An international collaboration led by the U.S. Justice Department has successfully dismantled a vast residential proxy network known as SocksEscort. This network was exploited by cybercriminals to disguise their identities and conduct widespread financial fraud, impacting thousands of individuals and businesses worldwide.
Operation and Impact of SocksEscort
The SocksEscort network was built by infecting vulnerable internet routers with malware, turning them into nodes of a large proxy infrastructure. Operators then sold access to these compromised routers, enabling cybercriminals to obscure their true locations and identities. Because residential IP addresses are generally trusted, routing traffic through them helped customers evade security measures and geographic restrictions.
Since its inception in 2020, SocksEscort had expanded to offer access to nearly 369,000 unique IP addresses. In February 2026 alone, approximately 8,000 infected routers were available for sale, with around 2,500 located in the United States. The anonymity provided by the network enabled significant cybercrimes, including bank fraud, unemployment insurance scams, and cryptocurrency theft, resulting in financial losses in the millions.
Notable Cybercrime Cases
Several high-profile incidents were linked to the SocksEscort network. These include a New York resident losing $1 million due to a cryptocurrency account takeover, a Pennsylvania manufacturing company defrauded of $700,000, and U.S. military personnel losing $100,000 from compromised military cards. These cases highlight the severe impact of the proxy network on both individuals and organizations.
Global Takedown Operation
The dismantling of the SocksEscort network was a coordinated effort involving numerous international partners. The U.S. government seized relevant domains, while law enforcement agencies in Austria, France, and the Netherlands dismantled the supporting server infrastructure. The FBI, IRS Criminal Investigation, and the Department of Defense led the investigation, with support from Europol, Eurojust, and authorities in Germany, Bulgaria, Hungary, and Romania.
Private sector contributions from Lumen’s Black Lotus Labs and the Shadowserver Foundation were instrumental, providing key threat intelligence. Experts recommend several measures to prevent future exploitation of networks, such as updating router firmware, using strong passwords, disabling remote management on routers, and monitoring network traffic for irregular activity.
This successful operation underscores the importance of global cooperation in combating cybercrime and protecting digital infrastructure. Continued vigilance and proactive security measures are essential to prevent similar threats in the future.
