Europol and DOJ Freeze $3.4–$3.5M, Dismantle SocksEscort Proxy Network That Compromised 369,000 Devices

13 March, 2026 · Crime · 13 sources

Key Takeaways

  • U.S. and European authorities dismantled a global malicious proxy network used for cybercrime
  • Network had at least 369,000 compromised routers and IoT devices across 163 countries
  • Authorities froze about $3.5 million in cryptocurrency and seized dozens of domains and servers

Operation Lightning takedown

On March 11, 2026, law enforcement agencies led by Europol and the U.S. Department of Justice executed a coordinated takedown — described by Europol as “Operation Lightning” — that dismantled the SocksEscort malicious proxy service and froze roughly $3.5 million in cryptocurrency tied to the operation.

Europol framed the action as an international disruption of a global cybercrime infrastructure, and U.S. authorities highlighted the criminal uses the service enabled.

The seizure and freezing actions were announced alongside the shutdown of domains and servers used to run the service.

Scale of compromise

Authorities said the SocksEscort platform had offered criminal customers access to a massive pool of compromised home and small-business devices: courts and investigators describe roughly 369,000 IP addresses marketed since mid-2020, more than 35,000 proxy endpoints advertised over recent years, and an application that still listed about 8,000 actively infected routers as of February 2026 — approximately 2,500 of which were located in the United States.

Europol and U.S. prosecutors emphasized the global reach across 163 countries.

Malware and botnet details

Multiple outlets and forensic teams point to AVRecon or similar Linux router malware as the tool that turned residential and SOHO routers into proxy nodes, but sources differ on the malware’s earliest activity window. Lumen/Black Lotus Labs tracked persistent weekly averages of infected devices and assisted the DOJ, while some reporting dates AVRecon activity to mid-2021 and other accounts suggest infections as early as 2019.

The joint investigation led to the disconnection of infected routers and the identification of command-and-control infrastructure.

Criminal uses and victims

Prosecutors and law enforcement described a wide range of criminal uses for the compromised proxies: the service was alleged to have enabled bank and cryptocurrency account takeovers, fraudulent unemployment claims, ransomware and DDoS operations, and even the distribution of child sexual abuse material.

Authorities cited several concrete losses tied to the infrastructure — including a New York crypto exchange customer who lost about $1 million, a Pennsylvania manufacturer allegedly defrauded of $700,000, and roughly $100,000 lost by current and former U.S. service members — to illustrate the real-world financial harm facilitated by the proxy network.

Seizures, coordination, discrepancies

Investigators reported seizure and disruption results but some details in public reporting vary.

Europol and several outlets said law enforcement seized 34 domains and 23 servers across seven countries and that U.S. authorities froze about $3.5 million in cryptocurrency, while other local reporting cited different server counts (for example, one outlet wrote that investigators seized 24 servers, 10 of them in France).

Europol and Eurojust coordinated the cross-border operation with national partners in countries including France, Austria, the Netherlands and the United States, and authorities said they planned to notify affected countries and disconnect compromised devices as part of follow-up investigations.

Investigators also flagged the platform’s payments history: the payment platform tied to SocksEscort reportedly received more than €5 million (about $5.7 million) from users, money that investigators traced and froze in part.
