US, Europol disrupt SocksEscort network that exploited thousands of residential routers

Published: 2026-03-12T21:19:00+00:00

Summary

Law enforcement in the US and Europe have dismantled SocksEscort, a residential-proxy marketplace that sold access to home routers infected with AVRecon malware. From 2020 to 2026 the service offered access to about 369,000 IP addresses across 163 countries; by February 2026 roughly 8,000 addresses were listed for sale, including about 2,500 in the US. Authorities seized 34 domains, took down 23 servers across seven countries and froze approximately $3.5m in cryptocurrency. Court filings link SocksEscort to a range of frauds — fraudulent unemployment claims, cryptocurrency thefts and takeover of US bank accounts — and allege the operators earned about $5.7m. The multinational operation involved agencies in Austria, France, the Netherlands, Bulgaria, Germany, Hungary and Romania, with private partners such as Lumen’s Black Lotus Labs and the Shadowserver Foundation assisting.

Key Points

  • SocksEscort sold access to compromised residential routers so criminals could route activity through innocent homes and conceal origin IPs.
  • Between 2020 and 2026 the platform offered access to roughly 369,000 IPs across 163 countries; ~8,000 addresses were listed in Feb 2026 (about 2,500 in the US).
  • Law enforcement seized 34 domains, removed 23 servers across seven countries and froze about $3.5m in cryptocurrency; alleged takings totalled about $5.7m.
  • The network used AVRecon malware to target roughly 1,200 device models from vendors including Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link and Zyxel.
  • The investigation began in June 2025 and combined efforts from multiple European nations, the US DOJ/FBI and private-sector intel teams like Black Lotus Labs and Shadowserver.
  • Authorities say they will reuse seized infrastructure to pursue investigations into further criminal activity associated with the network.

Context and relevance

Residential-proxy services such as SocksEscort provide realistic-looking internet traffic and anonymity, making them attractive to threat actors for fraud, account takeover and content distribution. This takedown is part of a wider trend of coordinated botnet and proxy-network disruptions aimed at choking off criminal infrastructure used in global cyber fraud. For organisations and IT teams, the incident highlights the continuing risk posed by poorly secured home or IoT routers and the need for patching, network segmentation and monitoring of unusual outbound traffic.

Why should I read this

Short and blunt: this was a big hit to a service that turned thousands of unwitting home routers into criminal cover. If you care about fraud, botnets or the security of home-office kit (yes, your router), this story tells you what went down, who helped, how AVRecon worked and why it matters right now.

Source

Source: https://therecord.media/us-europol-disrupt-socksescort-network