US disrupts SocksEscort proxy network powered by Linux malware
2026-3-12 16:30:19 Author: www.bleepingcomputer.com


Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network that relied solely on edge devices compromised via the AVRecon malware for Linux.

According to Lumen’s Black Lotus Labs (BLL), which helped the U.S. Department of Justice take down SocksEscort, the proxy network had a constant average of 20,000 infected devices every week for the past few years.

SocksEscort was first documented by BLL researchers in 2023 and functioned for more than a decade by offering cybercriminals traffic routing services through residential or small business devices.

The service advertised access to “clean” IP addresses from major ISPs - such as Comcast, Spectrum, Spectrum Business, Verizon, and Charter - that could pass multiple blocklists.

"Since the summer of 2020, SocksEscort has offered to sell access to about 369,000 different IP addresses," the U.S. Department of Justice says in a press release today.

"As of February 2026, the SocksEscort application listed approximately 8,000 infected routers to which its customers could buy access; of those, 2,500 were in the United States."

The DOJ says that the SocksEscort service was used in the theft of $1 million worth of cryptocurrency from a user in New York, enabled losses of $700,000 from defrauding a Pennsylvania-based manufacturing business, and caused $100,000 in damages in a fraud impacting current and former United States service members with MILITARY STAR cards.

In Europe, authorities in Austria, France, and the Netherlands took down multiple SocksEscort servers under the coordination of Europol.

"During the action day, law enforcement agencies successfully took down and seized 34 domains as well as 23 servers located in seven countries," Europol says. The U.S. also froze $3.5 million in cryptocurrency.

Currently, all infected devices used in the SocksEscort proxy network have been disconnected from the service.

According to the Lumen researchers, SocksEscort was powered by the AVRecon malware, which is believed to have been active since at least May 2021 and infected over 70,000 Linux-based small office/home office (SOHO) routers by mid-2023.

Lumen researchers disrupted the AVRecon router botnet in 2023 by null-routing the command-and-control (C2) infrastructure across its network, cutting infected devices off from their operators.

This severed communications with the botnet’s proxy servers and control nodes, effectively rendering the network inert within Lumen’s infrastructure.

However, this disruption had only a limited effect, and over time the operators of SocksEscort returned to regular operations, routing communications through 15 command-and-control (C2) nodes.

Number of SocksEscort victims over time
Source: Black Lotus Labs

A Lumen spokesperson told BleepingComputer that SocksEscort used only the AVRecon malware to add new nodes. Since the beginning of 2025, the company has seen 280,000 unique victim IP addresses.

The researchers believe that the AVRecon malware was used only for growing SocksEscort, as observed victim IPs were not seen in other botnets or services. Also, despite the significant size of the operation, the operators managed to keep the C2 infrastructure undetected.

Over half of the infected devices were located in the United States and the United Kingdom, according to the researchers, which makes these proxies well suited to routing malicious traffic and evading blocklists.

The botnet's victim locations
Source: Black Lotus Labs

Earlier this week, Black Lotus Labs revealed another proxying botnet, called KadNap, that primarily targets ASUS routers and other edge networking devices.

Since August 2025, the botnet has infected 14,000 devices, using a novel but flawed communication and peer discovery mechanism based on the Kademlia Distributed Hash Table (DHT) protocol.

Lumen took limited action against that botnet by blocking all network traffic to and from its C2 infrastructure on the Lumen network, preventing infected devices from communicating with the botnet controllers.

To minimize the likelihood of router compromise, replace models that have reached end-of-life, apply the latest available firmware updates, change the default administrator password, and disable remote access panels if not needed.



Article source: https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-proxy-network-powered-by-linux-malware/