thehackernews.com 3/13/2026, 6:58:41 AM

Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries

A court-authorised international law enforcement operation has dismantled SocksEscort, a proxy service that exploited thousands of residential routers to form a botnet for large-scale fraud, according to the U.S. Department of Justice. Since summer 2020, SocksEscort had promised access to about 369,000 IP addresses in 163 countries. Nearly 8,000 infected routers were reported in February 2026, of which 2,500 were in the United States.

Europol said the effort, codenamed Operation Lightning, involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the United States, resulting in the takedown of 34 domains and 23 servers across seven countries and the freezing of $3.5 million in cryptocurrency.

The end goal was to route traffic through compromised devices to conceal identities, enabling activities such as ransomware and DDoS attacks. The service allegedly marketed access to the proxy network using cryptocurrency. Reported victims included a New York cryptocurrency exchange customer defrauded of $1 million, a Pennsylvania manufacturing business defrauded of $700,000, and several service members with MILITARY STAR cards defrauded of $100,000. AVrecon malware, linked to SocksEscort, is said to target around 1,200 device models and to enable persistence by flashing modified firmware on routers.

Article by CyberSIXT