TLDR
- Authorities dismantle SocksEscort, seizing 34 domains and 23 servers worldwide.
- Over 369,000 routers in 163 countries were infected by the criminal network.
- $3.5M in crypto frozen as cybercriminal IP masking operation ends.
- Malware AVRecon powered SocksEscort, enabling fraud, ransomware, and DDoS attacks.
- Global effort highlights international collaboration against cybercrime networks.
Europol and U.S. authorities disrupted a global criminal network that used infected routers to mask IP addresses. The takedown targeted the SocksEscort proxy service, which compromised over 369,000 devices in 163 countries. The operation seized domains and servers and froze $3.5 million in cryptocurrency, ending widespread criminal IP masking.
Law enforcement disconnected infected modems, effectively shutting down the service. The affected routers will be reported to their respective countries for further action. The coordinated effort marks a significant international achievement against cybercrime networks.
SocksEscort allowed criminals to hide locations while committing fraud, ransomware, and other digital crimes. The service offered over 35,000 proxies to customers who paid for illegal access. Authorities say criminal IP masking through this network facilitated large-scale attacks and financial theft.
Global Scope of Criminal IP Masking Revealed
Investigators traced SocksEscort activity across 163 countries, affecting both home and small business routers. The malware routed internet traffic through infected devices, masking the original IP addresses. Law enforcement identified thousands of U.S. and U.K.-based victims, highlighting the network’s global reach.
Cybercriminals used the network to access bank and cryptocurrency accounts and to file fraudulent claims. Authorities confirmed that one U.S. victim lost approximately $1 million in cryptocurrency due to these attacks. The criminal IP masking operation reportedly began in 2020 and expanded rapidly.
By February 2026, SocksEscort offered 8,000 infected routers, including 2,500 in the United States. Black Lotus Labs tracked the botnet, identifying malware called AVRecon powering the network. This criminal IP masking service posed a high threat to digital security worldwide.
Law Enforcement Takedown and Ongoing Investigations
Europol and DOJ led a coordinated operation, seizing 34 domains and 23 servers across seven countries. U.S. authorities froze $3.5 million in cryptocurrency connected to SocksEscort transactions. The infected devices were disconnected, removing the criminal IP masking infrastructure from active use.
Authorities are notifying affected countries to support ongoing investigations and potential legal actions. The operation demonstrates the effectiveness of international collaboration in dismantling cybercrime networks. Criminal IP masking using compromised routers will now be significantly disrupted, limiting future attacks.
SocksEscort primarily targeted small-office and home-office routers, allowing criminals to conduct highly targeted fraud schemes. Law enforcement confirmed that the proxy service enabled ransomware distribution, DDoS attacks, and illegal content sharing. The shutdown of SocksEscort ends one of the largest criminal IP masking operations in recent history.





