Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries

A court-approved international law enforcement operation has shut down SocksEscort, a criminal proxy service that turned thousands of home routers around the world into a botnet to commit large-scale fraud. The U.S. Department of Justice (DoJ) said, "SocksEscort infected home and small business internet routers with malware." "The malware let SocksEscort send internet traffic through the routers that were infected.

Customers could buy this access from SocksEscort. "SocksEscort" (socksescort[. ]com) is said to have offered to sell access to about 369,000 different IP addresses in 163 countries since the summer of 2020. As of February 2026, the service had listed almost 8,000 infected routers.

The modified firmware also turns off the device's ability to update and flash, which means the devices will always be infected.

The Black Lotus Labs team said, "This botnet was a big threat because it was only sold to criminals and was made up of compromised edge devices." "Over the past few years, SocksEscort had about 20,000 different victims every week, and communications went through an average of 15 command-and-control nodes (C2s)."