Europol and DOJ Dismantle SocksEscort Botnet, Freeze $3.5M in Crypto

Key takeaways:

  • Law enforcement's crypto seizure demonstrates growing regulatory capability to trace illicit funds, potentially deterring cybercrime.
  • The takedown may temporarily reduce crypto-related fraud, but persistent demand for anonymity could spawn similar services.
  • Investors should monitor for increased regulatory scrutiny on privacy-focused crypto services following this high-profile operation.

In a major international law enforcement operation, Europol and the U.S. Department of Justice (DOJ) have dismantled the 'SocksEscort' proxy service, a massive botnet infrastructure used by cybercriminals to conceal fraud and attacks, including cryptocurrency account takeovers. Authorities froze approximately $3.5 million in cryptocurrency linked to the criminal operation.

The coordinated takedown, named Operation Lightning and executed on March 11, 2026, targeted a network of malware-infected home routers and IoT devices. Investigators found that the SocksEscort service had compromised over 369,000 devices across 163 countries, turning them into anonymous proxy nodes. During the action, law enforcement seized 34 domain names and 23 servers located across seven nations and disconnected the infected devices from the network.

The platform, active since at least 2020, allowed customers to pay for proxy access using cryptocurrency through an anonymous payment system. Europol estimates the service generated more than €5 million (roughly $5.7 million) from its users. The proxy infrastructure was used to facilitate a range of crimes, including bank fraud, ransomware, distributed denial-of-service (DDoS) attacks, and, notably, cryptocurrency account takeovers. In one cited case, a victim in New York lost about $1 million in crypto.

The investigation, initiated in June 2025, was led by Europol's Joint Cybercrime Action Taskforce (J-CAT), with critical support from U.S. agencies including the FBI, IRS Criminal Investigation, and the Department of Defense Office of Inspector General. Technical intelligence was provided by Lumen Technologies' Black Lotus Labs and the Shadowserver Foundation. The malware used, known as AVrecon, exploited vulnerabilities in specific modem brands.

"Proxy services like 'SocksEscort' provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection," said Europol Executive Director Catherine De Bolle, highlighting the significance of the international crackdown.
