Law enforcement shuts down SocksEscort Botnet, exposing proxy crime network

A global coalition of law enforcement agencies on Wednesday shut down a botnet built from tens of thousands of hacked home and small-business routers that powered the SocksEscort proxy service. The Department of Justice announced the operation after investigators replaced the SocksEscort site with a seizure notice and moved to seize infrastructure and assets tied to the service.

Europol on SocksEscort Botnet

Europol said the SocksEscort network had allegedly compromised more than 369,000 routers and Internet of Things devices in 163 countries and that the infected routers “have been disconnected from the service.” The scale — hundreds of thousands of IP addresses across 163 countries — underlines how widely AVRecon malware was able to propagate through small-office/home-office devices. The figures point to a sprawling, internationally distributed proxy platform rather than an isolated cluster of infections.

FBI and DOJ takedown

Law enforcement in eight countries executed the operation, named Operation Lightning, with the FBI and partner agencies seizing 34 domains and 23 servers across seven countries and freezing about $3.5 million in cryptocurrency. The Department of Justice published a notice of the action, and the SocksEscort website was replaced with a seizure banner as part of the disruption. The pattern suggests authorities targeted both the criminal storefront and the underlying infrastructure to deny access to the roughly 124,000 customers the service reportedly had.

Black Lotus Labs tracking and victims

Cybersecurity firm Black Lotus Labs tracked SocksEscort and said the botnet had comprised around 280,000 routers since last January and that it was powered by malware called AVRecon. The Register and the Justice Department noted that SocksEscort had sold access to about 369,000 different IP addresses since the summer of 2020, and that as of last month the criminal network listed about 8,000 infected routers for customers, 2,500 of them in the United States. The service was marketed to criminals and tied to diverse fraud schemes that cost businesses and consumers millions; documented victim losses include a New York cryptocurrency customer defrauded of $1 million, a Pennsylvania manufacturer defrauded of $700,000, and current and former U.S. service members defrauded of $100,000. The pattern suggests sellers of illicit residential proxies converted widespread device compromise into a commodity that enabled high-value, targeted fraud.

Private-sector partners also played a role: Black Lotus Labs and the Shadowserver Foundation assisted investigators in tracking the network, and Black Lotus Labs had previously described AVRecon as one of the largest botnets targeting SOHO routers seen in recent years. That assessment ties the technical tracking to the operational disruption carried out by law enforcement.

For now, prosecutors and investigators say the seized domains, servers, and frozen cryptocurrency will feed further action. The FBI has said the servers seized in the operation will almost certainly yield additional evidence supporting the pursuit of further criminal activity, and investigators continue to probe downstream criminals who used SocksEscort. If those forensic leads identify customers among the roughly 124,000 users, prosecutions and civil forfeiture actions could follow as authorities trace the financial and operational chain behind the proxy service.
