An international law enforcement operation has shut down SocksEscort, a criminal proxy service that hijacked hundreds of thousands of residential routers to facilitate global fraud. The service infected devices with malware and sold access to the compromised IP addresses, allowing cybercriminals to hide their identities and steal millions of dollars from victims.
A coordinated global effort known as Operation Lightning has dismantled SocksEscort, a major proxy service used by criminals to mask their online activities. Law enforcement agencies from the United States and several European nations collaborated to seize dozens of domains and servers that powered the network. Since 2020, the service had offered access to hundreds of thousands of unique IP addresses across more than 160 countries. By taking over home and small business routers, the operation enabled users to bypass security filters and conduct malicious activities under the guise of legitimate residential traffic.
The service worked by infecting routers with malware, turning standard internet routers into nodes of a massive botnet. This allowed SocksEscort to reroute internet traffic through the devices of ordinary people without their knowledge or consent. At its peak, the service advertised thousands of active connections, including a significant number located within the United States. Customers paid monthly subscription fees to use these hijacked connections, which were marketed as being capable of evading spam blocklists and providing unlimited bandwidth for fraudulent schemes.
The primary purpose of such services is to provide a layer of anonymity for actors who want to appear as though they are browsing from a specific geographic location. By tunneling their traffic through a victim’s router, attackers can blend in with normal web activity, making it extremely difficult for security systems to flag them as a threat. This camouflage is essential for carrying out large-scale identity theft, financial fraud, and other cybercrimes that require the perpetrator to hide their true location and digital footprint.
The real-world impact of this specific network was devastating, resulting in millions of dollars in losses for individuals and businesses alike. Notable cases linked to the service include a cryptocurrency theft totaling one million dollars from a New York resident and a fraud that cost a manufacturing firm in Pennsylvania seven hundred thousand dollars. Additionally, the network was used to target military members, leading to significant financial losses through compromised service cards. These incidents highlight how residential botnets serve as the backbone for serious financial exploitation.
Following the successful disruption, authorities have frozen millions of dollars in cryptocurrency linked to the illegal operation. The takedown involved seizing twenty-three servers and thirty-four domains spread across seven different countries, effectively crippling the infrastructure used by SocksEscort. This intervention serves as a major blow to the ecosystem of residential proxy services that empower cybercriminals. Law enforcement continues to monitor the situation to prevent similar networks from emerging to fill the void left by this closure.
Source: Authorities Disrupt Socksescort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries


