Key Highlights
- Europol and the U.S. Department of Justice froze $3.5M in crypto linked to the SocksEscort network.
- Malware-infected routers and IoT devices were used to provide anonymous proxy access for cybercrime.
- Authorities seized domains, servers, and wallets in a coordinated international crackdown.
Law enforcement agencies in the United States and Europe have disrupted a large cybercrime operation known as “SocksEscort,” freezing approximately $3.5 million in cryptocurrency tied to the network.
According to an official release, the action involved coordination between Europol and the United States Department of Justice (DOJ), along with authorities in multiple countries.
Officials said the service sold access to a vast pool of internet proxies created by compromising home routers and connected devices.
Malware-infected devices used as cover
Investigators estimate the network infected more than 369,000 routers and Internet-of-Things devices across 163 countries.
By routing internet traffic through these compromised machines, users could conceal their true locations and identities, a capability frequently used in online fraud and cyberattacks. Authorities said the operation provided tens of thousands of proxy endpoints over several years.
Domains, servers, and crypto funds seized
During the March 11 crackdown, dubbed Operation Lightning, law enforcement seized key infrastructure supporting the service.
According to Europol:
- 34 internet domains were taken down
- 23 servers across seven countries were seized
- Cryptocurrency wallets linked to the operation were frozen
Investigators also identified a payment platform associated with the network that allegedly received more than $5.7 million in crypto.
Links to fraud, ransomware, and other crimes
Officials said the proxy network enabled a wide range of illegal activities by obscuring perpetrators’ digital footprints.
These reportedly included ransomware attacks, distributed denial-of-service (DDoS) campaigns, account takeovers, and the distribution of illegal material. The investigation was conducted through Europol’s Joint Cybercrime Action Taskforce, which coordinates cross-border operations against major cyber threats.
U.S. authorities cite financial losses
In a separate announcement, prosecutors in the Eastern District of California described how criminals allegedly used SocksEscort proxies to conduct financial fraud.
The U.S. Attorney’s Office for the Eastern District of California said the application listed roughly 8,000 infected routers as of early 2026, including about 2,500 located in the United States.
Reported victim losses included:
- A crypto exchange customer in New York allegedly defrauded of $1 million
- A Pennsylvania manufacturer said to have lost $700,000
- Military personnel reportedly losing about $100,000
Authorities said proxy access helped attackers bypass security checks designed to detect suspicious login locations. The case highlights how compromised everyday devices can be repurposed into infrastructure for global cybercrime.
Also Read: U.S. Cracks Down on Crypto-Fueled Revenue Stream of DPRK Hackers