A coordinated international law enforcement operation has dismantled SocksEscort, a large cybercrime proxy network that relied on malware-infected Linux devices to provide anonymous internet access for criminal activities. The operation, led by the U.S. Department of Justice with support from European law enforcement agencies and private-sector partners, targeted the infrastructure used to operate the network and seized associated assets.
Authorities say the service enabled cybercriminals to route malicious internet traffic through compromised routers and edge devices, allowing them to hide their identities and bypass security systems while carrying out fraud and other illegal activities.
Malware-Infected Routers Used to Build Proxy Network
Investigators found that the SocksEscort network relied on malware known as AVrecon, which targeted vulnerable home and small business routers running Linux-based systems. Once infected, these devices were silently converted into proxy nodes that could route internet traffic on behalf of cybercriminals.
The operators then sold access to this network of compromised devices to other threat actors. By routing traffic through residential IP addresses, criminals were able to disguise the origin of their activities and evade detection systems that often trust residential internet connections.
Since the summer of 2020, the service reportedly offered customers access to around 369,000 IP addresses worldwide. By February 2026, approximately 8,000 infected routers were actively available through the platform, including about 2,500 located in the United States.
Fraud and Financial Crimes Linked to the Service
Law enforcement agencies say the proxy service was used to facilitate multiple forms of cyber-enabled fraud. Criminal users leveraged the anonymized network to conduct activities such as bank and cryptocurrency account takeovers and fraudulent financial transactions.
Investigators cited several major cases linked to the network. One incident involved the theft of $1 million worth of cryptocurrency from a victim in New York. Another case involved a Pennsylvania-based manufacturing company that lost $700,000 in a fraud scheme. Authorities also reported $100,000 in losses affecting current and former U.S. service members who used MILITARY STAR credit accounts.
The service generated significant revenue for its operators and users, with some criminals profiting heavily from schemes conducted through the proxy infrastructure.
International Operation Seizes Servers and Domains
The takedown required coordination across multiple countries. Law enforcement agencies seized 34 domains associated with the service and shut down 23 servers located in seven countries, disrupting the network’s core infrastructure.
Authorities also froze approximately $3.5 million in cryptocurrency linked to the operation. As part of the disruption, infected devices that had been used to support the proxy network were disconnected from the service.
The operation involved collaboration between U.S. agencies and law enforcement bodies in Austria, France, and the Netherlands, coordinated through Europol.
Ongoing Efforts to Combat Cybercrime Infrastructure
Officials say the operation demonstrates the growing international cooperation needed to dismantle large-scale cybercrime networks. Proxy services like SocksEscort are widely used in criminal operations because they allow attackers to conceal their location and bypass network security filters.
Authorities continue to investigate individuals associated with the service and have urged organizations and device owners to secure routers and IoT devices against malware infections that can turn them into nodes in criminal proxy networks.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
