Operation Lightning Takedown of SocksEscort Residential Proxy Botnet
An international law-enforcement operation dubbed Operation Lightning disrupted SocksEscort, a paid “residential proxy” service that routed criminal traffic through compromised home and small-business routers and IoT devices to provide anonymity for fraud and other cybercrime. Authorities from the US and several European countries (including Austria, France, and the Netherlands), supported by Europol and Eurojust and assisted by private-sector partners Lumen’s Black Lotus Labs and the Shadowserver Foundation, reported that the botnet had been built by exploiting vulnerabilities in edge devices and was powered by the AVRecon Linux malware. Officials said SocksEscort had advertised access to roughly 369,000 IP addresses since 2020, with Europol stating that the infrastructure compromised more than 369,000 routers and IoT devices across 163 countries and offered customers tens of thousands of proxies; reporting also noted that, as of February 2026, the service listed about 8,000 infected routers, including roughly 2,500 in the United States.
During the coordinated action, authorities seized 34 domains and 23 servers across seven countries, replaced the service’s website with a seizure notice, and the US froze approximately $3.5 million in cryptocurrency tied to the operation; officials also cited the service’s payment platform receiving about $5.8 million from customers. SocksEscort was described as enabling a wide range of downstream criminal activity—including large-scale fraud, account takeovers, identity theft, business email compromise, password spraying, and, per Europol, facilitation of ransomware, DDoS, and distribution of CSAM—with US reporting citing specific victim losses (including a $1M cryptocurrency theft and additional six-figure fraud impacts). Investigators indicated the seized infrastructure and customer data (reported as roughly 124,000 users) will be used to pursue follow-on investigations into both operators and customers of the proxy service.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Officials and partners publicly tie SocksEscort to AVRecon malware
In post-takedown disclosures, law enforcement and private-sector partners including Lumen Black Lotus Labs and the Shadowserver Foundation said the SocksEscort network was powered by the AVRecon Linux malware family. They described AVRecon as infecting SOHO routers and edge devices from multiple vendors to provide proxying, persistence, and remote access for the criminal service.
Authorities publicly detail SocksEscort's criminal use and impact
Following the takedown announcement, officials said SocksEscort had enabled fraud, bank and cryptocurrency account takeovers, fraudulent unemployment claims, ransomware, DDoS attacks, and child sexual abuse material distribution. They also linked the service to specific U.S. losses, including about $1 million stolen from a New York cryptocurrency victim, $700,000 from a Pennsylvania manufacturer, and roughly $100,000 involving MILITARY STAR card fraud.
Operation Lightning disrupts SocksEscort infrastructure
On 11 March 2026, U.S. and European law enforcement agencies, coordinated with Europol and Eurojust, executed Operation Lightning against SocksEscort. The action seized 34 domains and 23 servers across seven countries, froze $3.5 million in cryptocurrency, and disconnected infected devices from the proxy service.
Authorities observe about 8,000 infected routers still listed for sale
By February 2026, investigators said SocksEscort's application still listed about 8,000 infected routers for sale, including around 2,500 in the United States. This showed the proxy service remained active shortly before the takedown.
Europol opens a J-CAT investigation into SocksEscort
Europol said its Joint Cyberaction Task Force opened an investigation into the SocksEscort infrastructure in June 2025. Investigators determined the botnet had been built by exploiting a vulnerability in residential modems from a specific vendor.
SocksEscort begins selling access to compromised residential IPs
Authorities said the SocksEscort service had been offering proxy access to compromised routers and IoT devices since summer 2020, ultimately advertising access to roughly 369,000 IP addresses across 163 countries. The service monetized infected home and small-business devices as residential proxies for cybercriminal use.
Sources
Novel Iran-linked hacking group takes aim at Middle Eastern energy firms | brief | SC Media (scworld.com)
teiss - News - International operation dismantles SocksEscort botnet that hijacked 369,000 routers for cybercrime (teiss.co.uk)
DoJ dismantles botnet made of 360,000 infected routers and IOT devices spread across 163 countries that ran for 16 years - SocksEscort proxy network eliminated in joint operation with Europol | Tom's Hardware (tomshardware.com)
International operation dismantles SocksEscort botnet used for large-scale fraud | brief | SC Media (scworld.com)
Europol and international partners disrupt ‘SocksEscort’ proxy service - Joint operation targeted malicious proxy service exploiting residential routers worldwide | Europol (europol.europa.eu)
US, Europol disrupt SocksEscort network that exploited thousands of residential routers | The Record from Recorded Future News (therecord.media)
SocksEscort fraud-enabling proxy service taken down • The Register (go.theregister.com)
Europol and international partners disrupt ‘SocksEscort’ proxy service - Joint operation targeted malicious proxy service exploiting residential routers worldwide | Europol - Infosec.Pub (infosec.pub)