Authorities in the United States and Europe have shut down a major cybercrime proxy network known as SocksEscort during a coordinated international operation. The action targeted the infrastructure behind the service, which relied on malware-infected Linux devices to provide anonymous internet access for criminal activities. The operation was led by the U.S. Department of Justice with support from European law enforcement agencies and private-sector partners.
Investigators found that the network operated using malware called AVrecon, which infected vulnerable home and small business routers running Linux-based systems. Once compromised, these routers were quietly converted into proxy nodes that routed internet traffic for cybercriminals. The operators then sold access to these infected devices, allowing attackers to route malicious traffic through residential IP addresses and hide the origin of their activities. This tactic helped criminals bypass security systems that typically trust residential internet connections.
Authorities said the service had been operating since the summer of 2020 and provided users with access to about 369,000 IP addresses worldwide. By February 2026, around 8,000 infected routers were actively available on the platform, including roughly 2,500 located in the United States. Law enforcement agencies linked the proxy network to several fraud cases. One incident involved the theft of $1 million worth of cryptocurrency from a victim in New York. Another case involved a manufacturing company in Pennsylvania that lost $700,000 in a fraud scheme. Investigators also reported $100,000 in losses involving current and former U.S. service members using MILITARY STAR credit accounts.
The takedown required extensive international cooperation. Authorities seized 34 domains linked to the service and shut down 23 servers across 7 countries, disrupting the network’s core operations. Officials also froze approximately $3.5 million in cryptocurrency connected to the platform and disconnected infected devices from the proxy service. The operation involved agencies from the United States and law enforcement bodies in Austria, France and the Netherlands, coordinated through Europol. Officials said the action highlights the growing need for international collaboration to combat cybercrime infrastructure. They also urged organizations and device owners to strengthen security measures for routers and IoT devices to prevent malware infections that can turn them into nodes in criminal proxy networks.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream LinkedIn | The Mainstream Facebook | The Mainstream Youtube | The Mainstream Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
