Europol Dismantles Global SocksEscort Botnet

Catenaa, Saturday, March 14, 2026- International authorities dismantled a major cybercrime network that used infected home routers and smart devices to run a global proxy service, seizing millions in cryptocurrency and shutting down critical infrastructure.

The operation, led by Europol and supported by United States investigators, targeted the proxy platform known as SocksEscort. Officials said the service secretly infected more than 369,000 routers and internet-connected devices worldwide.

Law enforcement agencies seized 34 domains and 23 servers linked to the network while freezing about $3.5 million in cryptocurrency believed to be connected to criminal activity.

The takedown, called Operation Lightning, was coordinated by Europol’s Joint Cybercrime Action Taskforce and involved authorities across seven countries. Investigators said the network allowed criminals to route online traffic through compromised residential internet connections to hide their identities.

Officials said the proxy system offered more than 35,000 anonymous internet connections that cybercriminals could use to launch attacks or conceal fraud schemes.

Prosecutors in the US Attorney’s Office for the Eastern District of California described multiple financial crimes tied to the network. In one case, a customer at a New York cryptocurrency exchange lost about $1 million in digital assets.

A manufacturing company in Pennsylvania was also defrauded of roughly $700,000, while several military service members and veterans collectively lost more than $100,000 in related scams.

Investigators said the network relied on malware that secretly infected routers, security cameras and other internet-connected devices. Once compromised, those devices relayed internet traffic for criminals without the owners’ knowledge.

Authorities said the service enabled a wide range of illegal activities including ransomware attacks, distributed denial-of-service operations, identity theft and account takeovers.

Some of the infrastructure was also used to distribute child sexual abuse material, according to law enforcement officials involved in the investigation.

Cybersecurity analysts say residential proxy services have become an important tool for online criminal groups because they make malicious traffic appear to originate from ordinary home internet connections.

That technique allows attackers to bypass fraud detection systems that rely on suspicious IP address monitoring or geographic filters.

Investigators said the SocksEscort network processed more than $5.7 million in cryptocurrency payments for proxy subscriptions since its launch in 2022.

Blockchain tracing by cybersecurity partners helped authorities identify dozens of digital wallets connected to the service and track funds linked to ransomware groups and online fraud operations.

Officials said many of the compromised routers were consumer devices that had not received security updates or still used default passwords.

The network infected devices across at least 163 countries, highlighting the global scale of the operation.

Authorities said the seized servers contained command-and-control systems used to manage infected devices and distribute malicious software updates.

Europol said the takedown significantly disrupted the service, removing most of its proxy capacity and preventing criminals from using the compromised infrastructure.

Investigators are continuing efforts to identify the operators and customers behind the network.

Law enforcement agencies also warned internet users to update router firmware, change default passwords and secure home networks to prevent similar attacks in the future.