SocksEscort Proxy Botnet Dismantled: How AVRecon Turned Home Routers into a Criminal Proxy Network

CyberSecureFox 🦊

US and European law enforcement agencies, supported by private-sector cybersecurity experts, have dismantled the SocksEscort proxy botnet — one of the most persistent and commercially successful residential proxy services built on infected Linux-based routers running the AVRecon malware. The coordinated operation delivers a significant blow to the criminal market for “clean” residential IP addresses and highlights ongoing abuses of consumer networking devices.

International takedown of the SocksEscort proxy infrastructure

According to research from Black Lotus Labs, the threat intelligence arm of Lumen Technologies that provided technical support to the US Department of Justice (DOJ), the SocksEscort infrastructure maintained an average of about 20,000 active infected devices per week in recent years. Although the service was publicly documented by researchers only in 2023, it had operated for more than a decade, demonstrating strong resilience and operator discipline.

In Europe, coordination was led by Europol, with operational support from law enforcement in Austria, France, and the Netherlands. Joint actions resulted in the seizure of 34 domains and 23 servers across seven countries. In the United States, authorities additionally froze approximately $3.5 million in cryptocurrency linked to SocksEscort’s activities. This combination of technical and financial measures targeted both the botnet’s command infrastructure and the revenue stream that sustained it.

How the SocksEscort residential proxy service operated

SocksEscort functioned as a paid commercial proxy service, offering cybercriminals access to residential and small-business IP addresses. A key selling point was access to IP ranges belonging to major US internet service providers such as Comcast, Spectrum, Verizon, and Charter. Because traffic from these networks appears indistinguishable from that of typical home users, it is less likely to be blocked or flagged by fraud-detection and anti-abuse systems.

The DOJ estimates that, since mid-2020, SocksEscort has sold access to roughly 369,000 unique IP addresses. As of February 2026, its client application exposed around 8,000 infected routers as available proxy nodes, including about 2,500 located in the United States. This highly distributed infrastructure made it difficult for online services to reliably block malicious traffic based on IP reputation alone.

AVRecon malware: the Linux engine behind the proxy botnet

Infection of routers and controlled growth of the botnet

The SocksEscort ecosystem relied on a specialized piece of Linux malware known as AVRecon, designed to infect routers and other networking gear. Lumen’s telemetry indicates AVRecon has been in active use since at least May 2021 and had compromised more than 70,000 routers by mid-2023. Since early 2025, analysts have observed over 280,000 unique victim IP addresses tied to the botnet’s activity.

Notably, AVRecon was used exclusively by SocksEscort operators, and infected devices were not shared with or linked to other known botnets. This closed ecosystem suggests a deliberate strategy to maximize control, minimize detection, and preserve the value of the “inventory” of residential IPs offered to paying clients. More than half of compromised routers were located in the United States and the United Kingdom, regions with dense broadband coverage and highly trusted IP space.

Why residential proxies are so valuable to cybercriminals

Residential proxy botnets such as SocksEscort are particularly attractive in the underground market because their traffic appears to originate from ordinary home users. Fraud-prevention systems at banks, cryptocurrency exchanges, e-commerce platforms, and social networks tend to treat this traffic as low risk compared to data center or VPN IP ranges.

This enables attackers to bypass IP-based blocking, geolocation controls, and bot-detection tools. Common abuse scenarios include account takeover and credential-stuffing attacks, large-scale creation and laundering of fake accounts, payment and refund fraud, evasion of geographic restrictions, and obfuscation of cryptocurrency theft or money laundering activities.

Documented financial losses linked to SocksEscort

US Department of Justice filings link the SocksEscort proxy infrastructure to several concrete fraud cases. In one incident, attackers used the service to steal approximately $1 million in cryptocurrency from a New York resident. In another, a manufacturing firm in Pennsylvania suffered around $700,000 in losses through a fraud scheme facilitated by SocksEscort-provided IP addresses.

A separate case involved theft of roughly $100,000 from current and former US military personnel via abuse of MILITARY STAR cards. In all these scenarios, attackers combined stolen credentials, social engineering, and traffic routed through “trusted” residential IPs to slip past fraud-detection systems and appear as legitimate users to financial institutions and online services.

Countermeasures, limitations, and lessons for router owners

Prior to the law-enforcement takedown, the private sector had already attempted to contain the threat. Lumen temporarily disrupted AVRecon by null-routing traffic to its command-and-control servers within its backbone network, effectively cutting off communication between bots and controllers. However, SocksEscort’s operators eventually reestablished control, demonstrating that network-layer blocking alone is insufficient without dismantling the broader criminal ecosystem.

The case underscores how home and small-office routers remain soft targets. Default or weak passwords, outdated firmware, unnecessary remote administration features, and lack of basic network segmentation provide attackers with scalable entry points. Because infected devices continue to function normally and additional bandwidth usage is often modest, most owners never realize their router is part of a proxy botnet.

To reduce the risk of infection by malware like AVRecon and prevent involuntary participation in future proxy botnets, router owners should regularly update firmware, change factory credentials, disable unneeded remote-access services, and use unique, complex passwords. Enabling automatic security updates where available, monitoring unusual network activity, and consulting ISPs or security professionals when anomalies appear are also critical steps. Awareness of cases like SocksEscort helps individuals and organizations better understand how seemingly harmless consumer equipment can be weaponized at scale — and why proactive router security is now a fundamental part of modern cyber hygiene.
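As an added example (not code from the article, from Lumen, or from any SocksEscort analysis), the Python script below shows the kind of check a home or small-office network owner could run over a router's connection log to act on the advice above to monitor for unusual network activity. It assumes a log format of one flow per line with src, dst, dport and bytes fields, a LAN prefix of 192.168.1.0/24, and illustrative thresholds; the sample log lines are constructed. Because an infected router adds only modest bandwidth, as the article notes, the heuristic does not alert on volume at all. It looks instead at connection fan-out: a host that opens many short connections to many unrelated external destinations, with almost every flow going somewhere new, is behaving like a relay rather than like a person browsing.

```python
"""Spot LAN hosts whose outbound connection pattern looks like proxy relaying.

Added example (not code from the article or from Lumen). The flow lines are
constructed to imitate a home router's connection log; the LAN prefix, the
field names and the thresholds are assumptions, not values from the page.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network prefix

# Constructed sample: 192.168.1.10 is an ordinary laptop that reuses a few
# services; 192.168.1.23 opens many short, low-volume connections to unrelated
# destinations, the fan-out a relay node produces. All remote addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_FLOW_LOG = """\
2026-02-10T10:00:01 src=192.168.1.10 dst=198.51.100.5 dport=443 bytes=184320
2026-02-10T10:00:09 src=192.168.1.10 dst=198.51.100.5 dport=443 bytes=92160
2026-02-10T10:00:15 src=192.168.1.10 dst=198.51.100.20 dport=443 bytes=40960
2026-02-10T10:00:31 src=192.168.1.10 dst=192.168.1.1 dport=53 bytes=120
2026-02-10T10:00:02 src=192.168.1.23 dst=203.0.113.11 dport=443 bytes=2048
2026-02-10T10:00:03 src=192.168.1.23 dst=203.0.113.54 dport=443 bytes=1536
2026-02-10T10:00:05 src=192.168.1.23 dst=198.51.100.77 dport=80 bytes=1024
2026-02-10T10:00:06 src=192.168.1.23 dst=192.0.2.9 dport=443 bytes=3072
2026-02-10T10:00:08 src=192.168.1.23 dst=192.0.2.130 dport=8443 bytes=512
2026-02-10T10:00:11 src=192.168.1.23 dst=203.0.113.200 dport=443 bytes=2560
2026-02-10T10:00:12 src=192.168.1.23 dst=198.51.100.140 dport=443 bytes=1800
2026-02-10T10:00:14 src=192.168.1.23 dst=192.0.2.45 dport=443 bytes=900
2026-02-10T10:00:17 src=192.168.1.23 dst=203.0.113.99 dport=80 bytes=1300
2026-02-10T10:00:19 src=192.168.1.23 dst=198.51.100.3 dport=443 bytes=2200
this line is deliberately malformed and must be skipped
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class HostStats:
    flows: int = 0
    bytes_out: int = 0
    destinations: set = field(default_factory=set)
    ports: set = field(default_factory=set)


def parse_flows(text):
    """Parse log text into dicts; malformed lines are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def aggregate(records, lan=LAN):
    """Per-source stats over flows that leave the LAN; internal traffic is ignored."""
    stats = defaultdict(HostStats)
    for r in records:
        if ipaddress.ip_address(r["dst"]) in lan:
            continue  # DNS to the gateway, printers etc. are not relaying
        h = stats[r["src"]]
        h.flows += 1
        h.bytes_out += int(r["bytes"])
        h.destinations.add(r["dst"])
        h.ports.add(int(r["dport"]))
    return stats


def find_proxy_suspects(text, min_distinct_dsts=8, min_novelty=0.8):
    """Return {src: reason} for hosts whose fan-out looks like relaying.

    The check deliberately does not require high byte counts: a relay node
    adds only modest bandwidth, so volume-based alarms miss it. What stands
    out instead is many distinct external destinations with almost every
    flow going somewhere new (novelty = distinct destinations / flows).
    """
    suspects = {}
    for src, h in aggregate(parse_flows(text)).items():
        if h.flows == 0:
            continue
        novelty = len(h.destinations) / h.flows
        if len(h.destinations) >= min_distinct_dsts and novelty >= min_novelty:
            suspects[src] = (
                f"{len(h.destinations)} distinct external destinations in "
                f"{h.flows} flows (novelty {novelty:.2f}), "
                f"avg {h.bytes_out // h.flows} bytes/flow, ports {sorted(h.ports)}"
            )
    return suspects


if __name__ == "__main__":
    for src, reason in find_proxy_suspects(SAMPLE_FLOW_LOG).items():
        print(f"{src}: {reason}")
```

On the constructed sample only 192.168.1.23 is reported: ten flows to ten different external hosts averaging under two kilobytes each, a volume that would never trip a bandwidth alarm. The thresholds are starting points; a household with heavy web browsing will show some fan-out too, so in practice a result like this is a prompt to check the device (firmware version, credentials, remote-administration settings) rather than proof of infection.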
