www.securityweek.com 3/13/2026, 9:00:55 AM

Authorities Disrupt SocksEscort Proxy Service Powered by AVrecon Botnet

Authorities disrupted SocksEscort, a malicious proxy service powered by the AVrecon botnet, following a joint operation by law enforcement in the United States and Europe. These proxy services have been linked to roughly 363,000 IP addresses across 163 countries since 2020, with February 2026 figures showing about 8,000 hacked routers, including 2,500 in the US.

The FBI said SocksEscort uses AVrecon to target around 1,200 device models from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link and Zyxel, exploiting known vulnerabilities to deploy the malware and create a botnet. According to Europol and the US Justice Department, law enforcement took down 34 domains and 23 servers in seven countries, while the United States froze USD 3.5 million in cryptocurrency.

Lumen Technologies’ Black Lotus Labs assisted the disruption, noting that SocksEscort maintained an average of about 20,000 victims weekly, with communications routed through an average of 15 command-and-control nodes.

Article by CyberSIXT