Authorities Dismantle Malicious Proxy Service Used to Deploy Malware Attacking Thousands of Users

March 13, 2026

An international law enforcement operation led by the U.S. Justice Department has successfully dismantled SocksEscort, a massive residential proxy network.

The malicious service compromised thousands of home and small business routers worldwide, enabling cybercriminals to mask their identities while executing large-scale financial fraud.

The coordinated takedown resulted in the seizure of dozens of U.S.-registered internet domains and the dismantling of server infrastructure across multiple countries.

How the SocksEscort Network Operated

According to unsealed court documents, the SocksEscort infrastructure relied on deploying malware directly onto vulnerable internet routers.

Once infected, these devices were quietly transformed into nodes within a massive proxy network. The operators behind SocksEscort then sold this access to other cybercriminals.

By routing their malicious traffic through compromised home and business networks, attackers could hide their true originating IP addresses and physical locations.

Because residential IP addresses generally have high trust reputations, this tactic enabled attackers to bypass standard geographic blocking and security filters easily.

The scale of the operation was extensive:

  • Since the summer of 2020, SocksEscort has offered its customers access to approximately 369,000 unique IP addresses.
  • In February 2026 alone, the platform’s application actively listed roughly 8,000 infected routers for sale.
  • Approximately 2,500 of those actively compromised devices were located within the United States.

The anonymity provided by SocksEscort fueled severe cyber-enabled crimes, including bank account takeovers, fraudulent unemployment insurance claims, and large-scale cryptocurrency theft.

The financial toll on American citizens and businesses reached into the millions.

Notable incidents linked to the proxy network include:

  • A New York resident who lost $1 million in a cryptocurrency exchange account takeover.
  • A Pennsylvania manufacturing business that was defrauded of $700,000.
  • Current and former U.S. military personnel who had $100,000 drained from their MILITARY STAR cards after the cards were compromised.

Global Coordination and Takedown

Disrupting the botnet required extensive global teamwork. The U.S. government seized related domains, while law enforcement in Austria, France, and the Netherlands took down the physical servers that supported the SocksEscort network.

The FBI Sacramento Field Office, the IRS Criminal Investigation unit, and the Department of Defense spearheaded the investigation.

It also involved heavy collaboration with Europol, Eurojust, and authorities across Germany, Bulgaria, Hungary, and Romania.

Private sector researchers from Lumen’s Black Lotus Labs and the Shadowserver Foundation provided crucial threat intelligence to support the takedown.

According to the court documents, experts recommend the following mitigation steps to keep routers and the networks behind them from being recruited into proxy botnets such as SocksEscort:

  • Regularly update router firmware to patch newly discovered vulnerabilities.
  • Change all default administrative passwords to strong, unique credentials.
  • Disable remote management interfaces on consumer routers to block external access from the public internet.
  • Monitor network traffic for unusual outbound connections or unexplained bandwidth spikes.
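The last step above is the one that catches an already-infected router: a gateway that has been turned into a proxy node starts originating its own outbound traffic to many unrelated destinations and ports, and relays customer traffic that shows up as bandwidth the household never generated. The script below is an added example, not part of the original article or any court filing, showing how a defender might run three simple rules over exported flow records. The flow format, the gateway address (192.168.1.1), the "normal" port baseline, the thresholds and every log line are constructed assumptions for the demonstration.

```python
"""Flag router-originated connections, destination fan-out and bandwidth spikes
in flow records. Added example; all data below is constructed, not real traffic."""
from collections import defaultdict
from statistics import median

# Constructed flow-export records (hypothetical format; assumption for this example).
# Fields: timestamp  src_ip  dst_ip  dst_port  proto  bytes_out
SAMPLE_FLOWS = """\
2026-02-10T01:00:05 192.168.1.1 203.0.113.5 123 udp 76
2026-02-10T01:00:09 192.168.1.1 203.0.113.80 443 tcp 3000
2026-02-10T01:00:10 192.168.1.20 198.51.100.7 443 tcp 51200
2026-02-10T02:00:12 192.168.1.1 203.0.113.5 123 udp 76
2026-02-10T02:00:13 192.168.1.1 203.0.113.80 443 tcp 3000
2026-02-10T02:00:15 192.168.1.20 198.51.100.7 443 tcp 48000
2026-02-10T03:00:01 192.168.1.1 203.0.113.5 123 udp 76
2026-02-10T03:00:02 192.168.1.1 203.0.113.80 443 tcp 3000
2026-02-10T03:00:20 192.168.1.20 198.51.100.9 443 tcp 52000
2026-02-10T04:00:02 192.168.1.1 198.51.100.44 8080 tcp 1900
2026-02-10T04:00:03 192.168.1.1 198.51.100.45 9000 tcp 2100
2026-02-10T04:00:04 192.168.1.1 198.51.100.46 5555 tcp 1800
2026-02-10T04:00:05 192.168.1.1 198.51.100.47 8443 tcp 2300
2026-02-10T04:00:06 192.168.1.1 198.51.100.48 1080 tcp 2000
2026-02-10T04:00:07 192.168.1.1 198.51.100.49 4444 tcp 2200
2026-02-10T04:00:30 192.168.1.20 198.51.100.7 443 tcp 50500
2026-02-10T05:00:01 192.168.1.1 203.0.113.5 123 udp 76
2026-02-10T05:00:09 192.168.1.1 198.51.100.50 1080 tcp 4800000
2026-02-10T05:00:40 192.168.1.20 198.51.100.7 443 tcp 49000
"""

ROUTER_IPS = {"192.168.1.1"}            # LAN address of the gateway (assumed)
ROUTER_ALLOWED_PORTS = {53, 123, 443}   # DNS, NTP, vendor update checks (assumed baseline)
MAX_DST_PER_HOUR = 3                    # distinct destinations a single host may contact per hour
SPIKE_FACTOR = 10                       # hourly bytes above factor x median hour = spike


def parse_flows(text):
    """Turn the whitespace-separated export into dicts; the hour key is the
    timestamp truncated to 'YYYY-MM-DDTHH'."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes = line.split()
        flows.append({"hour": ts[:13], "src": src, "dst": dst,
                      "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return flows


def find_router_originated(flows):
    """Rule 1: the gateway itself opening connections to ports outside its
    expected baseline. A healthy router rarely originates anything else."""
    return [f for f in flows
            if f["src"] in ROUTER_IPS and f["port"] not in ROUTER_ALLOWED_PORTS]


def find_fan_out(flows):
    """Rule 2: one source contacting many distinct destinations within an hour,
    the pattern a proxy node produces while relaying other people's traffic."""
    dsts = defaultdict(set)
    for f in flows:
        dsts[(f["src"], f["hour"])].add(f["dst"])
    return sorted((src, hour, len(d))
                  for (src, hour), d in dsts.items() if len(d) > MAX_DST_PER_HOUR)


def find_bandwidth_spikes(flows):
    """Rule 3: an hour in which a source sends more than SPIKE_FACTOR times its
    own median hourly byte count."""
    hourly = defaultdict(int)
    for f in flows:
        hourly[(f["src"], f["hour"])] += f["bytes"]
    per_src = defaultdict(list)
    for (src, _hour), b in hourly.items():
        per_src[src].append(b)
    return [(src, hour, b) for (src, hour), b in sorted(hourly.items())
            if median(per_src[src]) > 0 and b > SPIKE_FACTOR * median(per_src[src])]


def report(text):
    """Run all three rules and return their findings keyed by rule name."""
    flows = parse_flows(text)
    return {"router_originated": find_router_originated(flows),
            "fan_out": find_fan_out(flows),
            "bandwidth_spikes": find_bandwidth_spikes(flows)}


if __name__ == "__main__":
    for rule, hits in report(SAMPLE_FLOWS).items():
        print(f"{rule}: {len(hits)} finding(s)")
        for h in hits:
            print("   ", h)
```

In the constructed data the gateway's hour 04 is caught by the fan-out rule (six new destinations on non-baseline ports) while hour 05 is caught by the byte-count rule (a single long relay session). Note that rule 1 only works if flows are exported from the router itself or from a tap upstream of it; on consumer gear that cannot export flows, the practical substitute is watching the WAN-side traffic counters for the same unexplained growth.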

