A court-authorized international law enforcement operation has dismantled a criminal proxy service named SocksEscort that ensnared hundreds of residential routers worldwide into a botnet for committing large-scale fraud.
“SocksEscort infected home and small business internet routers with malware,” the U.S. Department of Justice (DoJ) said. “The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.”
SocksEscort (“socksescort[.]com”) is said to have offered to sell access to about 369,000 different IP addresses in 163 countries since the summer of 2020, with the service listing nearly 8,000 infected routers as of February 2026. Of those, 2,500 were located in the U.S.
As of December 2025, SocksEscort’s website claimed to offer “static residential IPs with unlimited bandwidth” and that they can bypass spam blocklists. It advertised over 35,900 proxies from 102 countries, with a set of 30 proxies costing $15 per month. A package consisting of 5,000 proxies cost $200 a month.
The end goal of services like SocksEscort is to allow paying customers to tunnel internet traffic through compromised devices without the victim’s knowledge, offering them a way to blend in and make it harder to distinguish malicious traffic from legitimate activity by concealing their true IP addresses and locations.
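The blending-in described above is exactly what makes residential proxy abuse hard to spot by IP reputation alone: the egress address really is a home router. One defender-side heuristic that does not depend on reputation feeds is to look for a single client IP that, within a short window, presents many distinct accounts and many distinct browser fingerprints, which is the signature of many customers sharing one exit rather than of one household. The script below is an added illustration of that heuristic, not code from the article, the DoJ, Europol or Black Lotus Labs; the log lines are constructed and the window and thresholds are assumptions, not figures from the article.

```python
"""Added example (not from the article): flag client IPs whose request
pattern looks like a shared proxy exit rather than a single household.

Heuristic: within a sliding time window, one IP presents at least
MIN_ACCOUNTS distinct accounts and MIN_AGENTS distinct user agents.
The log format, window and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: "<timestamp> <client ip> <account> <user agent>".
# 203.0.113.10 behaves like one household; 198.51.100.7 behaves like a shared exit.
SAMPLE_LOG = [
    "2025-12-01T10:00:01Z 203.0.113.10 alice UA-chrome-1",
    "2025-12-01T10:00:05Z 203.0.113.10 alice UA-chrome-1",
    "2025-12-01T10:00:09Z 198.51.100.7 bob UA-firefox-9",
    "2025-12-01T10:00:10Z 198.51.100.7 carol UA-chrome-3",
    "2025-12-01T10:00:12Z 198.51.100.7 dave UA-safari-2",
    "2025-12-01T10:00:14Z 198.51.100.7 erin UA-chrome-5",
    "2025-12-01T10:00:15Z 198.51.100.7 frank UA-edge-1",
    "2025-12-01T10:00:18Z 198.51.100.7 grace UA-chrome-7",
    # Outside the 10-minute window of the burst above; must not widen the hit.
    "2025-12-01T10:30:00Z 198.51.100.7 heidi UA-chrome-7",
]

WINDOW = timedelta(minutes=10)  # assumed sliding window
MIN_ACCOUNTS = 4                # assumed threshold
MIN_AGENTS = 3                  # assumed threshold


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, user_agent)."""
    ts, ip, account, ua = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, ua


def find_proxy_like_ips(lines, window=WINDOW,
                        min_accounts=MIN_ACCOUNTS, min_agents=MIN_AGENTS):
    """Return {ip: (max_distinct_accounts, max_distinct_agents)} for every IP
    that, in some window-sized span of its own requests, meets both thresholds.
    """
    events = defaultdict(list)
    for line in lines:
        ts, ip, account, ua = parse_line(line)
        events[ip].append((ts, account, ua))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {a for _, a, _ in span}
            agents = {u for _, _, u in span}
            if len(accounts) >= min_accounts and len(agents) >= min_agents:
                prev = flagged.get(ip, (0, 0))
                flagged[ip] = (max(prev[0], len(accounts)),
                               max(prev[1], len(agents)))
    return flagged


if __name__ == "__main__":
    for ip, (n_acc, n_ua) in find_proxy_like_ips(SAMPLE_LOG).items():
        print(f"{ip}: {n_acc} accounts, {n_ua} user agents within {WINDOW}")
```

On the constructed log this flags only 198.51.100.7 (six accounts and six user agents inside the burst). A single IP shared by a large office or a carrier-grade NAT pool produces the same pattern, so in practice the output is a triage queue to combine with account-level signals rather than a block list.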
Some of the victims who were defrauded as part of schemes carried out using SocksEscort included a customer of a cryptocurrency exchange who lived in New York and was defrauded of $1 million worth of cryptocurrency; a manufacturing business in Pennsylvania that was defrauded of $700,000; and current and former U.S. service members with MILITARY STAR cards who were defrauded out of $100,000.
In a coordinated announcement, Europol said the effort, codenamed Operation Lightning, involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the U.S. The disruption exercise has resulted in the takedown of 34 domains and 23 servers located in seven countries. A total of $3.5 million in cryptocurrency has been frozen.

“These devices, primarily residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM),” Europol said. “The compromised devices were infected through a vulnerability in the residential modems of a specific brand.”
“To get access to the proxy service, customers had to use a payment platform that made it possible to anonymously purchase the service using cryptocurrency. It is estimated that this payment platform received more than EUR 5 million from proxy service customers.”
SocksEscort was powered by a malware known as AVrecon, details of which were publicly documented by Lumen Black Lotus Labs in July 2023. However, it is assessed to have been active since at least May 2021. The proxy service is estimated to have victimized 280,000 distinct IP addresses starting in early 2025.
In addition to turning an infected device into a SocksEscort residential proxy, AVrecon is equipped to establish a remote shell to an attacker-controlled server and act as a loader by downloading and executing arbitrary payloads. The malware targets roughly 1,200 device models manufactured by Cisco, D-Link, Hikvision, Mikrotik, NETGEAR, TP-Link, and Zyxel.
In a statement shared with The Hacker News, a NETGEAR spokesperson said that while some of its devices were reported to be targeted in “early stages of the botnet activity in 2016,” the company worked quickly to deploy remediation efforts and that there is no indication that its equipment has been exploited since then.
“The vast majority of observed devices infected with AVrecon malware are small-office/home-office (SOHO) routers infected using critical vulnerabilities such as Remote Code Execution (RCE) and command injection,” the U.S. Federal Bureau of Investigation said in an alert. “AVrecon malware is written in the C language and primarily targets MIPS and ARM devices.”
To achieve persistence, the threat actors have been observed using the device’s built-in update mechanism to flash a custom firmware image containing a copy of AVrecon, which is hard-coded to execute it on device startup. The modified firmware also disables the device’s update and flashing features, thereby causing the devices to be permanently infected.
“This botnet posed a significant threat, as it was marketed exclusively to criminals and composed solely of compromised edge devices,” the Black Lotus Labs team said. “Over the past several years, SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).”
(The story was updated after publication to include a response from NETGEAR.)