AUTHORITIES in the US and Europe disrupted the SocksEscort proxy service, which was powered by the AVrecon botnet and had infected about 360,000 devices since 2020. On 11 March 2026, Europol and partners launched Operation Lightning, revealing that the network compromised more than 369,000 routers and IoT devices across 163 countries, providing over 35,000 proxies to customers.
Investigators seized 34 domains and 23 servers in seven countries and froze €3.5 million in cryptocurrency, disconnecting infected devices from the network. The US DoJ notes that SocksEscort was used to hide IP addresses while carrying out fraud including bank and cryptocurrency account takeovers and fake unemployment claims, with victims losing millions.
As of February 2026, the SocksEscort application listed approximately 8,000 infected routers, of which 2,500 were in the United States, according to court documents cited by authorities.