A coordinated international law enforcement operation has dismantled SocksEscort (socksescort.com), a large proxy service that routed cybercriminal traffic through thousands of compromised home and small business routers around the world.
The operation, announced by the FBI and the US Department of Justice (DOJ), resulted in the seizure of dozens of internet domains and servers, along with the freezing of millions of dollars in cryptocurrency linked to the service.
SocksEscort functioned like any other proxy service online, where customers paid to route their internet traffic through remote IP addresses. However, investigators say the infrastructure behind the service relied on malware that infected residential routers, turning them into tools for cybercrime without their owners’ knowledge.
According to the DOJ’s press release, the service deployed backdoors on routers used in homes and small businesses. Once infected, those devices could relay internet traffic on behalf of SocksEscort customers. That traffic masking allowed criminals to hide their real location and identity while carrying out financial fraud and account intrusions.
Since mid-2020, the service had advertised access to roughly 369,000 IP addresses worldwide. By February 2026, the SocksEscort application listed around 8,000 actively infected routers, with about 2,500 located in the United States.
Authorities also say access to these compromised routers was used in several fraud schemes, in which cybercriminals routed their activity through the hijacked connections to bypass fraud detection systems and disguise their origin. The method enabled attacks including bank and cryptocurrency account takeovers, as well as fraudulent unemployment insurance claims.
Worse, unsuspecting victims in the US suffered major financial losses. Authorities cited one case involving a New York cryptocurrency exchange customer who lost $1 million in digital assets, while a Pennsylvania manufacturing company was defrauded of $700,000. In another case, current and former US service members using MILITARY STAR credit cards lost roughly $100,000 through fraudulent transactions.
According to Europol’s press release, law enforcement agencies in Austria, France, and the Netherlands, led by Europol and Eurojust, played a central role in seizing servers connected to the network. Investigators also received support from cybercrime authorities in Bulgaria, Germany, Hungary, and Romania.
Cybersecurity experts say the operation highlights the growing role of compromised consumer devices in organized cybercrime. Home networking devices often run outdated software and rarely receive security monitoring, which makes them a lucrative target for attackers looking to build botnets that serve as large proxy networks.
According to Riley Kilmer, co-founder of Denver-based Spur Intelligence Corporation, the risks linked to residential proxy networks extend far beyond infected home routers. Data from Spur shows the same type of vulnerable proxy exposure appearing inside trusted environments across critical sectors.
In a Feb. 12 snapshot, the company observed active exposure across 671 government entities, 263 energy and utility organizations, and nearly 1,900 education environments, part of Spur’s broader monitoring of more than 167 million IP addresses over a 90-day period linked to vulnerable proxy services. Kilmer said the underlying reason these networks remain effective is that they are difficult to detect in normal traffic patterns.
“Residential proxies are effective because they let bad actors blend into normal internet traffic. A lot of security teams know how to look for suspicious infrastructure. It gets harder when the traffic comes through real residential connections that appear legitimate on the surface. What we’ve seen is that this issue doesn’t stop with consumer devices. The same ecosystem continues to create exposure inside enterprise and public sector environments, even after major disruption efforts,” he pointed out.
Nevertheless, with the domains seized and key infrastructure removed, authorities believe the disruption will weaken SocksEscort’s ability to operate. Investigators continue to analyze seized servers and financial records as they work to identify additional suspects and victims connected to the network.
