SocksEscort Proxy Network Disrupted by Law Enforcement
Summary
Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business. The network offered access to about 369,000 different IP addresses in 163 countries since summer 2020, with the service listing nearly 8,000 infected routers as of February 2026. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.
Timeline
- 12.03.2026 18:19 (3 articles)
Law Enforcement Disrupts SocksEscort Proxy Network
Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. The network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The AVRecon malware, which powered SocksEscort, was believed to have been active since at least May 2021 and infected over 70,000 Linux-based SOHO routers by mid-2023. Despite previous disruptions, the operators of SocksEscort returned to regular operations, routing communications through 15 command-and-control nodes (C2s). SocksEscort offered access to about 369,000 different IP addresses in 163 countries since summer 2020. As of December 2025, SocksEscort's website claimed to offer 'static residential IPs with unlimited bandwidth' and advertised over 35,900 proxies from 102 countries. The compromised devices were infected through a vulnerability in the residential modems of a specific brand. International law enforcement partners executed Operation Lightning to dismantle the SocksEscort proxy service, which compromised over 360,000 routers and IoT devices in 163 countries since 2020. The operation involved seizing 34 domains and 23 servers in seven countries, freezing $3.5 million in cryptocurrency, and disconnecting all infected devices. The malware enabled various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The payment platform for SocksEscort received almost $6 million from proxy service customers.
Sources:
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
- Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
Information Snippets
- SocksEscort was first documented by Lumen’s Black Lotus Labs (BLL) in 2023 and had been operational for over a decade.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- The network offered access to 'clean' IP addresses from major ISPs such as Comcast, Spectrum, Verizon, and Charter.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- SocksEscort advertised access to about 369,000 different IP addresses since summer 2020.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- As of February 2026, the SocksEscort application listed approximately 8,000 infected routers, with 2,500 in the United States.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- The service was used in the theft of $1 million in cryptocurrency, $700,000 in losses from a Pennsylvania-based manufacturing business, and $100,000 in damages impacting U.S. service members.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- European authorities in Austria, France, and the Netherlands took down multiple SocksEscort servers under the coordination of Europol.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- Law enforcement seized 34 domains and 23 servers located in seven countries, and the U.S. froze $3.5 million in cryptocurrency.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- All infected devices used in the SocksEscort proxy network have been disconnected from the service.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- The AVRecon malware, believed to have been active since at least May 2021, infected over 70,000 Linux-based SOHO routers by mid-2023.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- Lumen researchers disrupted the AVRecon router botnet in 2023 by null-routing the command-and-control (C2) infrastructure.
  First reported: 12.03.2026 18:19 (3 sources, 3 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- SocksEscort used only the AVRecon malware to add new nodes, with 280,000 unique victim IP addresses observed since the beginning of 2025.
  First reported: 12.03.2026 18:19 (2 sources, 2 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
- Over half of the infected devices were located in the United States and the United Kingdom.
  First reported: 12.03.2026 18:19 (2 sources, 2 articles). Sources:
  - US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- SocksEscort offered access to about 369,000 different IP addresses in 163 countries since summer 2020.
  First reported: 13.03.2026 07:26 (2 sources, 2 articles). Sources:
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- As of December 2025, SocksEscort's website claimed to offer 'static residential IPs with unlimited bandwidth' and advertised over 35,900 proxies from 102 countries.
  First reported: 13.03.2026 07:26 (2 sources, 2 articles). Sources:
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- The compromised devices were infected through a vulnerability in the residential modems of a specific brand.
  First reported: 13.03.2026 07:26 (2 sources, 2 articles). Sources:
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- The payment platform for SocksEscort received more than EUR 5 million from proxy service customers.
  First reported: 13.03.2026 07:26 (1 source, 1 article). Sources:
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
- AVRecon malware targets approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel.
  First reported: 13.03.2026 07:26 (1 source, 1 article). Sources:
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
- AVRecon malware is written in the C language and primarily targets MIPS and ARM devices.
  First reported: 13.03.2026 07:26 (1 source, 1 article). Sources:
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
- The threat actors used the device's built-in update mechanism to flash a custom firmware image containing a copy of AVRecon.
  First reported: 13.03.2026 07:26 (1 source, 1 article). Sources:
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
- The modified firmware disables the device's update and flashing features, causing the devices to be permanently infected.
  First reported: 13.03.2026 07:26 (1 source, 1 article). Sources:
  - Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26
- SocksEscort compromised over 360,000 routers and IoT devices in 163 countries since 2020.
