure. The disruption of this router-based IP cloaking operation will substantially hinder similar criminal activities moving forward.
SocksEscort specifically exploited small-office and home-office networking devices, providing criminals with capabilities to execute precision fraud operations. Law enforcement confirmed the proxy infrastructure facilitated ransomware deployment, distributed denial-of-service attacks, and illegal content distribution. The termination of SocksEscort eliminates one of the most extensive IP cloaking operations documented in recent years.
The post SocksEscort Proxy Network Dismantled in Major Cybercrime Bust appeared first on Blockonomi.


