An international law enforcement operation has dismantled SocksEscort, a cybercrime platform that secretly hijacked hundreds of thousands of home routers to hide malicious internet activity. According to the US Department of Justice, the service provided cybercriminals with access to approximately 369,000 compromised devices, turning them into a massive residential proxy network used for fraud and cyberattacks. Authorities seized 34 domains and 23 servers and froze approximately $3.5 million in cryptocurrency during the operation.

The SocksEscort platform advertised itself as a residential proxy service, allowing customers to route their internet traffic through ordinary home internet connections. In reality, the network relied on compromised routers and IoT devices infected with malware. The service sold subscription packages that included:
$15 per month for 30 residential IP addresses
up to $200 per month for 5,000 proxies

According to investigators, criminals used the network to conduct various illegal activities, including:
bank account takeovers
cryptocurrency theft
fraudulent unemployment claims
distributed denial-of-service (DDoS) attacks
malware distribution
The US Department of Justice explained:
“Cybercriminals used the access they purchased on SocksEscort to conceal their true originating IP addresses and locations.”

By routing attacks through residential IP addresses, attackers could make malicious activity appear as if it originated from ordinary households. Investigators believe the SocksEscort botnet had been operating since 2020, primarily targeting home Wi-Fi routers and IoT devices. The malware used in the operation, called AVrecon, exploited known but unpatched vulnerabilities.
In total, the botnet targeted around 1,200 device models, including hardware from:
Cisco
D-Link
Hikvision
MikroTik
Netgear
TP-Link
Zyxel
Before the takedown, the platform still had access to approximately 8,000 active routers, including 2,500 devices located in the United States.
The infrastructure enabled multiple high-profile fraud cases, including:
a $1 million cryptocurrency theft from a New York exchange customer
$700,000 stolen from a Pennsylvania manufacturing company
$100,000 stolen from US service members using MILITARY STAR cards
Authorities estimate that the SocksEscort platform generated more than €5 million in revenue, accepting payments primarily in cryptocurrency.
Europol Executive Director Catherine De Bolle stated:
“Cybercrime thrives on anonymity. Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks.”
The FBI warns that many device owners never realize their internet connection is being abused by criminals.
Common causes include:
outdated routers without security updates
unpatched firmware vulnerabilities
pirated software installations
free VPN applications with hidden proxy terms
cheap IoT devices that come preinstalled with malware
Some proxy networks also persuade users to install apps that promise payment in exchange for sharing internet bandwidth.
The takedown of SocksEscort marks one of the largest international operations against residential proxy botnets in recent years. However, cybersecurity experts warn that millions of outdated routers remain vulnerable worldwide, making them attractive targets for future botnets.
Authorities recommend regularly updating router firmware, disabling remote administration features, and replacing end-of-life networking equipment.