Law enforcement agencies from the United States and Europe, supported by private partners, have taken down the SocksEscort cybercrime proxy network. This service, powered by the AVRecon malware infecting Linux-based devices, provided cybercriminals with access to compromised IP addresses. The operation resulted in the seizure of domains, servers, and cryptocurrency assets.
The disruption of the SocksEscort proxy network occurred on March 12, 2026, involving coordination between U.S. authorities, European law enforcement, and private entities like Lumen’s Black Lotus Labs (BLL).
SocksEscort operated for over a decade and was first documented by BLL in 2023. It relied exclusively on edge devices compromised by the AVRecon malware, which targeted Linux-based small office/home office (SOHO) routers. AVRecon has been active since at least May 2021 and infected more than 70,000 such devices by mid-2023. The network maintained an average of 20,000 infected devices weekly in recent years, with over half located in the United States and the United Kingdom.
Since the summer of 2020, SocksEscort offered access to approximately 369,000 different IP addresses, advertised as “clean” from major ISPs including Comcast, Spectrum, Spectrum Business, Verizon, and Charter. These addresses could evade multiple blocklists. As of February 2026, the service listed about 8,000 infected routers available for customer access, including 2,500 in the United States.
The U.S. Department of Justice (DOJ) highlighted the network's role in specific crimes: it facilitated the theft of $1 million in cryptocurrency from a New York user, enabled $700,000 in losses from defrauding a Pennsylvania-based manufacturing business, and caused $100,000 in damages through fraud affecting current and former U.S. service members using MILITARY STAR cards.
In the operation, European authorities in Austria, France, and the Netherlands, coordinated by Europol, seized 34 domains and 23 servers across seven countries. The U.S. froze $3.5 million in cryptocurrency. All infected devices connected to SocksEscort have now been disconnected from the service.
Lumen's earlier efforts in 2023 disrupted AVRecon by null-routing its command-and-control infrastructure, but operators later restored functionality using 15 command-and-control nodes. Since the beginning of 2025, BLL has observed 280,000 unique victim IP addresses linked solely to this malware, which was used to expand SocksEscort.