  First reported: 13.03.2026 12:00 (1 source, 1 article). Sources:
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- SocksEscort offered over 35,000 proxies in recent years.
  First reported: 13.03.2026 12:00 (1 source, 1 article). Sources:
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- As of February 2026, the SocksEscort application listed approximately 8,000 infected routers, with 2,500 in the United States.
  First reported: 13.03.2026 12:00 (1 source, 1 article). Sources:
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- The malware allowed SocksEscort to direct internet traffic through the infected routers, which belonged to both businesses and individuals globally.
  First reported: 13.03.2026 12:00 (1 source, 1 article). Sources:
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- SocksEscort enabled other criminal activities, including ransomware, distributed denial-of-service (DDoS) attacks, and the distribution of child sexual abuse material (CSAM).
  First reported: 13.03.2026 12:00 (1 source, 1 article). Sources:
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- The payment platform for SocksEscort received almost $6 million from proxy service customers.
  First reported: 13.03.2026 12:00 (1 source, 1 article). Sources:
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- Law enforcement agencies involved in Operation Lightning included those from the US, Austria, France, and the Netherlands.
  First reported: 13.03.2026 12:00 (1 source, 1 article). Sources:
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- The European Union Agency for Criminal Justice, Eurojust, was also involved.
  First reported: 13.03.2026 12:00 (1 source, 1 article). Sources:
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- Lumen Technologies' Black Lotus Labs and the Shadowserver Foundation both provided assistance during the investigation and operation.
  First reported: 13.03.2026 12:00 (1 source, 1 article). Sources:
  - Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
Similar Happenings
Europol Disrupts $55m in Cryptocurrency Linked to Online Piracy
A coordinated operation led by Europol, the European Union Intellectual Property Office, and Spain’s National Police targeted online intellectual property violations. The operation identified 69 sites, traced $55m in cryptocurrency flows, and disrupted 25 illicit IPTV services by collaborating with crypto service providers. The initiative also emphasized the growing use of cryptocurrency by criminals and the importance of international cooperation in combating digital piracy.
International Law Enforcement Disrupts Rhadamanthys, VenomRAT, and Elysium Malware Operations
Law enforcement agencies from 11 countries, coordinated by Europol and Eurojust, disrupted operations of Rhadamanthys infostealer, VenomRAT, and Elysium botnet malware as part of Operation Endgame 3.0. The action, which occurred between November 10 and 13, 2025, involved seizing over 1,000 servers and 20 domains, arresting a key suspect in Greece, and uncovering millions of stolen credentials. The operation also involved multiple private cybersecurity partners. The dismantled infrastructure included hundreds of thousands of infected computers, with the main suspect behind Rhadamanthys having access to over 100,000 crypto wallets worth millions of euros. Victims were often unaware of their systems' infections. The latest version of Rhadamanthys added support for collecting device and web browser fingerprints, along with incorporating several mechanisms to fly under the radar. Additionally, the Dutch police seized around 250 physical servers and thousands of virtual servers used by a bulletproof hosting service, which has been involved in over 80 cybercrime investigations since 2022. The seized servers were located in data centers in The Hague and Zoetermeer.
International Law Enforcement Dismantles Credit Card Fraud Networks
International authorities have dismantled three large-scale credit card fraud and money laundering networks in Operation Chargeback. The operation targeted 44 suspects, including American, Austrian, Canadian, Danish, Dutch, German, and Lithuanian nationals, and resulted in the arrest of 18 individuals. The fraud networks affected over 4.3 million cardholders across 193 countries, causing losses exceeding €300 million. The operation involved over 60 searches and the execution of 18 arrest warrants. The fraudsters created over 19 million fake online subscriptions for services like pornography, dating, and streaming. They disguised monthly charges of about €50 to avoid detection. The operation was led by the Cybercrime Department of the General Prosecutor’s Office in Koblenz and the German Federal Criminal Police Office, supported by Europol and Eurojust. Authorities seized assets worth over €35 million, including luxury vehicles, cryptocurrency, and electronic devices. The suspects face accusations of organized computer fraud, membership in a criminal group, and money laundering. The fraudsters abused four major German payment service providers to launder proceeds, with six employees allegedly helping the fraudsters in exchange for fees. The suspects concealed their activities through numerous shell companies obtained through crime-as-a-service providers, primarily registered in the UK and Cyprus. The estimated attempted damages from the fraud schemes surpass €750 million (~$865 million).
