DOJ Takes Down SocksEscort Proxy Network Used for Millions in Fraud

Operation Lightning Shuts Down a Massive Proxy-for-Hire Network

The U.S. Department of Justice, working with the FBI and law enforcement agencies in Austria, France, the Netherlands, and four other countries, has taken down SocksEscort — one of the largest proxy-for-hire networks in the world. The operation, dubbed "Operation Lightning," resulted in the seizure of 34 domains and 23 servers, with approximately $3.5 million in cryptocurrency frozen.

SocksEscort was not a VPN service or a legitimate proxy provider. It was a criminal infrastructure platform that turned infected home routers and IoT devices into proxy nodes, then rented access to those compromised devices to cybercriminals who needed to hide their identities while committing fraud, identity theft, and other financial crimes.

How SocksEscort Worked

The network was powered by the AVRecon botnet, a malware operation that had quietly infected hundreds of thousands of small office and home office (SOHO) routers since at least 2020. The malware exploited known vulnerabilities in consumer-grade routers to install a proxy agent — turning the router into a relay point that criminals could use to route their internet traffic through someone else's IP address.

At its peak, the AVRecon botnet had compromised approximately 369,000 IP addresses, with roughly 8,000 devices actively infected and serving as proxy nodes at any given time. SocksEscort then packaged these proxies into a subscription service, allowing 124,000 registered users to route their traffic through residential IP addresses in dozens of countries.

Why Residential Proxies Are Valuable to Criminals

The key value proposition was simple: when a criminal routes their traffic through a compromised home router in, say, Ohio, their activity appears to originate from a legitimate residential IP address. This defeats many of the IP-based fraud detection systems used by banks, e-commerce platforms, and government agencies.

If you are trying to commit credit card fraud, open fake bank accounts, or file fraudulent tax returns, appearing to come from a residential IP address in the same city as the account holder dramatically increases your success rate. SocksEscort made this capability available as a service — no technical skill required.

The Damage

The DOJ estimates that SocksEscort facilitated tens of millions of dollars in fraud losses across its years of operation. The 124,000 registered users represent a massive customer base of cybercriminals, although not every user was necessarily engaged in illegal activity: some may have used the service for legitimate anonymity purposes, but the platform was overwhelmingly marketed to and used by criminals.

The $3.5 million in frozen cryptocurrency represents just a fraction of the total revenue the operation generated. Proxy-for-hire services of this scale typically charge between $5 and $50 per day for premium residential proxies, suggesting annual revenues well into the millions.

The Bottom Line

The SocksEscort takedown is one of the largest disruptions of criminal proxy infrastructure to date. But the underlying problem — consumer routers with unpatched vulnerabilities serving as unknowing nodes in criminal networks — is not going away. For every SocksEscort that gets taken down, the AVRecon-style botnets that power them continue to evolve. If you have a home router that has not been updated in years, there is a non-trivial chance it is already part of someone else's criminal infrastructure.