Operation Lightning dismantles SocksEscort botnet that hijacked 369,000 devices worldwide

By Artem Safonov, Threat Analyst
Cover © Anonhaven

The DOJ and Europol dismantled the SocksEscort residential proxy network on March 11, 2026. Codenamed Operation Lightning, the takedown targeted a criminal service that had hijacked 369,000 routers and IoT devices across 163 countries since 2020. Authorities seized 34 domains and 23 servers in seven countries and froze $3.5 million in cryptocurrency.

AVrecon malware powered the entire SocksEscort operation. The malware turned each infected home or small-business router into a proxy node without the owner's knowledge. Customers paid anonymously with cryptocurrency and routed their traffic through compromised devices to mask their IP addresses. The FBI tied AVrecon to more than 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.

Proxy services like 'SocksEscort' provide criminals with the digital cover they need to launch attacks, distribute illegal content, and evade detection. By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale.

— Catherine De Bolle, Executive Director of Europol, said in a statement

The FBI's technical advisory described a modular toolkit inside AVrecon. The malware could update its own configuration, open a remote shell to an attacker-controlled server, and download arbitrary payloads. In some cases, the operators flashed modified firmware onto compromised routers that launched AVrecon on startup and disabled the device's built-in update mechanism. That technique made infections essentially permanent, because owners had no way to patch or reflash the device through normal means.

The C2 framework maintained a persistent heartbeat loop with infected devices. When the C2 issued a command, the router would open a tunnel to a SocksEscort relay server. The FBI said AVrecon primarily exploited SOHO routers through RCE vulnerabilities, command injection flaws, and exposed SOAP interfaces.

The DOJ tied SocksEscort to bank and cryptocurrency account takeovers across the United States. Charges also referenced fraudulent unemployment insurance claims, ransomware deployment, DDoS attacks, ad fraud, and the distribution of child sexual abuse material. A cryptocurrency exchange customer in New York lost nearly $1 million, a Pennsylvania manufacturer was defrauded of $700,000, and U.S. service members with MILITARY STAR cards lost $100,000. Europol estimated the service generated around $5.8 million (€5 million) in total revenue.

We know the customer base of SocksEscort had approximately 124,000 users. The servers we seized through our law enforcement operation will most definitely lead us to additional evidence that will allow us to pursue further criminal activity.

— Jason Bilnoski, FBI Deputy Assistant Director, told The Register

The proxy service dates back to 2009, first documented publicly as a Russian-language platform. Lumen Black Lotus Labs identified AVrecon in July 2023, calling it "one of the largest botnets targeting SOHO routers seen in recent history." The malware had been active since at least May 2021 but went undetected for years.

Black Lotus Labs recorded around 20,000 distinct victims weekly since early 2024. Infections peaked in January 2025 at more than 15,000 new victims per day.

By February 2026, the botnet's active footprint had shrunk to around 8,000 routers, with 2,500 in the United States.

Given the high volume of victim generation, it would not surprise me if they eventually hit something really important that moved them up the list of networks to go after.

— Chris Formosa, Senior Lead Information Security Engineer at Black Lotus Labs, told CyberScoop

Operation Lightning Details

Date: March 11, 2026
Domains seized: 34
Servers taken down: 23 (in 7 countries)
Cryptocurrency frozen: $3.5 million
Revenue received: ~$5.8 million (€5 million)
Registered users: ~124,000
Total IPs compromised: ~369,000 (163 countries)
Active routers (Feb 2026): ~8,000 (2,500 in US)
Participating countries: Austria, Bulgaria, France, Germany, Hungary, Netherlands, Romania, US
Partners: Europol, Eurojust, Black Lotus Labs, Shadowserver Foundation

The DOJ dismantled 911 S5 in May 2024, a botnet that infected 19 million IP addresses and facilitated $5.9 billion in fraud. SocksEscort was smaller in device count but had been active longer and relied on router-level infection rather than VPN-based malware, making its traffic harder to distinguish from legitimate residential use.

Europol said the investigation began in June 2025 under its Joint Cyberaction Task Force. The agency disclosed the $5.8 million revenue estimate in its takedown announcement. Eight countries participated, with Lumen's Black Lotus Labs and the Shadowserver Foundation providing private-sector support. The FBI Sacramento Field Office, the Defense Criminal Investigative Service, and IRS Criminal Investigation handled the U.S. side.

The FBI's FLASH advisory listed specific router models most frequently abused. D-Link DIR-818LW, DIR-850L, and DIR-860L routers appeared alongside two Hikvision IP camera models, Netgear DGN2200v4 and R7000, TP-Link Archer C20, TL-WR840N, TL-WR841N, and TL-WR849N, and nine Zyxel models. Netgear told The Hacker News that the devices were targeted during "early stages" of botnet activity in 2016 and that remediation had been deployed.

Operation Winter Shield, an FBI cyber resilience campaign, launched on January 28, 2026. One of its ten recommended defensive measures directly applies here. The FBI recommends that owners of any router model on the list verify the device still receives firmware updates and replace it if it has reached end of life.

Questions on the topic

What was the SocksEscort proxy botnet and why was it shut down?
SocksEscort was a criminal proxy service that infected 369,000 routers in 163 countries with AVrecon malware. The DOJ and Europol dismantled it on March 11, 2026, seizing 34 domains and freezing $3.5 million in cryptocurrency.