Large-scale Africa-wide cybercrime crackdown arrests over 1,200 suspects
Operation Serengeti 2.0, an INTERPOL-led international operation, resulted in the arrest of 1,209 cybercriminals across Africa. The operation targeted cross-border cybercrime gangs involved in ransomware, online scams, and business email compromise (BEC). The operation, conducted from June to August 2025, involved law enforcement from 18 African countries and the UK. Authorities seized $97.4 million and dismantled 11,432 malicious infrastructures linked to attacks on 88,000 victims worldwide. Following this, Operation Sentinel, conducted between October 27 and November 27, 2025, led to the arrest of 574 individuals and the recovery of $3 million linked to business email compromise, extortion, and ransomware incidents. The operation took down more than 6,000 malicious links and decrypted six distinct ransomware variants. The cybercrime cases investigated are connected to more than $21 million in financial losses. Most recently, Operation Red Card 2.0, conducted between December 8, 2025, and January 30, 2026, resulted in the arrest of 651 suspects and the recovery of over $4.3 million. The operation targeted investment fraud, mobile money scams, and fake loan applications, identifying 1,247 victims and seizing 2,341 devices and 1,442 malicious websites, domains, and servers. The operation involved law enforcement agencies from 16 African countries: Angola, Benin, Cameroon, Côte d'Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia, and Zimbabwe. The operations were supported by data from private sector partners, including Cybercrime Atlas, Fortinet, Group-IB, Kaspersky, The Shadowserver Foundation, Team Cymru, Trend Micro, TRM Labs, and Uppsala Security. Cybercrime now accounts for 30% of all reported crime in Western and Eastern Africa and is increasing rapidly elsewhere on the continent. 
Interpol's 2025 Africa Cyberthreat Assessment Report noted that two-thirds of African member countries claim cyber-related offenses now account for a 'medium-to-high' (i.e., 10-30% or 30%+) share of all crimes. Interpol director of cybercrime, Neal Jetton, warned that the scale and sophistication of cyber-attacks across Africa are accelerating, especially against critical sectors like finance and energy. Additionally, Operation Synergia III, conducted between July 2025 and January 2026, involved authorities from 72 countries. The operation resulted in 94 arrests and 110 suspects under investigation. Police in Togo arrested 10 suspects operating a fraud ring involving social media hacking, romance scams, and sextortion. Bangladeshi police arrested 40 suspects and seized 134 electronic devices related to loan scams, job scams, identity theft, and credit card fraud. Chinese investigators in Macau identified over 33,000 phishing and fraudulent websites impersonating casinos, banks, government sites, and payment services.
UNC5518 Access-as-a-Service Campaign via ClickFix and Fake CAPTCHA Pages
Microsoft and Malwarebytes have disclosed a **DNS-based ClickFix variant** that marks the first documented use of the `nslookup` command to stage and deliver malicious payloads. This technique abuses DNS queries to retrieve a PowerShell script embedded in the `NAME:` field of a DNS response from an attacker-controlled server (**84[.]21.189[.]20**), which then deploys **ModeloRAT** via a Python runtime and VBScript persistence mechanism. The attack chain begins with fake CAPTCHA lures, followed by social engineering tactics (e.g., fake system alerts, browser crashes, or instructional videos) to coerce victims into executing the `nslookup` command, which downloads a ZIP archive containing the final payload. This evolution builds on earlier ClickFix tactics, including **ConsentFix** (Azure CLI OAuth abuse), **CrashFix** (malicious Chrome extensions triggering browser crashes), and **SyncAppvPublishingServer.vbs** (Google Calendar dead drops). The latest DNS-based approach demonstrates the campaign’s adaptability, leveraging **trusted native tools** (`nslookup`), **DNS as a C2 channel**, and **psychological manipulation** (urgency tactics) to bypass security controls. Concurrently, ClickFix campaigns continue to expand with **cross-platform targeting** (Windows/Linux/macOS), **AI platform abuse** (ChatGPT, Grok, Claude), and **weaponized SaaS infrastructure** (Google Groups, Pastebin) to distribute payloads like **Lumma Stealer** and **Odyssey Stealer**. The integration of **DNS staging**, **browser-native execution**, and **multi-stage loaders** underscores the campaign’s resilience despite 2025 law enforcement disruptions, with actors refining tradecraft to maximize evasion via **social engineering**, **steganography**, and **legitimate service abuse**.