Feds Dismantle SocksEscort Proxy Network Used in Global Fraud


A coordinated international law enforcement operation has dismantled SocksEscort (socksescort.com), a large proxy service that routed cybercriminal traffic through thousands of compromised home and small business routers around the world.

The operation, announced by the FBI and the US Department of Justice (DOJ), resulted in the seizure of dozens of internet domains and servers, along with the freezing of millions of dollars in cryptocurrency linked to the service.

SocksEscort functioned like any other proxy service online, where customers paid to route their internet traffic through remote IP addresses. However, investigators say the infrastructure behind the service relied on malware that infected residential routers, turning them into tools for cybercrime without their owners’ knowledge.

SocksEscort’s homepage now shows a seizure notice (Image credit: Hackread.com)

According to the DOJ’s press release, the service deployed backdoors on routers used in homes and small businesses. Once infected, those devices could relay internet traffic on behalf of SocksEscort customers. That traffic masking allowed criminals to hide their real location and identity while carrying out financial fraud and account intrusions.

Since mid-2020, the service had advertised access to roughly 369,000 IP addresses worldwide. By February 2026, the SocksEscort application listed around 8,000 actively infected routers, with about 2,500 located in the United States.

Authorities also say access to these compromised routers was used in several fraud schemes. Cybercriminals routed their activity through the hijacked connections to bypass fraud detection systems and disguise their origin. The method enabled attacks including bank and cryptocurrency account takeovers, as well as fraudulent unemployment insurance claims.

Worse, unsuspecting victims in the US suffered major financial losses. Authorities cited one case involving a New York cryptocurrency exchange customer who lost $1 million in digital assets, while a Pennsylvania manufacturing company was defrauded of $700,000. In another case, current and former US service members using MILITARY STAR credit cards lost roughly $100,000 through fraudulent transactions.

According to Europol’s press release, law enforcement agencies in Austria, France, and the Netherlands, led by Europol and Eurojust, played a central role in seizing servers connected to the network. Investigators also received support from cybercrime authorities in Bulgaria, Germany, Hungary, and Romania.

Officials say the operation highlights the growing role of compromised consumer devices in organized cybercrime. Home networking devices often run outdated software and rarely receive security monitoring, which makes them a lucrative target for attackers looking to build botnets that serve as large proxy networks.

Nevertheless, with the domains seized and key infrastructure removed, authorities believe the disruption will weaken SocksEscort’s ability to operate. Investigators continue to analyze seized servers and financial records as they work to identify additional suspects and victims connected to the network.




