U.S. and European authorities have dismantled Socksescort, a residential proxy network powered by AVRecon malware that quietly hijacked more than 369,000 devices across 163 countries. Operating since 2020, the service sold access to infected home routers, allowing criminals to disguise their IP addresses while carrying out cryptocurrency account takeovers, bank fraud, ransomware attacks and other schemes.
Victims reportedly lost millions, including $1 million from a New York crypto investor and $700,000 from a Pennsylvania business. During “Operation Lightning,” officials seized 34 domains, shut down 23 servers in seven countries, froze $3.5 million in cryptocurrency payments, and disconnected thousands of infected devices from the network. The crackdown involved the U.S. Department of Justice (DOJ), FBI, IRS Criminal Investigation, Europol, Eurojust, and several European law enforcement agencies. Investigators say the service generated about $5.7 million for operators while exposing roughly 124,000 proxy users who relied on the botnet’s anonymity.
Authorities believe evidence from seized servers could lead to additional prosecutions. Officials also warned that compromised routers remain a weak point in global cybersecurity, urging owners to update firmware, secure devices, and replace outdated hardware. Experts say dismantling the network removes a key tool used to hide ransomware operations, DDoS attacks, and crypto-related fraud carried out through residential proxy infrastructure.
- What was the Socksescort proxy network? Socksescort was a residential proxy service using AVRecon malware to hijack over 369,000 routers and IoT devices for anonymous internet access.
- Who coordinated the Socksescort takedown? The DOJ, FBI, IRS-CI, Europol, Eurojust and European law enforcement agencies worked together in Operation Lightning.
- How much cryptocurrency was seized in the operation? Authorities froze approximately $3.5 million in cryptocurrency linked to payments to the proxy service operators.
- How did AVRecon infect routers worldwide? AVRecon exploited vulnerabilities in outdated or poorly secured routers, quietly adding them to a global proxy botnet.