
US disrupts SocksEscort proxy network powered by Linux malware

Why This Matters

The disruption of the SocksEscort proxy network marks a significant victory against cybercrime, highlighting the ongoing efforts by law enforcement to combat malicious use of compromised Linux devices. This takedown not only removes a major tool used for illicit traffic routing but also underscores the importance of securing edge devices to prevent future exploitation. For consumers and the tech industry, it emphasizes the critical need for robust cybersecurity measures and vigilant monitoring of connected devices.

Key Takeaways

Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network that relied solely on edge devices compromised via the AVRecon malware for Linux.

According to Lumen’s Black Lotus Labs (BLL), which helped the U.S. Department of Justice take down SocksEscort, the proxy network had a constant average of 20,000 infected devices every week for the past few years.

SocksEscort was first documented by BLL researchers in 2023 and functioned for more than a decade by offering cybercriminals traffic routing services through residential or small business devices.

The service advertised access to “clean” IP addresses from major ISPs - such as Comcast, Spectrum, Spectrum Business, Verizon, and Charter - that could pass multiple blocklists.

"Since the summer of 2020, SocksEscort has offered to sell access to about 369,000 different IP addresses," the U.S. Department of Justice says in a press release today.

"As of February 2026, the SocksEscort application listed approximately 8,000 infected routers to which its customers could buy access; of those, 2,500 were in the United States."

The DOJ says that the SocksEscort service was used in the theft of $1 million worth of cryptocurrency from a user in New York, enabled losses of $700,000 from defrauding a Pennsylvania-based manufacturing business, and caused $100,000 in damages in a fraud impacting current and former United States service members with MILITARY STAR cards.

In Europe, authorities in Austria, France, and the Netherlands took down multiple SocksEscort servers under the coordination of Europol.

"During the action day, law enforcement agencies successfully took down and seized 34 domains as well as 23 servers located in seven countries," Europol reports. The US also froze $3.5 million in cryptocurrency.

Currently, all infected devices used in the SocksEscort proxy network have been disconnected from the service.
