SocksEscort Botnet Dismantled After Hijacking 369,000 IPs

By alex2404

Residential router botnets have long served as the infrastructure of choice for fraud operators seeking to disguise malicious traffic as ordinary consumer activity. A coordinated international law enforcement operation has now dismantled one of the more durable examples of that model.

Authorities have taken down SocksEscort, a criminal proxy service that infected home and small business routers with malware and sold access to the compromised devices as anonymous tunneling points. According to the announcement, the service offered access to approximately 369,000 distinct IP addresses across 163 countries since the summer of 2020, and as recently as February 2026 still listed nearly 8,000 active infected routers, with 2,500 of those located in the United States.

The operation, codenamed Operation Lightning and coordinated through Europol, involved law enforcement from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the U.S. The disruption resulted in the seizure of 34 domains and 23 servers across seven countries, and the freezing of $3.5 million in cryptocurrency. A payment platform used by SocksEscort customers to anonymously purchase access is estimated to have received more than EUR 5 million in total.

Pricing for the service was deliberately accessible. A set of 30 proxies cost $15 per month; a package of 5,000 proxies ran $200 per month. As of December 2025, the site advertised over 35,900 proxies from 102 countries and claimed to offer static residential IPs with unlimited bandwidth capable of bypassing spam blocklists.

The Malware Underneath

SocksEscort was powered by malware known as AVrecon, first publicly documented by Lumen Black Lotus Labs in July 2023 but assessed to have been active since at least May 2021. Written in C and targeting primarily MIPS and ARM architectures, AVrecon goes beyond simple proxy enrollment: it can establish a remote shell to an attacker-controlled server and download and execute arbitrary payloads. The malware targets approximately 1,200 device models from manufacturers including Cisco, D-Link, Hikvision, Mikrotik, NETGEAR, TP-Link, and Zyxel, exploiting critical vulnerabilities such as Remote Code Execution and command injection.

Persistence is achieved through a particularly resilient method: threat actors use the device’s own built-in update mechanism to flash custom firmware containing a copy of AVrecon hardcoded to execute on startup. That modified firmware also disables the device’s update and flashing features, leaving the device permanently compromised with no straightforward path to remediation through normal means. A NETGEAR spokesperson stated that some of its devices were targeted in early botnet activity in 2016, that the company deployed remediation efforts at the time, and that there is no indication its equipment had been exploited since.

Real Victims, Documented Losses

The fraud enabled through SocksEscort touched identifiable individuals and organizations. A cryptocurrency exchange customer in New York lost $1 million in cryptocurrency. A manufacturing business in Pennsylvania was defrauded of $700,000. Current and former U.S. service members holding MILITARY STAR cards lost a combined $100,000. Europol also noted that the compromised devices facilitated ransomware attacks, distributed denial-of-service attacks, and the distribution of child sexual abuse material. The service is estimated to have victimized 280,000 distinct IP addresses beginning in early 2025 alone.


This article is a curated summary based on third-party sources.
