INTERNATIONAL law enforcement partners executed Operation Lightning and dismantled the proxy service SocksEscort, which is alleged to have compromised over 360,000 routers and IoT devices in 163 countries since 2020 and offered its customers over 35,000 proxies in recent years. As of February 2026, the SocksEscort application listed approximately 8,000 infected routers to which its customers could buy access, of which 2,500 were in the US, a US Department of Justice statement said.
The malware allowed SocksEscort to direct internet traffic through the infected routers, concealing origin IP addresses and locations and enabling frauds such as takeovers of US banks and cryptocurrency accounts and fraudulent unemployment insurance claims, while also enabling ransomware, DDoS attacks and the distribution of CSAM. To access the service, customers used a payment platform that anonymously processed cryptocurrency, and it is estimated the platform received almost $6m from proxy service customers.
During the action day on 11 March, authorities seized 34 domains and 23 servers in seven countries, and the US froze $3.5m in cryptocurrency, with involvement from US, Austria, France, the Netherlands, Eurojust and Europol, which hosted a Virtual Command Post in The Hague. Lumen Technologies’ Black Lotus Labs and the Shadowserver Foundation provided assistance during the investigation.