Authorities dismantle SocksEscort proxy network behind millions in fraud

SocksEscort, a residential proxy network used to exploit thousands of compromised home routers worldwide and facilitate large-scale fraud that cost victims millions of dollars, has been disrupted in an international law enforcement operation led by the U.S. Department of Justice.

The domain seizure notice

Law enforcement agencies seized 34 domains and 23 servers located in seven countries during the operation, Europol said. U.S. authorities also froze about $3.5 million in cryptocurrency linked to the network.

The infected routers used to provide the proxy service have been disconnected, and officials plan to notify affected countries about the compromised devices to support further investigations.

Investigators say SocksEscort infected home and small business routers with malware that routed internet traffic through the compromised devices and sold that access to customers. Cybercriminals then used the proxy access to conceal their true IP addresses and locations, enabling fraud schemes such as takeovers of U.S. bank and cryptocurrency accounts and fraudulent unemployment insurance claims.

One victim, a New York resident who used a cryptocurrency exchange, lost about $1 million in cryptocurrency to the scheme.

Since the summer of 2020, SocksEscort has offered access to about 369,000 different IP addresses, and by February 2026 the service listed about 8,000 infected routers available to customers, including 2,500 located in the United States, according to the U.S. Department of Justice.

“Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection. By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale,” noted Catherine De Bolle, Executive Director of Europol.

Researchers from Black Lotus Labs and the Shadowserver Foundation assisted with the investigation.