In a coordinated international law enforcement action dubbed Operation Lightning, the FBI and Europol have dismantled SocksEscort — one of the longest-running criminal proxy services on the internet. Since the summer of 2020, SocksEscort secretly infected home and small business routers with malware, then sold access to those compromised devices to cybercriminals who used them to hide their true identities while committing ransomware attacks, bank fraud, account takeovers, identity theft, and romance scams. The operation seized 34 domains and 23 servers across seven countries, froze $3.5 million in cryptocurrency, and disconnected all infected routers from the service. The FBI confirmed that SocksEscort had approximately 124,000 paying customers and is responsible for tens of millions of dollars in losses to businesses and consumers.
Affected products
- Routers and IoT devices from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel — approximately 1,200 device models targeted by AVRecon malware
- Small office and home office routers running outdated or unpatched firmware
How to Fix
Step-by-step remediation
The infected routers have been disconnected from the SocksEscort service following the takedown, but the underlying AVRecon malware infection may still be present on some devices.
- Update your router firmware immediately. This is the first step for any home or small business user: log into your router's admin panel, find the firmware update section, and install any available updates.
- If your router model has reached end-of-life and is no longer receiving updates from the manufacturer, replace it. This is not optional: a router that cannot receive security patches is a permanently open door.
- Change your router's default administrator credentials if you have not done so. AVRecon exploits default credentials and unpatched vulnerabilities as its primary infection methods.
- Disable remote management access on your router unless you have a specific need for it.
- If you suspect your router may be infected, perform a full factory reset, then immediately update the firmware and change all credentials before reconnecting to the internet.
- The FBI has published guidance and indicators of compromise for AVRecon that IT teams can use to check for infections on managed networks.
What happened
SocksEscort operated as a residential proxy service — meaning it sold access to real home and business internet connections rather than obvious data center IP addresses. This made it extremely effective for criminals because traffic routed through a compromised home router looks like ordinary residential internet activity to banks, fraud detection systems, and security tools. The service listed nearly 8,000 infected routers available for purchase as of February 2026, with 2,500 of those located in the United States. A package of 30 proxies cost $15 per month and a package of 5,000 proxies cost $200 per month — cheap enough for large-scale criminal operations. The botnet was powered by a malware strain called AVRecon, which has been active since at least May 2021 and targets approximately 1,200 router and IoT device models from manufacturers including Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel. AVRecon primarily exploits critical vulnerabilities including remote code execution and command injection flaws in these devices. Beyond converting infected routers into proxies, AVRecon also establishes a remote shell to attacker-controlled servers and can download and execute additional malware payloads on the infected device.
Real-World Impact
The human cost of SocksEscort's operations is documented in specific cases. A cryptocurrency exchange customer in New York was defrauded of $1 million in cryptocurrency by criminals using SocksEscort to mask their location. A Pennsylvania manufacturing business lost $700,000 to fraud enabled by the service. Current and former US military service members with Military Star cards were defrauded of $100,000. These are just the documented cases connected to a single operation — the full scale of losses enabled by SocksEscort's 124,000 customers over six years of operation runs to tens of millions of dollars. Beyond direct financial fraud, SocksEscort's infrastructure was used to facilitate ransomware attacks, advertising fraud, business email compromise, password spraying campaigns, and the distribution of illegal content. The botnet maintained an average of 20,000 distinct victim routers per week since early 2024, peaking at over 15,000 new victim devices per day in January 2025.
Technical Details
🛡️ Prevention Tips
Your home router is the gateway to everything connected to your network — your computers, phones, smart TVs, and any IoT devices. Most people treat it as a set-and-forget appliance, checking it only when the internet stops working. SocksEscort exploited exactly that attitude for six years. Make router maintenance part of your regular security routine: check for firmware updates quarterly, verify your admin credentials are not default, and confirm that remote management is disabled. For small businesses, consider router models from manufacturers with stronger security track records and longer firmware support windows. Enterprise-grade routers from reputable vendors generally receive security patches much faster than consumer-grade equipment. The broader lesson from this takedown is that residential proxy botnets remain a persistent infrastructure threat — when SocksEscort is gone, another service will attempt to fill the same role. Keeping your router updated and secured is the only reliable defense.
FAQs
How do I know if my router was part of the SocksEscort botnet?
Signs that your router may have been compromised include unusually slow internet speeds, unexpected spikes in data usage, difficulty logging into the admin panel, or settings that appear to have changed on their own. The FBI has published indicators of compromise for AVRecon malware. If you have a router model from Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, or Zyxel and have not updated the firmware or changed default credentials in a long time, treat it as potentially at risk and follow the fix guide above.
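The proxy behaviour described in "What happened" (the router itself originating traffic to many unrelated hosts, plus a persistent remote shell to an attacker server) leaves a footprint in flow or NetFlow-style logs from an upstream firewall. The heuristic below is an added example, not part of the article or the FBI guidance; it assumes constructed flow records in the form `src dst port bytes duration`, a hypothetical router WAN address, and thresholds chosen for illustration.

```python
# Added example: flag a SOHO router that behaves like a residential proxy.
# A home router normally originates almost no traffic of its own (DNS, NTP,
# an occasional firmware check), so flows *from the router's WAN address*
# to many distinct public hosts, or one very long-lived session, are worth
# a closer look. Thresholds and addresses here are assumptions.
from ipaddress import ip_address, ip_network

ROUTER_WAN_IP = "203.0.113.7"  # hypothetical router public address

# RFC 1918 ranges checked explicitly: ipaddress.is_private also treats the
# documentation ranges used in this sample (192.0.2.x etc.) as private.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: three benign router flows (DNS, NTP, update check),
# then the proxy pattern (router reaching many unrelated hosts) and one
# day-long session that resembles a remote shell.
SAMPLE_FLOWS = """\
203.0.113.7 198.51.100.53 53 120 0.2
203.0.113.7 198.51.100.123 123 96 0.1
203.0.113.7 198.51.100.10 443 4200 3.0
203.0.113.7 192.0.2.21 443 18000 25
203.0.113.7 192.0.2.88 443 9100 12
203.0.113.7 192.0.2.140 80 3000 4
203.0.113.7 192.0.2.175 443 22000 30
203.0.113.7 192.0.2.201 443 5000 9
203.0.113.7 192.0.2.33 8080 7700 15
203.0.113.7 192.0.2.99 443 640 86400
"""

def parse_flows(text):
    """Parse 'src dst port bytes duration_s' lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes, dur = line.split()
        flows.append((src, dst, int(port), int(nbytes), float(dur)))
    return flows

def router_proxy_indicators(flows, router_ip, max_dests=5, long_session_s=3600):
    """Return human-readable findings for flows originated by router_ip."""
    dests, long_sessions = set(), []
    for src, dst, port, _nbytes, dur in flows:
        if src != router_ip or any(ip_address(dst) in n for n in LAN_NETS):
            continue  # only the router's own outbound flows to public hosts
        dests.add(dst)
        if dur >= long_session_s:
            long_sessions.append((dst, port, dur))
    findings = []
    if len(dests) > max_dests:
        findings.append(f"router originated flows to {len(dests)} distinct public hosts")
    for dst, port, dur in long_sessions:
        findings.append(f"long-lived router session to {dst}:{port} ({dur:.0f}s)")
    return findings
```

On a real network, feed the function the router's WAN address and the firewall's flow export for a day; an empty result for the router's own IP is the expected baseline, so any finding is a prompt to factory reset, update and re-credential the device.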
The botnet has been taken down — does that mean I am safe now?
The SocksEscort service has been dismantled and infected routers have been disconnected from it. However, the AVRecon malware itself may still be present on your router and could be reactivated by a different criminal operation. Updating your firmware, changing credentials, and performing a factory reset are still important steps even after the takedown.
Why do criminals want access to my home router specifically?
Your home router has a residential IP address — one that belongs to a real household rather than a data center or VPN service. Banks, fraud detection systems, and security tools are far more likely to flag traffic coming from data center IPs than from residential ones. By routing criminal traffic through your compromised router, attackers make their fraud look like it is coming from an ordinary household, bypassing many fraud detection systems entirely.