SocksEscort Proxy Network Disrupted in Major International Law Enforcement Operation

SocksEscort Proxy Network Disrupted in Major International Law Enforcement Operation

First seen 12 Mar 2026, 17:14 UTC JusticeBleepingcomputerTheregisterCyberscoopTechcrunch+25 84% similarity 73.0

Article Content

Browse articles
ThreatCluster

On March 11, 2026, international law enforcement agencies executed Operation Lightning, dismantling the SocksEscort proxy network, which had compromised over 369,000 routers and IoT devices across 163 countries. The network was used by cybercriminals to facilitate large-scale fraud, including ransomware attacks, identity theft, and the distribution of child sexual abuse material (CSAM). Authorities seized 34 domains and 23 servers, and froze $3.5 million in cryptocurrency linked to the operation. The botnet was powered by AVRecon malware, which exploited vulnerabilities in residential modems. Since its inception in 2009, SocksEscort had generated approximately €5 million from its illicit services. The takedown is expected to have a significant impact on ongoing cybercrime activities. Law enforcement agencies involved included the FBI, Europol, and various national police forces from Europe. The operation highlights the growing threat posed by residential proxy networks to cybersecurity.

Key Points: • SocksEscort compromised over 369,000 devices globally, facilitating extensive cybercrime. • Operation Lightning resulted in the seizure of 34 domains and 23 servers across seven countries. • The operation was powered by the AVRecon malware, which targeted residential routers.

ThreatCluster AI

Timeline

2023-01-01
SocksEscort reported to have 280,000 unique victim IPs
2023-05-01
AVRecon malware first detected in the wild
2025-12-19
CVE-2025-68613 published
2026-03-10
CVE-2026-26117 published
2026-03-11
Operation Lightning executed, SocksEscort dismantled

Community

Browse all →