Close Menu
    What's Hot

    OpenAI’s first device could be a screenless smart speaker. It has plenty of competition

    Russia Targets Critical Ukrainian Infrastructure in the Black Sea

    A British diplomat with a diplomatic answer – Live Updates

    Facebook X (Twitter) Instagram
    Trending
    • OpenAI’s first device could be a screenless smart speaker. It has plenty of competition
    • Russia Targets Critical Ukrainian Infrastructure in the Black Sea
    • A British diplomat with a diplomatic answer – Live Updates
    • U.S. Military Forces Again Blockade Iranian Ports
    • U.S. and Iran Trade Strikes With No Sign of Backing Down
    • Gathering of Latino-American politicians shows little love for Argentina – Live Updates
    • Billboard in Iran’s Capital Depicts Trump in a Coffin
    • Tesla driver in fatal Texas crash pressed accelerator 100%, NTSB confirms
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries

    adminBy adminMarch 13, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries

    A court-authorized international law enforcement operation has dismantled a criminal proxy service named SocksEscort that enslaved thousands of residential routers worldwide into a botnet for committing large-scale fraud.

    “SocksEscort infected home and small business internet routers with malware,” the U.S. Department of Justice (DoJ) said. “The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers.”

    SocksEscort (“socksescort[.]com”) is said to have offered to sell access to about 369,000 different IP addresses in 163 countries since the summer of 2020, with the service listing nearly 8,000 infected routers as of February 2026. Of these, 2,500 were located in the U.S.

    As of December 2025, SocksEscort’s website claimed to offer “static residential IPs with unlimited bandwidth” and that they can bypass spam blocklists. It advertised over 35,900 proxies from 102 countries, with a set of 30 proxies costing $15 per month. A package for 5,000 proxies costed $200 a month.

    Cybersecurity

    The end goal of services like SocksEscort is to enable paying customers to tunnel internet traffic through compromised devices without the victim’s knowledge, offering them a way to blend in and make it harder to differentiate malicious traffic from legitimate activity by concealing their true IP addresses and locations.

    Some of the victims who were defrauded as part of schemes carried out using SocksEscort included a customer of a cryptocurrency exchange who lived in New York and was defrauded of $1 million worth of cryptocurrency; a manufacturing business in Pennsylvania that was defrauded of $700,000; and current and former U.S. service members with MILITARY STAR cards who were defrauded out of $100,000.

    In a coordinated announcement, Europol said the effort, codenamed Operation Lightning, involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the U.S. The disruption exercise has resulted in the takedown of 34 domains and 23 servers located in seven countries. A total of $3.5 million in cryptocurrency has been frozen. 

    “These devices, primarily residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM),” Europol said. “The compromised devices were infected through a vulnerability in the residential modems of a specific brand.”

    “To get access to the proxy service, customers had to use a payment platform that made it possible to anonymously purchase the service using cryptocurrency. It is estimated that this payment platform received more than EUR 5 million from proxy service customers.”

    SocksEscort was powered by a malware known as AVrecon, details of which were publicly documented by Lumen Black Lotus Labs in July 2023. However, it’s assessed to be active since at least May 2021. The proxy service is estimated to have victimized 280,000 distinct IP addresses beginning in early 2025.

    In addition to turning an infected device into a SocksEscort residential proxy, AVrecon is equipped to establish a remote shell to an attacker-controlled server and act as a loader by downloading and executing arbitrary payloads. The malware targets approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel.

    Cybersecurity

    “The vast majority of observed devices infected with AVrecon malware are small-office/home-office (SOHO) routers infected using critical vulnerabilities such as Remote Code Execution (RCE) and command injection,” the U.S. Federal Bureau of Investigation said in an alert. “AVrecon malware is written in the C language and primarily targets MIPS and ARM devices.”

    To achieve persistence, the threat actors have been observed using the device’s built-in update mechanism to flash a custom firmware image containing a copy of AVrecon, which is hard-coded to execute it on device startup. The modified firmware also disables the device’s update and flashing features, thereby causing the devices to be permanently infected.

    “This botnet posed a significant threat, as it was marketed exclusively to criminals and composed solely of compromised edge devices,” the Black Lotus Labs team said. “Over the past several years, SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).”

    authorities Botnet countries Disrupt exploiting IPs Proxy SocksEscort
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleMomentum wins News24’s Medical Scheme of the Year – again
    Next Article Wonderful raises $150M Series B at $2B valuation
    admin
    • Website

    Related Posts

    TuxBot v3 Evolution Shows Signs of LLM-Assisted IoT Botnet Development

    July 15, 2026

    OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps

    July 15, 2026

    SASE Has An AI Blind Spot. Inspecting Packets Is No Longer Enough.

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    OpenAI’s first device could be a screenless smart speaker. It has plenty of competition

    Russia Targets Critical Ukrainian Infrastructure in the Black Sea

    A British diplomat with a diplomatic answer – Live Updates

    U.S. Military Forces Again Blockade Iranian Ports

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by