A coordinated international law enforcement operation successfully dismantled SocksEscort, a massive malicious residential proxy network.
Led by the U.S. Justice Department alongside several European allies, the operation disrupted a sophisticated infrastructure that compromised thousands of residential and small business routers globally.
By executing seizure warrants against dozens of U.S.-registered domains, authorities effectively halted a criminal service that facilitated millions of dollars in financial fraud.
SocksEscort functioned as an illicit residential proxy service powered by a sprawling botnet. The operators deployed specialized malware to infect home and small office internet routers.
Once a router was compromised, the malware allowed SocksEscort to silently hijack the device and route third-party internet traffic through it, according to U.S. court documents.
The operators monetized this illegal network by selling routing access to other cybercriminals.
Because the network traffic appeared to originate from legitimate residential internet service providers, attackers could easily bypass standard security filters and geolocation blocks that typically flag malicious data center traffic.
Network Scale and Criminal Abuse
The technical scale of the SocksEscort operation was vast. Since the summer of 2020, the proxy service offered its criminal customer base access to approximately 369,000 distinct IP addresses.
Just prior to the takedown in February 2026, the SocksEscort application actively listed around 8,000 infected routers available for immediate use, including 2,500 located directly within the United States.
Cybercriminals aggressively purchased this proxy access to mask their true IP addresses and geographic locations.
This layer of anonymity enabled them to launch targeted, undetected attacks against U.S. persons, businesses, and financial institutions.
This purchased anonymity paved the way for severe financial cybercrime.
Attackers utilized the residential proxies to execute banking takeovers, drain cryptocurrency accounts, and file fraudulent unemployment insurance claims. Court documents outline devastating financial losses across multiple sectors:
- A New York cryptocurrency exchange customer lost $1 million in digital assets.
- A Pennsylvania manufacturing business was defrauded of $700,000.
- Current and former U.S. military personnel were targeted, resulting in $100,000 stolen from MILITARY STAR card accounts.
Dismantling the SocksEscort infrastructure required extensive international collaboration.
The FBI Sacramento Field Office, the IRS Criminal Investigation unit, and the Department of Defense led the American investigation.
Concurrently, law enforcement agencies in Austria, France, and the Netherlands successfully seized and dismantled core SocksEscort servers.
The operation drew investigative support from Europol, Eurojust, and authorities across Bulgaria, Germany, Hungary, and Romania.
Additionally, private cybersecurity organizations, including Lumen’s Black Lotus Labs and the Shadowserver Foundation, provided essential threat intelligence to map the botnet.
Through programs like the International Computer Hacking and Intellectual Property (ICHIP) network, global authorities continue to share technical resources to actively combat and dismantle emerging cyber threats.



