Global Law Enforcement Dismantles SocksEscort Proxy Network Exploiting Routers for Cybercrime

Authorities Dismantle Global Proxy Network Exploiting Home Routers for Cybercrime

In a significant blow to cybercriminal operations, an international law enforcement coalition led by the U.S. Department of Justice has successfully dismantled SocksEscort, a vast residential proxy network. This malicious service had compromised thousands of home and small business routers worldwide, enabling cybercriminals to mask their identities and execute large-scale financial fraud.

The Operation of SocksEscort

SocksEscort’s infrastructure was built upon deploying malware directly onto vulnerable internet routers. Once infected, these devices were covertly transformed into nodes within an extensive proxy network. The operators of SocksEscort then sold access to this network to other cybercriminals. By routing their malicious traffic through compromised home and business networks, attackers could conceal their true originating IP addresses and physical locations.

Residential IP addresses typically have high trust reputations, allowing attackers to bypass standard geographic blocking and security filters with ease. The scale of SocksEscort’s operation was extensive:

– Since the summer of 2020, SocksEscort had offered its customers access to approximately 369,000 unique IP addresses.
– In February 2026 alone, the platform’s application actively listed roughly 8,000 infected routers for sale.
– Approximately 2,500 of these actively compromised devices were located within the United States.

The anonymity provided by SocksEscort facilitated severe cyber-enabled crimes, including bank account takeovers, fraudulent unemployment insurance claims, and large-scale cryptocurrency theft. The financial toll on American citizens and businesses reached into the millions. Notable incidents linked to the proxy network include:

– A New York resident who lost $1 million in a cryptocurrency exchange account takeover.
– A Pennsylvania manufacturing business defrauded of $700,000.
– Current and former U.S. military personnel whose compromised MILITARY STAR cards were drained of $100,000.

Global Coordination and Takedown

Disrupting the botnet required extensive global teamwork. The U.S. government seized related domains, while law enforcement agencies in Austria, France, and the Netherlands dismantled the physical servers supporting the SocksEscort network. The FBI Sacramento Field Office, the IRS Criminal Investigation unit, and the Department of Defense spearheaded the investigation, collaborating closely with Europol, Eurojust, and authorities across Germany, Bulgaria, Hungary, and Romania.

Private sector researchers from Lumen’s Black Lotus Labs and the Shadowserver Foundation provided crucial threat intelligence to support the takedown.

Mitigation Steps to Prevent Future Compromises

To prevent networks from being recruited into proxy botnets like SocksEscort, experts recommend the following mitigation steps:

– Regularly update router firmware to patch newly discovered vulnerabilities.
– Change all default administrative passwords to strong, unique credentials.
– Disable remote management interfaces on consumer routers to block external access from the public internet.
– Monitor network traffic for unusual outbound connections or unexplained bandwidth spikes.
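The last of these steps, watching for unusual outbound connections and bandwidth spikes, is the one a home or small-business operator can actually automate. The script below is an added example written for this article, not code from the investigation or from any of the named organizations. It assumes a router or firewall that can export simple per-flow records (timestamp, source, destination, destination port, bytes sent); the sample records are constructed here and use documentation address ranges. It flags two behaviours a router turned into a proxy node tends to show: the router itself fanning out to many distinct external destinations within an hour, and an hour whose outbound volume is far above that device's own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: str       # ISO-8601 timestamp; only hour resolution is used for bucketing
    src: str      # LAN-side source address (the router's own address when it originates traffic)
    dst: str      # external destination address
    dport: int    # destination port
    nbytes: int   # bytes sent outbound


def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def hour_bucket(ts):
    # "2026-02-10T11:07:00" -> "2026-02-10T11"
    return ts[:13]


def per_host_hourly(flows):
    """host -> hour -> {'bytes': total outbound bytes, 'dsts': distinct destinations}."""
    stats = defaultdict(lambda: defaultdict(lambda: {"bytes": 0, "dsts": set()}))
    for f in flows:
        bucket = stats[f.src][hour_bucket(f.ts)]
        bucket["bytes"] += f.nbytes
        bucket["dsts"].add(f.dst)
    return stats


def find_suspicious(flows, max_distinct_dsts=10, spike_factor=5.0, min_hours=3):
    """Return (host, hour, reason, value) tuples for fan-out and bandwidth-spike hours.

    Thresholds are assumptions for this example; tune them per device.
    """
    findings = []
    for host, hours in per_host_hourly(flows).items():
        # Fan-out: a router normally talks to a handful of hosts (DNS, NTP, vendor updates).
        for hour, b in sorted(hours.items()):
            if len(b["dsts"]) > max_distinct_dsts:
                findings.append((host, hour, "fan-out", len(b["dsts"])))
        # Spike: compare each hour against the device's own median hourly volume,
        # so a busy laptop is not flagged just for being busy.
        if len(hours) >= min_hours:
            baseline = median(b["bytes"] for b in hours.values())
            for hour, b in sorted(hours.items()):
                if baseline > 0 and b["bytes"] > spike_factor * baseline:
                    findings.append((host, hour, "bandwidth-spike", b["bytes"]))
    return findings


# Constructed sample data (not real traffic). 192.168.1.1 is the router; 192.168.1.20 a laptop.
# Router hours 08-10 show only NTP and DNS; hour 11 shows it fanning out like a proxy node.
_NORMAL = """\
2026-02-10T08:00:01 192.168.1.1 203.0.113.5 123 76
2026-02-10T08:00:02 192.168.1.1 203.0.113.53 53 120
2026-02-10T08:05:00 192.168.1.20 198.51.100.200 443 20000
2026-02-10T08:06:00 192.168.1.20 198.51.100.201 443 20000
2026-02-10T08:07:00 192.168.1.20 198.51.100.202 443 10000
2026-02-10T09:00:01 192.168.1.1 203.0.113.5 123 76
2026-02-10T09:00:02 192.168.1.1 203.0.113.53 53 120
2026-02-10T09:05:00 192.168.1.20 198.51.100.200 443 20000
2026-02-10T09:06:00 192.168.1.20 198.51.100.201 443 20000
2026-02-10T09:07:00 192.168.1.20 198.51.100.202 443 10000
2026-02-10T10:00:01 192.168.1.1 203.0.113.5 123 76
2026-02-10T10:00:02 192.168.1.1 203.0.113.53 53 120
2026-02-10T10:05:00 192.168.1.20 198.51.100.200 443 20000
2026-02-10T10:06:00 192.168.1.20 198.51.100.201 443 20000
2026-02-10T10:07:00 192.168.1.20 198.51.100.202 443 10000
2026-02-10T11:05:00 192.168.1.20 198.51.100.200 443 20000
2026-02-10T11:06:00 192.168.1.20 198.51.100.201 443 20000
2026-02-10T11:07:00 192.168.1.20 198.51.100.202 443 20000
"""
_BURST = "\n".join(
    f"2026-02-10T11:{i:02d}:00 192.168.1.1 198.51.100.{i} 443 4000" for i in range(1, 16)
)
SAMPLE_FLOWS = _NORMAL + _BURST + "\n"


if __name__ == "__main__":
    for host, hour, reason, value in find_suspicious(parse_flows(SAMPLE_FLOWS)):
        print(f"{host} {hour} {reason} {value}")
```

Run as-is, it reports only the router's 11:00 hour, once for fan-out (15 destinations) and once for a bandwidth spike (60,000 bytes against a 196-byte median), while the laptop's heavier but steady traffic passes. The point of the per-device median is that a proxy node is conspicuous relative to what that router normally does, not relative to the network as a whole; a real deployment would keep a rolling baseline over days rather than a single morning and would treat a router originating any traffic to arbitrary ports as worth a look.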

By implementing these measures, individuals and businesses can significantly reduce the risk of their devices being exploited by malicious proxy services.