SocksEscort Dismantled: Inside the 16-Year Criminal Proxy Network That Infected 369,000 Routers

When the DOJ, Europol, and an international coalition of law enforcement agencies seized the SocksEscort domain on March 12, 2026, they didn’t just shut down another botnet. They ripped out a piece of criminal infrastructure that had been running continuously since 2009 — 16 years of providing anonymity to fraudsters, ransomware operators, bank account thieves, and worse.

The numbers are staggering: 369,000 infected routers and IoT devices across 163 countries. Over 35,000 active proxies available at any time. An estimated 124,000 paying criminal customers over the network’s lifetime. And for most of those 16 years, the router owners had absolutely no idea their home internet connections were being sold to criminals.

SocksEscort wasn’t a hacking tool. It was the invisibility cloak that made other crimes possible.

What SocksEscort Actually Did

To understand why this takedown matters, you need to understand what a criminal proxy service is and why it’s the single most important piece of infrastructure in modern cybercrime.

The Problem Every Criminal Faces

Every internet connection has an IP address. Every fraud attempt, bank account takeover, and ransomware operation leaves a trail of IP addresses in server logs. If a criminal in Russia tries to log into an American’s bank account, the bank’s fraud systems immediately flag the login as suspicious — wrong country, wrong IP range, wrong everything.

The SocksEscort Solution

SocksEscort solved this problem by turning hundreds of thousands of ordinary home routers into proxy servers. When a criminal customer needed to appear as if they were logging in from Denver, SocksEscort routed their traffic through an infected router in Denver. The bank’s fraud detection systems saw a local IP address. The login looked legitimate.

Here’s how it worked:

  1. Infection: Routers and IoT devices were infected with malware called AVRecon — a purpose-built Trojan that turned consumer routers into proxy nodes without their owners’ knowledge
  2. Enrollment: Infected devices were automatically added to the SocksEscort network and made available to paying customers
  3. Sale: Criminal customers purchased proxy access through the SocksEscort website, selecting proxies by geographic location, ISP, and connection type
  4. Abuse: Customers routed their criminal traffic through the infected devices, making their activity appear to originate from legitimate residential connections

The result: your grandmother’s router in Ohio could have been the launchpad for a bank account takeover, a fraudulent unemployment claim, or a ransomware negotiation — and neither she nor anyone else would know.
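To make steps 1 to 4 concrete, here is an added example (not code from the page, from SocksEscort or from AVRecon) that encodes and decodes the SOCKS5 handshake (RFC 1928) exchanged between a proxy customer's client and an infected exit node, then reports what the target server would log. The node's public address, the target hostname and the ports are constructed values; the username/password sub-negotiation (RFC 1929) that a paid service would require is noted but not implemented. The greeting bytes built here (version 0x05 followed by a method list) are also what a defender would see arriving on the WAN side of a router that has been turned into a proxy node.

```python
"""Minimal SOCKS5 (RFC 1928) message encoder/decoder, no network I/O.

Added example: builds the client greeting and CONNECT request a proxy
customer sends to an exit node, the replies the node returns, and what
the target server sees. Addresses and ports below are constructed.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_REJECT = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCESS = 0x00


def build_greeting(methods):
    """Client -> node: version, method count, list of offered auth methods."""
    return bytes([SOCKS_VERSION, len(methods)]) + bytes(methods)


def select_method(greeting, offered=(METHOD_USERPASS,)):
    """Node -> client: first offered method the node accepts, or 0xFF to reject."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated method list")
    chosen = next((m for m in methods if m in offered), METHOD_REJECT)
    return bytes([SOCKS_VERSION, chosen])


def build_connect(host, port):
    """Client -> node: CONNECT to host:port; host may be IPv4, IPv6 or a name."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(request):
    """Node side: decode a CONNECT request into (address kind, host, port)."""
    if len(request) < 4 or request[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if request[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = request[3]
    if atyp == ATYP_IPV4:
        kind, host, rest = "ipv4", str(ipaddress.IPv4Address(request[4:8])), request[8:]
    elif atyp == ATYP_IPV6:
        kind, host, rest = "ipv6", str(ipaddress.IPv6Address(request[4:20])), request[20:]
    elif atyp == ATYP_DOMAIN:
        n = request[4]
        kind, host, rest = "domain", request[5:5 + n].decode("idna"), request[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("bad request length")
    return kind, host, struct.unpack("!H", rest)[0]


def build_reply(bind_ip, bind_port, rep=REP_SUCCESS):
    """Node -> client: status plus the node-side address the outbound socket is bound to."""
    ip = ipaddress.ip_address(bind_ip)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([SOCKS_VERSION, rep, 0x00, atyp]) + ip.packed + struct.pack("!H", bind_port)


def simulate_exchange(target_host, target_port, node_public_ip):
    """Walk the handshake as both parties and report what the target server logs.

    node_public_ip is the infected router's WAN address (constructed here); the
    target only ever sees that address, never the customer's real one.
    """
    choice = select_method(build_greeting([METHOD_USERPASS]))
    if choice[1] == METHOD_REJECT:
        raise RuntimeError("node rejected every offered auth method")
    # RFC 1929 username/password sub-negotiation would happen here (omitted).
    kind, host, port = parse_connect(build_connect(target_host, target_port))
    reply = build_reply(node_public_ip, 0)
    return {"target": (kind, host, port),
            "reply_ok": reply[1] == REP_SUCCESS,
            "source_ip_seen_by_target": node_public_ip}


if __name__ == "__main__":
    print(simulate_exchange("bank.example", 443, "203.0.113.7"))
```

Seen from the target's side, the login arrives from the router's residential address on port 443; nothing in the SOCKS exchange leaks the customer's origin, which is precisely why geolocation-based fraud checks pass.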

What Crimes SocksEscort Enabled

According to the DOJ and Europol, the proxy network facilitated:

  • Bank and cryptocurrency account takeovers — Criminals logged into victims’ financial accounts through local residential IPs to bypass fraud detection
  • Fraudulent unemployment insurance claims — During the COVID-era fraud explosion, SocksEscort proxies made fake claims appear to originate from the right geographic locations
  • Ransomware operations — Operators used the network to obscure their command-and-control communications
  • DDoS attacks — The botnet’s massive scale made it useful for distributed denial-of-service campaigns
  • Distribution of child sexual abuse material (CSAM) — Europol specifically flagged this as one of the criminal activities facilitated by the network

The DOJ says these crimes cost Americans “millions of dollars” — almost certainly an understatement given the network’s 16-year operational history and 124,000 customer base.

The Takedown: Operation Details

The takedown was a coordinated international effort:

  • 34 domains seized associated with SocksEscort’s operations
  • 23 servers seized across seven countries
  • Infected routers disconnected from the proxy service
  • SocksEscort website replaced with a law enforcement seizure notice

The Scale at Shutdown

While SocksEscort infected more than 369,000 devices over its lifetime, the network’s active size fluctuated. According to Lumen’s Black Lotus Labs, which tracked SocksEscort and assisted law enforcement:

  • 280,000 routers were part of the botnet as of January 2026
  • 8,000 active routers as of February 2026 (suggesting pre-takedown disruption had already reduced the network)
  • 2,500 of those were in the United States
  • Over half of all victims were located in the U.S. or U.K.

Black Lotus Labs called SocksEscort “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history.”

A 16-Year History

The timeline of SocksEscort tells its own story:

  • 2009: SocksEscort launched as a Russian-language service selling access to compromised computers (first documented by cybersecurity journalist Brian Krebs)
  • 2009-2023: The service operated largely uninterrupted, evolving from compromised PCs to residential routers as its primary proxy infrastructure
  • 2023: Black Lotus Labs publicly identified the AVRecon malware and SocksEscort connection, calling it one of the largest SOHO router botnets ever observed
  • 2023-2026: Despite public exposure, the network continued operating for three more years
  • March 12, 2026: International law enforcement finally seized the infrastructure and shut down operations

The 16-year gap from inception to shutdown is the real story. This wasn’t a case of law enforcement being unaware: the service was documented in 2009, and its router botnet was publicly exposed in 2023. The challenge was the international coordination, legal authority, and technical capability required to dismantle a network spanning 163 countries.

Why Proxy Networks Are the Backbone of Cybercrime

SocksEscort wasn’t unique. It was one node in a larger ecosystem of criminal proxy services that form the invisible infrastructure layer of modern cybercrime. Without residential proxy networks, most online fraud becomes dramatically harder to execute.

Think of it this way:

  • Phishing gets you the credentials
  • Malware gets you the access
  • Proxy networks make it all look legitimate

When law enforcement takes down a phishing campaign, the criminals set up a new one in hours. When they seize a malware C2 server, operators switch to backup infrastructure. But residential proxy networks — built on hundreds of thousands of infected consumer devices — take years to build and are extraordinarily difficult to replace.

The Connection to Other Takedowns

SocksEscort’s shutdown didn’t happen in isolation. In the months around it:

  • INTERPOL’s Operation Synergia III dismantled 45,000 malicious IPs across 72 countries
  • FBI, Meta, and Thai Police disrupted Southeast Asian scam centers, disabling 150,000 accounts and arresting 21 suspects
  • Operation Moonlander (May 2025) took down the Anyproxy and 5socks services, another residential proxy botnet that had been operating for roughly 20 years

This isn’t coincidence. These operations represent a coordinated global assault on the infrastructure layer that enables scams, fraud, and cybercrime at scale. Take away the proxies, and criminals can’t hide. Take away the servers, and criminals can’t operate. Take away the social media accounts, and criminals can’t reach victims.

Is Your Router Infected?

If you own a home router — especially an older model — it’s worth checking whether your device might have been part of SocksEscort or a similar botnet.

Warning Signs

  • Unusually slow internet that isn’t explained by your ISP or the number of devices on your network
  • Unexpected bandwidth usage visible in your router’s admin interface
  • Your public IP address appearing in abuse databases: look it up on AbuseIPDB, and check whether Shodan shows services exposed on it (a SOCKS port or admin interface reachable from the internet is a red flag)
  • Unfamiliar outbound connections in your router’s connection logs
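The last warning sign is the one you can check mechanically. Here is an added example (not code from the page or from Black Lotus Labs) that parses conntrack-style connection-table lines, the format OpenWrt’s `conntrack -L` prints, and flags flows the router itself opened to the internet. A healthy SOHO router originates very little traffic of its own beyond DNS, NTP and firmware checks; a proxy node originates a lot, fanning out to many destinations and holding persistent sessions to its controller. The router addresses, the allowlists and the sample lines are all constructed for the example.

```python
"""Flag proxy-like activity in a SOHO router's connection table.

Added example: parses conntrack-style lines (constructed sample below) and
reports flows originated by the router itself, which a healthy router
rarely does outside DNS, NTP and firmware update checks.
"""
import ipaddress
import re
from collections import Counter

# Assumed household addresses: the router's LAN and WAN side, its ISP resolver,
# and the destination ports a router legitimately opens on its own.
ROUTER_ADDRS = {"192.168.1.1", "198.51.100.23"}
EXPECTED_PEERS = {"198.51.100.1"}
EXPECTED_DPORTS = {53, 123, 443}

# Only RFC 1918, loopback and link-local count as non-public here; the
# documentation ranges used in the sample are treated as public addresses.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\d+\s+(?P<ttl>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample: two LAN hosts browsing, the router doing DNS and NTP,
# then the router itself holding sessions to a controller on 8081 and
# fanning out over HTTPS to several unrelated hosts (customer traffic).
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=192.0.2.5 sport=51234 dport=443 bytes=8122 [ASSURED]
udp     17 29 src=192.168.1.1 dst=198.51.100.1 sport=40001 dport=53 bytes=311
udp     17 100 src=192.168.1.1 dst=203.0.113.9 sport=40002 dport=123 bytes=152
tcp      6 431988 ESTABLISHED src=198.51.100.23 dst=203.0.113.77 sport=38811 dport=8081 bytes=1902440 [ASSURED]
tcp      6 431900 ESTABLISHED src=198.51.100.23 dst=203.0.113.77 sport=38812 dport=8081 bytes=441091 [ASSURED]
tcp      6 431850 ESTABLISHED src=198.51.100.23 dst=192.0.2.150 sport=38813 dport=443 bytes=77120 [ASSURED]
tcp      6 431800 ESTABLISHED src=198.51.100.23 dst=192.0.2.151 sport=38814 dport=443 bytes=55210 [ASSURED]
tcp      6 431700 ESTABLISHED src=198.51.100.23 dst=192.0.2.152 sport=38815 dport=443 bytes=61207 [ASSURED]
tcp      6 119 TIME_WAIT src=192.168.1.33 dst=192.0.2.6 sport=60110 dport=443 bytes=2901
"""


def parse_conntrack(text):
    """Return one dict per recognised line; lines in other formats are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        flows.append({"proto": d["proto"], "ttl": int(d["ttl"]),
                      "state": d["state"] or "", "src": d["src"], "dst": d["dst"],
                      "sport": int(d["sport"]), "dport": int(d["dport"])})
    return flows


def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in LOCAL_NETS)


def analyse(flows, router_addrs=ROUTER_ADDRS, expected_peers=EXPECTED_PEERS,
            expected_dports=EXPECTED_DPORTS, fan_out_threshold=2):
    """Apply three proxy-node heuristics to router-originated flows."""
    router_out = [f for f in flows
                  if f["src"] in router_addrs and is_public(f["dst"])
                  and f["dst"] not in expected_peers]
    # 1. The router talking to the internet on a port it has no business using.
    unexpected_ports = [f for f in router_out if f["dport"] not in expected_dports]
    # 2. HTTPS to many distinct hosts: an update check hits one, a proxy exit hits dozens.
    https_dsts = {f["dst"] for f in router_out if f["dport"] == 443}
    fan_out = sorted(https_dsts) if len(https_dsts) > fan_out_threshold else []
    # 3. Several concurrent established sessions to one peer: controller-style traffic.
    peers = Counter(f["dst"] for f in router_out
                    if f["proto"] == "tcp" and f["state"] == "ESTABLISHED")
    persistent = sorted(p for p, n in peers.items() if n >= 2)
    return {"router_originated": router_out, "unexpected_ports": unexpected_ports,
            "fan_out_https": fan_out, "persistent_peers": persistent,
            "suspicious": bool(unexpected_ports or fan_out or persistent)}


if __name__ == "__main__":
    result = analyse(parse_conntrack(SAMPLE_CONNTRACK))
    for key in ("unexpected_ports", "fan_out_https", "persistent_peers", "suspicious"):
        print(key, result[key])
```

Run it against a real `conntrack -L` dump after editing the three assumed sets at the top; the thresholds are deliberately low because a consumer router that opens more than a handful of its own connections to arbitrary public hosts deserves a look regardless of which botnet, if any, is responsible.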

What to Do

  1. Reboot your router. Many router botnets, including AVRecon, don’t survive a reboot, so this is the simplest first step. A reboot removes the running malware but not the weakness that let it in, and exposed or unpatched routers are routinely reinfected, so carry on with the steps below.
  2. Update your router firmware. Log into your router’s admin panel and check for firmware updates. Many infections exploit known vulnerabilities that have been patched.
  3. Change default credentials. If you’ve never changed your router’s admin password from the factory default, do it now.
  4. Consider replacing old hardware. Routers more than 5 years old often no longer receive security updates. If your router is end-of-life, it’s a permanent security risk.
  5. Disable remote management. Unless you specifically need to manage your router from outside your network, turn off remote administration features.

The Bigger Picture

SocksEscort ran for 16 years. It survived public exposure in 2023. It served 124,000 criminal customers. And it only fell because an international coalition of law enforcement agencies coordinated across seven countries to seize its infrastructure simultaneously.

The takedown is a victory. But it’s also a reminder of how long criminal infrastructure can operate when it’s distributed across hundreds of thousands of consumer devices in 163 countries. For every SocksEscort that gets taken down, others continue to operate in the shadows.

The criminal proxy ecosystem isn’t gone. But it just got significantly more expensive and risky to operate. And for the hundreds of thousands of router owners whose devices were unknowingly enlisted in a criminal enterprise — their connections are finally their own again.

Sources

  • U.S. Department of Justice, “Authorities Dismantle Global Malicious Proxy Service,” March 13, 2026
  • Europol, “Europol and international partners disrupt ‘SocksEscort’ proxy service,” March 13, 2026
  • TechCrunch, “Law enforcement shuts down botnet made of tens of thousands of hacked routers,” March 12, 2026
  • The Hacker News, “Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries,” March 13, 2026
  • Tom’s Hardware, “DoJ dismantles SocksEscort proxy network,” March 14, 2026
  • Black Lotus Labs/Lumen Technologies, “Escorted Out,” March 2026
  • Help Net Security, “Authorities dismantle SocksEscort proxy network behind millions in fraud,” March 13, 2026