US, Europol disrupt SocksEscort network that exploited thousands of residential routers
A cybercriminal platform that offered access to thousands of residential routers was disrupted by law enforcement agencies in the U.S. and Europe on Wednesday.
The SocksEscort proxy network allowed cybercriminals to purchase access to routers infected with malware. Criminals could conceal their location and IP address by routing their activities through the infected routers.
The Justice Department said that from 2020 to 2026, SocksEscort offered access to about 369,000 different IP addresses in 163 countries, but listed about 8,000 IP addresses as of February. Of those 8,000 available for sale, 2,500 were in the U.S.
In total, 34 domains were seized and 23 servers were taken down by law enforcement agencies in seven countries. U.S. officials also froze access to $3.5 million worth of cryptocurrency.
Alongside the operation against SocksEscort, the FBI on Thursday published a flash alert about a malware strain known as AVrecon, warning the public that it targets routers and internet-of-things devices.
Threat actors “have been found to compromise routers, install AVrecon Malware, and then sell access to the compromised devices as residential proxies using the SocksEscort residential proxy service.”
SocksEscort uses AVrecon malware “to target approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel,” the FBI said. Europol noted that when the devices were infected with the malware, owners would not know that their IP address was being abused.
Catherine De Bolle, executive director of Europol, said proxy services like SocksEscort “provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”
“By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale,” De Bolle said in a statement.
U.S. officials executed seizure warrants against several U.S. domains that enabled the SocksEscort operation.
Court documents tied the SocksEscort site to dozens of different cyberscams, including fraudulent unemployment insurance claims, cryptocurrency thefts and the takeover of U.S. bank accounts.
The people behind SocksEscort allegedly netted more than $5.7 million from the service.
Law enforcement agencies in Austria, France and the Netherlands took down SocksEscort servers and officials in Bulgaria, Germany, Hungary and Romania were involved in the investigation, which began in June 2025. The DOJ noted that private sector firms like Lumen’s Black Lotus Labs and the Shadowserver Foundation also provided assistance.
Black Lotus Labs published its own advisory on AVrecon and SocksEscort, writing that over the past several years, the platform “maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).”
In 2023, the company said AVrecon’s botnet was one of the largest it has seen targeting home office routers.
An FBI official told The Register that SocksEscort had 124,000 users and that they planned to use the seized servers to target other cybercriminal activity.
U.S. and European law enforcement agencies have ramped up botnet takedowns in recent years to stymie cybercriminal and nation-state attack campaigns. Botnets like QakBot, 911 S5, IPStorm, KV, DanaBot, Anyproxy, 5socks and others have faced law enforcement scrutiny since 2021.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



