CYBER

U.S.-Led Operation Disrupts SocksEscort Proxy Network Fueled by Linux Malware


A coalition of international law enforcement agencies and private cybersecurity partners has successfully disrupted the SocksEscort proxy network, a long-running cybercrime service that exclusively used edge devices infected with the AVRecon malware for Linux. The operation, supported by intelligence from Lumen's Black Lotus Labs (BLL), was led by the U.S. Department of Justice. According to BLL, the network maintained a persistent infrastructure, averaging 20,000 compromised devices online each week over several years. First identified by researchers in 2023, SocksEscort had been operational for over a decade, selling traffic routing services to cybercriminals seeking to anonymize their activities through residential and small business IP addresses.

The service marketed itself by offering access to "clean" IP addresses from major U.S. internet service providers, including Comcast, Spectrum, Verizon, and Charter. These IPs were promoted as being able to bypass common blocklists, making them valuable for fraud, credential stuffing, and other malicious campaigns. The U.S. Department of Justice revealed that since the summer of 2020, SocksEscort had offered access to approximately 369,000 unique IP addresses. As of February 2026, its application listed around 8,000 infected routers available for customer purchase, with 2,500 of those located within the United States, highlighting the significant domestic footprint of the botnet.

The takedown underscores the tangible financial harm caused by such proxy networks. Authorities directly linked SocksEscort to substantial criminal losses, including the theft of $1 million in cryptocurrency from a New York victim and a $700,000 fraud scheme targeting a Pennsylvania-based company. By providing a layer of anonymity, these services lower the barrier for cybercrime, enabling everything from ransomware attacks and data theft to financial fraud. The disruption of SocksEscort represents a critical blow to the cybercriminal ecosystem's infrastructure, removing a key tool used to obfuscate the origins of attacks.

This operation is part of a broader trend of targeting the foundational services that enable cybercrime, such as botnets, proxy networks, and initial access brokers. The success hinged on close collaboration between public agencies and private sector threat intelligence teams like Black Lotus Labs. For organizations and individuals, the incident serves as a stark reminder of the importance of securing network edge devices, like routers and IoT equipment, which are often overlooked. Regular firmware updates, strong password policies, and disabling unnecessary remote management features are essential steps to prevent devices from being conscripted into such malicious networks.
