US and European authorities disrupt SocksEscort proxy service tied to AVrecon botnet

Authorities in the US and Europe disrupted the SocksEscort proxy service, which used the AVrecon botnet and infected about 360,000 devices since 2020.

Law enforcement agencies in the US and Europe have disrupted SocksEscort, a malicious proxy service powered by the AVrecon botnet. Active since 2020, the service hijacked roughly 360,000 devices and allowed cybercriminals to route traffic through compromised systems to support illegal activities.

On March 11, 2026, Europol and partners from the US and several European countries launched Operation Lightning against SocksEscort. The service had compromised more than 369,000 routers and IoT devices across 163 countries, providing over 35,000 proxies to customers. Authorities seized 34 domains and 23 servers in seven countries and froze $3.5 million in cryptocurrency while disconnecting infected devices from the network.

An investigation led by Europol found a botnet of infected devices, mainly residential routers exploited through vulnerabilities. The network supported cybercrime activities such as ransomware operations, DDoS attacks, and the distribution of child sexual abuse material.

“The compromised devices were infected through a vulnerability in the residential modems of a specific brand. Customers of the criminal service paid for licences to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities.” reads the press release published by Europol. “To protect against such exploits, users, and vendors are advised to update the firmware of their devices regularly.”

The SocksEscort platform sold access to compromised IP addresses from infected routers and modems worldwide, allowing criminals to hide their identity online. Victims were unaware their devices were abused for illicit activity. According to Europol, customers paid anonymously with cryptocurrency, generating over €5 million in revenue.

“Cybercrime thrives on anonymity. Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection. By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale.” said Catherine De Bolle, the Europol Executive Director. “Operations like this show that when investigators connect the dots internationally, the infrastructure behind cybercrime can be exposed and shut down.”

The US DoJ also wrote that crooks used the SocksEscort network to hide their real IP addresses and locations while carrying out fraud, including bank and cryptocurrency account takeovers and fake unemployment claims in the U.S. Victims lost millions, including $1M from a crypto investor and $700K from a manufacturing firm. Authorities from Austria, France, and the Netherlands helped dismantle the infrastructure.

“According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers. Since the summer of 2020, SocksEscort has offered to sell access to about 369,000 different IP addresses.” states the DoJ. “As of February 2026, the SocksEscort application listed approximately 8,000 infected routers to which its customers could buy access, of those, 2,500 were in the United States.”

In July 2023, Lumen Black Lotus Labs uncovered a long-running hacking campaign targeting SOHO routers with a strain of malware dubbed AVrecon. The malware was spotted for the first time in May 2021, but had been operating under the radar for more than two years.

“Lumen Black Lotus Labs identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed ‘AVrecon.’” reads the analysis published by Lumen.

Threat actors behind the campaign aimed at building a botnet to use for a range of criminal activities, from password spraying to digital advertising fraud.

The AVrecon malware was written in C to ensure portability and designed to target ARM-embedded devices. The experts discovered that the malicious code had been compiled for different architectures.

Black Lotus Labs announced it had partnered with the Department of Justice in taking down the SocksEscort proxy network.

“This botnet posed a significant threat, as it was marketed exclusively to criminals and composed solely of compromised edge devices. Over the past several years, SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).” Lumen experts wrote on LinkedIn.

More than half of the victims were located in the United States and the United Kingdom, allowing attackers to conduct highly targeted operations and increasing the risks associated with the SocksEscort proxy network.

Pierluigi Paganini

(SecurityAffairs – hacking, AVrecon botnet)

Source: https://securityaffairs.com/189391/security/us-and-european-authorities-disrupt-socksescort-proxy-service-tied-to-avrecon-botnet.html