Major Cybercrime Takedown: SocksEscort Proxy Network Disrupted by US and European Authorities

In a significant blow to international cybercrime, law enforcement agencies across the United States and Europe, in collaboration with private cybersecurity partners, have successfully dismantled the notorious SocksEscort proxy network. For years, this network exploited compromised edge devices to route malicious internet traffic, affecting tens of thousands of devices worldwide. The operation highlights both the growing sophistication of cybercriminal infrastructures and the global coordination required to fight them.

SocksEscort: A Decade-Long Cyber Threat

SocksEscort, first identified in 2023 by Lumen’s Black Lotus Labs (BLL), operated for over ten years, offering cybercriminals access to “clean” IP addresses from major Internet Service Providers, including Comcast, Spectrum, Verizon, and Charter. The service allowed criminals to bypass blocklists and route traffic anonymously.

The network relied exclusively on AVRecon malware targeting Linux-based routers. This malware infected tens of thousands of small office/home office (SOHO) routers, peaking at over 70,000 devices by mid-2023. Lumen researchers estimated that the network maintained an average of 20,000 active infected devices weekly.

The U.S. Department of Justice reported that since 2020, SocksEscort sold access to around 369,000 IP addresses. By February 2026, the service listed roughly 8,000 infected routers for purchase, with 2,500 located in the United States.

Impact on Victims and Financial Losses

SocksEscort enabled large-scale financial crimes. Authorities attribute three cases to the network's operations: $1 million in cryptocurrency stolen from a New York user, $700,000 in losses at a Pennsylvania manufacturing company, and $100,000 in fraud against U.S. service members using MILITARY STAR cards.

In Europe, authorities in Austria, France, and the Netherlands coordinated through Europol to seize 34 domains and 23 servers across seven countries. Meanwhile, the U.S. froze $3.5 million in cryptocurrency connected to the network.

AVRecon Malware: The Engine Behind SocksEscort

The AVRecon malware, active since at least May 2021, was responsible for infecting routers and maintaining the SocksEscort network. Despite prior disruptions in 2023, when Lumen null-routed the botnet’s command-and-control (C2) servers, the network quickly recovered, maintaining operations through 15 active C2 nodes.

Researchers observed that over half of the infected devices were located in the U.S. and U.K., providing optimal conditions for routing malicious traffic while evading detection. The malware was largely dedicated to growing the SocksEscort network and did not appear in other botnets.

Emerging Threats: KadNap and Router Security

Earlier this week, Lumen revealed another botnet called KadNap, which targets ASUS routers and other edge devices. Since August 2025, KadNap has infected 14,000 devices, exploiting weaknesses in the Kademlia Distributed Hash Table (DHT) protocol.

To protect against router compromises, experts recommend updating firmware regularly, replacing end-of-life models, changing default admin passwords, and disabling unnecessary remote access panels.
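The hardening advice above addresses the device owner; a network defender at an ISP or enterprise also wants a way to spot a router that has already been turned into a relay. The following added example (not code from the article, Lumen, or any of the agencies named) screens constructed flow records for the behaviour the article describes: a device that accepts inbound connections from several distinct external sources on a proxy listener port and fans that traffic out to many destinations. The CSV layout, the listener-port set, the thresholds, and all IP addresses are assumptions chosen for illustration.

```python
"""Heuristic screening of flow logs for SOHO devices acting as traffic relays.

Added example for illustration only. The record format, the listener ports,
the thresholds and the sample data below are assumptions, not details from
the article or from Lumen's AVRecon / SocksEscort reporting.
"""
import csv
from collections import defaultdict
from io import StringIO

# Ports commonly used by generic SOCKS/HTTP proxy software. This is an
# assumption for the example; the article does not state SocksEscort's ports.
PROXY_LISTENER_PORTS = {1080, 3128, 8080}

# Constructed sample flow records (not real data). Columns:
#   timestamp, direction, local_ip, remote_ip, service_port, bytes
# direction "in"  = remote host opened a connection to the local device,
#                   service_port is the local port that accepted it
# direction "out" = local device opened a connection to the remote host,
#                   service_port is the remote destination port
SAMPLE_FLOWS = """\
timestamp,direction,local_ip,remote_ip,service_port,bytes
1700000000,in,203.0.113.10,198.51.100.7,1080,900
1700000002,out,203.0.113.10,192.0.2.45,443,4100
1700000005,in,203.0.113.10,198.51.100.8,1080,1200
1700000006,out,203.0.113.10,192.0.2.61,443,3900
1700000010,in,203.0.113.10,198.51.100.9,1080,700
1700000011,out,203.0.113.10,192.0.2.77,80,2500
1700000015,in,203.0.113.10,198.51.100.10,1080,1100
1700000016,out,203.0.113.10,192.0.2.90,443,5200
1700000017,out,203.0.113.10,192.0.2.101,443,600
1700000020,out,203.0.113.20,192.0.2.45,443,15000
1700000021,out,203.0.113.20,192.0.2.46,443,8000
1700000022,out,203.0.113.20,192.0.2.47,443,3000
1700000023,out,203.0.113.20,192.0.2.48,443,2000
1700000030,in,203.0.113.30,198.51.100.50,1080,120
1700000031,out,203.0.113.30,192.0.2.45,443,2200
1700000032,out,203.0.113.30,192.0.2.46,443,1800
"""


def parse_flows(text):
    """Parse CSV flow records into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "ts": int(row["timestamp"]),
            "direction": row["direction"],
            "local_ip": row["local_ip"],
            "remote_ip": row["remote_ip"],
            "service_port": int(row["service_port"]),
            "bytes": int(row["bytes"]),
        })
    return rows


def score_relays(flows, listener_ports=PROXY_LISTENER_PORTS,
                 min_sources=3, min_destinations=3):
    """Return per-device counters plus a relay flag.

    A device is flagged when it both accepts inbound connections from at
    least `min_sources` distinct external hosts on a listener port AND opens
    outbound connections to at least `min_destinations` distinct hosts. A
    normal home router shows the second pattern but not the first; a single
    inbound probe (for example a scanner) does not reach the threshold.
    """
    stats = defaultdict(lambda: {
        "inbound_sources": set(), "outbound_destinations": set(),
        "inbound_bytes": 0, "outbound_bytes": 0,
    })
    for f in flows:
        s = stats[f["local_ip"]]
        if f["direction"] == "in" and f["service_port"] in listener_ports:
            s["inbound_sources"].add(f["remote_ip"])
            s["inbound_bytes"] += f["bytes"]
        elif f["direction"] == "out":
            s["outbound_destinations"].add(f["remote_ip"])
            s["outbound_bytes"] += f["bytes"]

    report = {}
    for ip, s in stats.items():
        n_src = len(s["inbound_sources"])
        n_dst = len(s["outbound_destinations"])
        report[ip] = {
            "inbound_sources": n_src,
            "outbound_destinations": n_dst,
            "inbound_bytes": s["inbound_bytes"],
            "outbound_bytes": s["outbound_bytes"],
            "flagged": n_src >= min_sources and n_dst >= min_destinations,
        }
    return report


if __name__ == "__main__":
    for ip, r in sorted(score_relays(parse_flows(SAMPLE_FLOWS)).items()):
        status = "RELAY-LIKE" if r["flagged"] else "ok"
        print(f"{ip:15} in_src={r['inbound_sources']} "
              f"out_dst={r['outbound_destinations']} {status}")
```

Run over the constructed sample, only 203.0.113.10 is flagged: it accepts connections from four external sources on port 1080 and reaches five distinct destinations, while 203.0.113.20 (ordinary outbound-only traffic) and 203.0.113.30 (one inbound probe) fall below the thresholds. On real data the thresholds would need tuning per network, and a flag is a lead for investigation, not proof of compromise.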

What Undercode Says:

The dismantling of SocksEscort underscores a pivotal trend in modern cybercrime: the shift toward exploiting edge devices rather than traditional desktops or servers. Unlike conventional botnets, SocksEscort leveraged SOHO routers as a proxy network, offering criminals a scalable, difficult-to-detect infrastructure. The operation illustrates both the ingenuity and persistence of cybercriminals and the challenges law enforcement faces in disrupting these networks.

Lumen’s repeated interventions against AVRecon highlight a recurring problem in cybersecurity: takedown operations can be temporarily effective but rarely eradicate determined operators. The network’s ability to resume operations through additional C2 nodes shows that botnet resilience is as much technical as it is organizational.

Geographical concentration in the U.S. and U.K. offered both benefits and risks. While it made routing traffic easier and bypassing blocklists more effective, it also created jurisdictions where coordinated law enforcement action could produce immediate results. The success of the U.S. DOJ and Europol operation demonstrates the importance of international collaboration in tackling these crimes.

SocksEscort’s decade-long operation also demonstrates the profitability of proxy networks. By monetizing compromised routers, cybercriminals could enable a range of crimes—from cryptocurrency theft to military fraud—without directly handling the stolen funds. This model is likely to inspire similar operations unless proactive cybersecurity measures become standard among edge device owners.

The emergence of KadNap shows the problem is evolving. Its use of a novel, though flawed, peer discovery protocol indicates that cybercriminals are experimenting with more resilient networks. Blocking C2 communication, as Lumen did, is effective but reactive. Moving forward, proactive detection, continuous firmware updates, and default security hardening will be crucial.

Cybersecurity awareness among small businesses and individual users remains a critical defense. Many SOHO devices are easily exploitable due to outdated firmware or weak passwords. Widespread education campaigns and manufacturer accountability could significantly reduce the pool of vulnerable devices, limiting opportunities for botnets to thrive.

This takedown also raises broader questions about digital jurisdiction, international law enforcement cooperation, and the allocation of resources to prevent rather than merely respond to cybercrime. Future strategies must balance technical disruption with legal, regulatory, and educational initiatives to achieve lasting results.

Fact Checker Results

✅ The number of infected routers and IP addresses is consistent with Lumen Black Lotus Labs’ reports.
✅ U.S. and European law enforcement actions, including domain seizures and cryptocurrency freezes, have been verified by official DOJ and Europol statements.
❌ Exact financial losses are approximate; some amounts may vary based on ongoing investigations.

Prediction

📈 The disruption of SocksEscort will temporarily reduce proxy-based cybercrime, but new botnets like KadNap indicate attackers will continue evolving.
💡 Increased focus on securing SOHO routers will likely emerge, with manufacturers issuing stronger default security and firmware update mandates.
⚠️ Law enforcement collaboration will grow, but fully eradicating proxy networks may remain challenging as criminals adopt decentralized and encrypted infrastructures.


References:

Reported By: www.bleepingcomputer.com

