A coordinated international law enforcement operation has dismantled SocksEscort, a criminal proxy service that infected hundreds of thousands of residential routers worldwide to enable large-scale fraud, ransomware distribution, and other cybercrimes.
The Scope of the Threat
According to the U.S. Department of Justice, SocksEscort offered access to approximately 369,000 different IP addresses across 163 countries since summer 2020. As of February 2026, the service listed nearly 8,000 actively infected routers, with 2,500 located in the United States alone.
The proxy service marketed itself as offering “static residential IPs with unlimited bandwidth” that could bypass spam blocklists. Pricing ranged from $15/month for 30 proxies to $200/month for 5,000 proxies—making sophisticated anonymization accessible to cybercriminals at scale.
How Victims Were Defrauded
The criminal infrastructure enabled devastating financial losses:
- $1 million in cryptocurrency stolen from a New York resident
- $700,000 defrauded from a Pennsylvania manufacturing business
- $100,000 stolen from U.S. service members with MILITARY STAR cards
Operation Lightning: The Takedown
Codenamed Operation Lightning, the effort involved law enforcement from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the United States. Key results include:
- 34 domains and 23 servers seized across seven countries
- $3.5 million in cryptocurrency frozen
- Criminal infrastructure dismantled
Europol revealed that compromised devices were exploited for ransomware attacks, DDoS campaigns, and the distribution of child sexual abuse material (CSAM). The devices were primarily infected through a vulnerability in residential modems of a specific brand.
The AVrecon Malware
SocksEscort was powered by AVrecon, a sophisticated malware first documented by Lumen Black Lotus Labs in July 2023 but active since at least May 2021. Key technical details from the FBI alert:
- Written in C, primarily targeting MIPS and ARM devices
- Targets approximately 1,200 device models from Cisco, D-Link, Hikvision, Mikrotik, NETGEAR, TP-Link, and Zyxel
- Exploits critical vulnerabilities including Remote Code Execution (RCE) and command injection
- Uses the device’s built-in update mechanism to flash custom firmware containing AVrecon
- Disables the device’s update and flashing features, making the infection permanent
Beyond proxy functionality, AVrecon can establish remote shells and act as a loader for arbitrary payloads.
Why This Matters
Residential proxy botnets represent a growing threat because they allow attackers to:
- Blend malicious traffic with legitimate activity by routing through home IP addresses
- Bypass geographic restrictions and blocklists designed to stop attacks
- Evade attribution by hiding behind victims’ networks
“Over the past several years, SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes,” Black Lotus Labs noted.
Protecting Your Network
Organizations and home users with SOHO routers should:
- Check whether your router model is among those targeted (Cisco, D-Link, Hikvision, Mikrotik, NETGEAR, TP-Link, Zyxel)
- Verify that the firmware is updated to the latest version
- If the update fails or the router behaves unusually, consider a factory reset or replacement
- Change default credentials and disable remote management if not needed
- Monitor network traffic for unusual outbound connections
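The last step above, monitoring for unusual outbound connections, is the one a home or small-office defender can script. The following is an added example, not code from the article or from any of the organizations it cites. It assumes a hypothetical connection log in a simple `timestamp src:port -> dst:port proto` format (constructed here; real routers export conntrack, NetFlow, or syslog in vendor-specific layouts that would need their own parser), a LAN subnet of 192.168.1.0/24 with the router at 192.168.1.1, and three constructed heuristics: the router itself originating connections to the outside, a single host fanning out to many distinct external destinations (as a proxy node would), and outbound connections to ports outside a small allow-list of everyday services. All addresses and thresholds are constructed sample values.

```python
"""Flag unusual outbound connections in a (constructed) SOHO router connection log."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed assumptions: the LAN subnet, the router's own LAN address, and a
# small allow-list of destination ports that ordinary client traffic uses.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_IP = "192.168.1.1"
COMMON_PORTS = frozenset({53, 80, 123, 443, 853, 993})
FANOUT_THRESHOLD = 5  # distinct external destinations before a host is flagged

# Hypothetical log format for illustration, not any vendor's real layout.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)$"
)

# Constructed sample log: a laptop (.20) and a phone (.30) behaving normally, and
# the router itself (.1) opening connections to six outside hosts on odd ports.
SAMPLE_LOG = """\
2026-02-10T12:00:01 192.168.1.20:51234 -> 198.51.100.7:443 TCP
2026-02-10T12:00:02 192.168.1.20:51235 -> 198.51.100.9:443 TCP
2026-02-10T12:00:03 192.168.1.20:51236 -> 192.168.1.1:80 TCP
2026-02-10T12:00:04 192.168.1.30:40100 -> 198.51.100.53:53 UDP
2026-02-10T12:00:04 192.168.1.30:40101 -> 198.51.100.7:443 TCP
2026-02-10T12:00:05 192.168.1.1:40001 -> 203.0.113.5:4444 TCP
2026-02-10T12:00:06 192.168.1.1:40002 -> 203.0.113.6:8080 TCP
2026-02-10T12:00:07 192.168.1.1:40003 -> 203.0.113.7:1080 TCP
2026-02-10T12:00:08 192.168.1.1:40004 -> 203.0.113.8:1080 TCP
2026-02-10T12:00:09 192.168.1.1:40005 -> 203.0.113.9:9999 TCP
2026-02-10T12:00:10 192.168.1.1:40006 -> 203.0.113.10:443 TCP
garbled entry that should be skipped, not crash the analysis
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_log(text: str) -> list[Conn]:
    """Parse log lines into Conn records; malformed lines are skipped."""
    conns: list[Conn] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(m["ts"], m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]), m["proto"]))
    return conns


def leaves_lan(ip: str) -> bool:
    """True when the destination is outside the configured LAN subnet."""
    return ipaddress.ip_address(ip) not in LAN_NET


def analyze(conns: list[Conn], router_ip: str = ROUTER_IP,
            common_ports: frozenset[int] = COMMON_PORTS,
            fanout_threshold: int = FANOUT_THRESHOLD) -> dict:
    """Apply the three heuristics to outbound (LAN -> outside) connections."""
    outbound = [c for c in conns if leaves_lan(c.dst)]
    # 1. The router originating its own outbound connections.
    router_originated = [c for c in outbound if c.src == router_ip]
    # 2. Outbound connections to ports outside the everyday allow-list.
    unusual_ports = [c for c in outbound if c.dport not in common_ports]
    # 3. One internal host contacting many distinct external destinations.
    dests: dict[str, set[str]] = defaultdict(set)
    for c in outbound:
        dests[c.src].add(c.dst)
    high_fanout = {src: len(d) for src, d in dests.items() if len(d) >= fanout_threshold}
    return {"router_originated": router_originated,
            "unusual_ports": unusual_ports,
            "high_fanout": high_fanout}


def report(findings: dict) -> None:
    for c in findings["router_originated"]:
        print(f"ROUTER-ORIGINATED {c.ts} {c.src} -> {c.dst}:{c.dport}")
    for c in findings["unusual_ports"]:
        print(f"UNUSUAL-PORT      {c.ts} {c.src} -> {c.dst}:{c.dport}")
    for src, n in findings["high_fanout"].items():
        print(f"HIGH-FANOUT       {src} contacted {n} distinct external hosts")


if __name__ == "__main__":
    report(analyze(parse_log(SAMPLE_LOG)))
```

On the constructed sample the router address is flagged by all three heuristics while the two client devices produce nothing, which is the shape of result worth investigating: a stock consumer router forwards traffic but should not itself be opening connections to a spread of outside hosts. The thresholds and allow-list are starting points to tune against a baseline of your own network's normal traffic.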
