Authorities Dismantle Global SocksEscort Proxy Botnet Exploiting 369,000 IPs
In a significant international law enforcement operation, authorities have successfully dismantled the SocksEscort proxy botnet, a malicious network that compromised residential routers across 163 countries. This botnet exploited approximately 369,000 IP addresses, facilitating large-scale cyber fraud and other illicit activities.
The Operation and Its Impact
The coordinated effort, known as Operation Lightning, involved agencies from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the United States. The operation led to the seizure of 34 domains and 23 servers across seven countries, effectively crippling the botnet’s infrastructure. Additionally, authorities froze $3.5 million in cryptocurrency assets linked to the operation.
Mechanics of the SocksEscort Botnet
SocksEscort operated by infecting home and small business internet routers with malware, enabling cybercriminals to route their internet traffic through these compromised devices. This method allowed malicious actors to mask their true locations and identities, complicating efforts to trace and prevent cybercrimes. The botnet’s reach was extensive, with nearly 8,000 infected routers identified as of February 2026, including 2,500 within the United States.
Financial and Personal Impact on Victims
The exploitation of the SocksEscort botnet resulted in substantial financial losses and personal data breaches. Notable incidents include:
– A New York-based cryptocurrency exchange customer defrauded of $1 million in digital assets.
– A manufacturing company in Pennsylvania suffering a $700,000 loss.
– U.S. service members with MILITARY STAR cards collectively defrauded of $100,000.
These cases underscore the severe consequences of such cybercriminal activities on individuals and businesses alike.
Technical Details of the Malware
The botnet was powered by AVrecon malware, first documented by Lumen Black Lotus Labs in July 2023. Active since at least May 2021, AVrecon targeted approximately 1,200 device models from manufacturers such as Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel. The malware exploited critical vulnerabilities, including Remote Code Execution (RCE) and command injection flaws, to infiltrate devices. Once infected, these devices could be used to establish remote shells and download additional malicious payloads, further expanding the botnet’s capabilities.
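The command injection class mentioned above is worth seeing concretely. The following is an added example, not code from the page, from Lumen, or from any router vendor: it models a router admin "ping diagnostics" handler in Python, showing the vulnerable pattern (user input spliced into a shell string) beside a hardened one (allow-list validation of the host, then an argv list with no shell). The function names and the sample inputs are constructed for illustration.

```python
import ipaddress
import re
import subprocess
from typing import Optional

# Constructed sample inputs a diagnostics form might receive (not from the page).
SAMPLE_INPUTS = ["192.0.2.10", "example.net", "8.8.8.8; id", "$(id)", "-f", ""]

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# with no leading or trailing hyphen in any label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: the host is concatenated into a shell command string.

    Returned rather than executed so the effect is visible: a ';' or '$(...)'
    in the input turns into a second command once a shell interprets it.
    """
    return "ping -c 1 " + host


def validate_host(host: str) -> Optional[str]:
    """Allow-list validation: return the host only if it is an IP literal or a
    well-formed hostname. Empty input, shell metacharacters, whitespace and a
    leading '-' (which ping would parse as an option) all return None."""
    host = host.strip()
    if not host or len(host) > 253:
        return None
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(host):
        return host
    return None


def build_ping_command_safe(host: str) -> list:
    """Hardened pattern: validate first, then build an argv list.

    With a list and shell=False no shell ever sees the input, so there is
    nothing for a metacharacter to do even if validation were loosened.
    """
    checked = validate_host(host)
    if checked is None:
        raise ValueError(f"rejected host: {host!r}")
    return ["ping", "-c", "1", checked]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the hardened command and return ping's exit status."""
    argv = build_ping_command_safe(host)
    proc = subprocess.run(argv, shell=False, capture_output=True, timeout=timeout)
    return proc.returncode


def classify_inputs(inputs: list) -> dict:
    """Map each candidate input to whether the validator accepts it."""
    return {h: validate_host(h) is not None for h in inputs}


if __name__ == "__main__":
    for h, ok in classify_inputs(SAMPLE_INPUTS).items():
        print(f"{h!r:16} accepted={ok!s:5} unsafe_cmd={build_ping_command_unsafe(h)!r}")
```

The two controls are independent: the allow-list rejects anything that is not an address or hostname, and the argv form removes the shell from the path entirely, so a firmware handler that adopts both does not rely on either one being perfect.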
Broader Implications and Similar Operations
The dismantling of the SocksEscort botnet is part of a broader trend of law enforcement agencies targeting large-scale cybercriminal networks. Similar operations include:
– RSOCKS Botnet Takedown (June 2022): The U.S. Department of Justice, in collaboration with international partners, dismantled the RSOCKS botnet, which had compromised millions of devices, including IoT devices and Android phones, to facilitate various cybercrimes.
– Socks5Systemz Botnet Disruption (December 2024): Security researchers uncovered the Socks5Systemz botnet, which utilized over 85,000 hacked devices to power the illegal proxy service PROXY.AM, enabling cybercriminals to anonymize their activities.
– AVrecon Botnet Exposure (July 2023): The AVrecon botnet, leveraging compromised routers, was identified as the engine behind the SocksEscort service, highlighting the persistent threat posed by such networks.
Preventative Measures and Recommendations
To mitigate the risk of similar infections, users are advised to:
– Regularly update router firmware to patch known vulnerabilities.
– Change default passwords to strong, unique credentials.
– Reboot routers periodically to disrupt potential malware operations.
– Replace end-of-life devices with newer models that receive regular security updates.
Conclusion
The successful disruption of the SocksEscort proxy botnet marks a significant victory in the ongoing battle against cybercrime. However, it also serves as a stark reminder of the evolving tactics employed by cybercriminals and the critical importance of robust cybersecurity practices for individuals and organizations worldwide.