Current Cyber Threats

US Disrupts SocksEscort Proxy Network Powered by Linux Malware

Summary:
A coordinated international law enforcement operation dubbed Operation Lightning has disrupted SocksEscort, a long-running criminal residential proxy network that monetized compromised SOHO routers as anonymization infrastructure for paying cybercriminals.

Active since at least 2020 and originating as a Russian-language service, SocksEscort was powered by AVRecon, a C-language malware targeting MIPS and ARM architectures across approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.

AVRecon achieved persistence by flashing a custom firmware image through the device's own update mechanism, disabling future patching and hardcoding malware execution at startup. As of February 2026, the network listed roughly 8,000 actively infected routers available for sale, 2,500 of which were located in the United States, with a total reach across approximately 369,000 IP addresses in 163 countries since inception.

The operation, led by the U.S. Department of Justice with participation from Austria, France, and the Netherlands under Europol coordination, resulted in the seizure of 34 domains and 23 servers across seven countries and the freezing of approximately $3.5 million in cryptocurrency.

Lumen's Black Lotus Labs and the Shadowserver Foundation contributed to the takedown. An FBI flash alert on AVRecon was also published concurrently.

Security Officer Comments:
SocksEscort functioned as a full-service anonymization marketplace, allowing criminal customers to purchase proxy access priced as low as $15/month for 30 nodes, with packages scaling to 5,000 proxies for $200/month, advertising static residential IPs with the ability to bypass spam blocklists. The downstream criminal activity enabled by the network was extensive and directly harmful: documented losses include $1 million in cryptocurrency theft from a New York victim, $700,000 in fraud against a Pennsylvania manufacturing firm, and $100,000 in damages targeting U.S. military service members via MILITARY STAR card fraud.

At scale, the FBI characterized SocksEscort as responsible for tens of millions of dollars in losses from ransomware, DDoS attacks, ad fraud, account takeovers, business email compromise, identity theft, romance scams, password spraying, and distribution of child sexual abuse material. The network maintained an average of approximately 20,000 weekly active victim nodes, and a prior 2023 disruption by Black Lotus Labs proved short-lived: SocksEscort operators recovered and resumed operations, underscoring the resilience of SOHO botnet infrastructure.

Suggested Corrections:
Organizations and individuals operating SOHO routers should treat unpatched edge devices as an active risk:
  • Priority actions include verifying firmware versions and applying all available manufacturer updates, reviewing router administrative logs for anomalous outbound connections or unauthorized configuration changes, and auditing for unexpected persistence mechanisms or disabled update functionality, the persistence technique AVRecon specifically uses.
  • Given the malware's ability to disable the native update and flashing features, devices suspected of compromise should be assumed persistently infected and considered for factory reset via out-of-band recovery methods or physical reset, followed by immediate firmware reinstallation from a trusted source.
  • Network defenders should monitor for SOHO devices generating unusual outbound traffic volumes or communicating with unrecognized C2 endpoints, and consider deploying network-level controls to restrict router management interfaces from external access.
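One way to operationalize the monitoring in the last bullet, as an added example that is not from the page or the linked advisory: a small triage over constructed flow records of router-originated connections. It assumes a sensor upstream of the routers logs the routers' own outbound flows and that a hypothetical allowlist of legitimate vendor-update and NTP destinations is known; a healthy SOHO router originates little traffic of its own, while one sold as a proxy exit fans out to many unrelated hosts.

```python
from collections import defaultdict

# Constructed flow-log sample (not from the page). Each tuple is
# (source device, destination IP, destination port, bytes sent) for flows the
# router itself originated. "router-a" behaves normally; "router-b" fans out to
# many unrelated hosts and moves far more data than a router should on its own.
SAMPLE_FLOWS = [
    ("router-a", "198.51.100.5", 443, 2_000),
    ("router-a", "198.51.100.6", 123, 200),
    ("router-b", "198.51.100.5", 443, 1_500),
] + [("router-b", f"203.0.113.{n}", 443 if n % 2 else 25, 600_000) for n in range(1, 9)]

# Hypothetical allowlist: the only destinations a router's own traffic should reach
# (vendor update server, NTP). Anything else is a candidate unrecognized C2 or proxy exit.
KNOWN_DESTINATIONS = {"198.51.100.5", "198.51.100.6"}


def triage_flows(flows, known_dests, max_distinct_dests=5, max_bytes=2_000_000):
    """Return {device: [reasons]} for devices whose router-originated outbound
    behaviour looks proxy-like: fan-out to many distinct destinations, heavy
    outbound volume, or connections to destinations outside the allowlist."""
    dests = defaultdict(set)
    volume = defaultdict(int)
    unknown = defaultdict(set)
    for device, dst, _port, nbytes in flows:
        dests[device].add(dst)
        volume[device] += nbytes
        if dst not in known_dests:
            unknown[device].add(dst)

    findings = {}
    for device in dests:
        reasons = []
        if len(dests[device]) > max_distinct_dests:
            reasons.append(f"fan-out to {len(dests[device])} distinct destinations")
        if volume[device] > max_bytes:
            reasons.append(f"outbound volume {volume[device]} bytes exceeds {max_bytes}")
        if unknown[device]:
            reasons.append(f"unrecognized destinations: {sorted(unknown[device])}")
        if reasons:
            findings[device] = reasons
    return findings


if __name__ == "__main__":
    for device, reasons in triage_flows(SAMPLE_FLOWS, KNOWN_DESTINATIONS).items():
        print(device)
        for reason in reasons:
            print("  -", reason)
```

Thresholds are placeholders; tune them against a baseline of each router's normal self-originated traffic, and treat any hit as a reason to check the device's firmware version and update capability as described in the first two bullets.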
Link(s):
http://www.justice.gov/usao-edca/pr...-proxy-service-deployed-malware-and-defrauded