Global crackdown dismantles SocksEscort proxy botnet

A coordinated international law enforcement operation has dismantled SocksEscort, a large malicious proxy service that enabled cybercriminals to hide their identities while carrying out fraud, ransomware attacks and other online crimes. The operation, codenamed Operation Lightning, targeted infrastructure spread across multiple countries and led to the seizure of dozens of domains and servers used to run the network.

Authorities said the proxy service relied on malware that infected home and small-business routers, silently turning them into part of a vast botnet that routed internet traffic for paying customers. By channelling activity through legitimate residential internet connections, criminals could disguise their true location and bypass many security systems designed to detect suspicious traffic.


Operation Lightning involved law enforcement agencies from the United States and several European countries including Austria, Bulgaria, France, Germany, Hungary, the Netherlands and Romania. Investigators seized 34 internet domains and shut down 23 servers located in seven countries that supported the proxy service’s infrastructure. Authorities also froze approximately $3.5 million in cryptocurrency linked to the network’s activities.

Investigators said the SocksEscort platform had offered access to hundreds of thousands of compromised internet addresses worldwide since 2020. Data from the investigation indicated that the service provided access to about 369,000 IP addresses across 163 countries during its operation. By early 2026 the network still maintained access to about 8,000 infected routers, including thousands located in the United States.

The service marketed itself as a residential proxy provider offering static IP addresses and large volumes of bandwidth. Customers could purchase packages that allowed them to route internet traffic through the hijacked devices, masking the origin of malicious activity. Security analysts note that such proxy networks are widely used in cybercrime because traffic routed through residential connections appears legitimate to many online services and fraud detection systems.

According to investigators, criminals exploited the infrastructure for a wide range of offences including identity theft, financial fraud, distributed denial-of-service attacks and ransomware operations. Authorities linked the network to cases involving significant financial losses. One victim using a cryptocurrency exchange reportedly lost about $1 million in digital assets, while a manufacturing company in Pennsylvania lost roughly $700,000 through fraudulent transactions. Financial data belonging to service members using Military Star cards was also targeted in separate schemes.

Technical analysis tied the proxy service to a malware strain known as AVrecon. The malicious software exploited vulnerabilities in small-office and home-office routers and other connected devices, allowing operators to remotely control them and redirect internet traffic. Cybersecurity researchers described the botnet as one of the largest networks targeting routers used by individuals and small organisations.

Investigators said the malware exploited known security flaws in devices from multiple networking hardware manufacturers. Once infected, routers could be controlled through command-and-control servers that directed traffic through the compromised systems. This arrangement effectively turned ordinary household internet equipment into anonymous relay points for criminal operations without the knowledge of device owners.

The takedown effort involved close cooperation between law enforcement and cybersecurity researchers in the private sector. Organisations including Lumen Technologies’ Black Lotus Labs and the Shadowserver Foundation helped track the botnet infrastructure and identify infected devices, enabling investigators to map the network and coordinate the disruption effort.

Officials said proxy networks such as SocksEscort play a central role in the modern cybercrime economy by providing anonymity to criminals who carry out online attacks. By routing malicious traffic through compromised residential connections, attackers can blend their activity with normal internet usage and avoid many forms of detection. Investigators say dismantling such infrastructure can significantly disrupt the ecosystem supporting cybercrime.

Authorities indicated that the investigation remains active and may lead to additional prosecutions. Data recovered from the seized servers is expected to help identify individuals who operated the network as well as customers who used the service to conduct fraudulent schemes. Investigators also plan to notify internet service providers and affected countries so that compromised routers can be cleaned or replaced, reducing the risk that the botnet could be rebuilt.


Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
