
On March 11, Europol and the U.S. Department of Justice jointly announced the results of “Operation Lightning,” which dismantled the malicious proxy service “SocksEscort.” U.S. authorities froze $3.5 million in cryptocurrency related to this case, and authorities in seven countries seized 34 domains and 23 servers.
The investigation began in June 2025, led by Europol’s Cybercrime Action Team (J-CAT). It uncovered a botnet composed of infected home routers, secretly recruited as proxy servers to hide the source of cybercriminal activities.
The U.S. Attorney’s Office for the Eastern District of California reported that by February 2026, approximately 8,000 infected routers had been recorded through the SocksEscort app, with about 2,500 located within the United States. The associated payment platforms are estimated to have received over $5.7 million in cryptocurrency, with U.S. authorities freezing $3.5 million of that amount.
Catherine De Bolle, Executive Director of Europol, stated, “By dismantling this infrastructure, law enforcement has disrupted a service that facilitates cybercrime on a global scale.”
U.S. Department of Justice charges reveal that the SocksEscort proxy network was used for various criminal activities:
Bank and Cryptocurrency Account Hijacking: Using proxies to conceal access sources and carry out account takeover attacks.
False Unemployment Benefits Claims: Submitting welfare applications under others’ identities to fraudulently obtain government funds.
Ransomware Attacks: Distributing and deploying ransomware through the proxy network.
DDoS Attacks: Using botnet routers to execute distributed denial-of-service attacks.
Distribution of Child Sexual Abuse Material (CSAM): Spreading illegal content via infected devices.
U.S. federal prosecutors cited multiple specific victim cases: a New York cryptocurrency exchange customer allegedly lost $1 million in digital assets; a Pennsylvania manufacturer reportedly lost $700,000; and several active and retired military personnel are said to have been defrauded of a total of $100,000.
SocksEscort is a malicious proxy service that infects routers and IoT devices in homes and small businesses worldwide, turning these infected devices into proxy servers and offering access to paying customers. Clients can use these “residential proxies” to mask the true origin of their network activity, so that criminal activity appears to come from ordinary home users’ IP addresses.
U.S. authorities froze $3.5 million in cryptocurrency related to this case. The payment platforms involved are estimated to have received over $5.7 million in total. Law enforcement actions took place in seven countries, seizing 34 domains and 23 servers.
Criminals use SocksEscort’s proxy servers to hide their network connection sources, launching account takeover attacks on cryptocurrency accounts from locations that appear to be legitimate residential IP addresses, bypassing geo-based security measures. In one case, a New York-based crypto exchange customer was reportedly defrauded of $1 million worth of digital assets through this method.