# US Joins Forces with Europol to Take Down SocksEscort, Proxy Service Behind Thousands of Router Hacks

In a significant operation, the United States has joined forces with Europol to shut down SocksEscort, a proxy service that was infecting thousands of routers from top brands like D-Link, Netgear, and TP-Link, and selling access to them to cybercriminals. The operation has resulted in the shutdown of SocksEscort's main page, with a seizure notice displayed in its place, and the takedown of numerous servers in Austria, France, and the Netherlands.

SocksEscort, which offered its services on the open internet for as little as $15 per month, was found to be funneling proxy traffic to routers that it had hijacked. The Justice Department revealed that since the summer of 2020, SocksEscort has offered to sell access to approximately 369,000 different IP addresses. As of February 2026, the SocksEscort application listed around 8,000 infected internet routers, with 2,500 of those located in the United States.

The proxy service compromised devices with a Linux-based malware dubbed "AVrecon," which was flagged by cybersecurity provider Lumen Black Lotus Labs in 2023. AVrecon was initially found to be infiltrating 70,000 devices, and its activity later increased to "20,000 distinct victims weekly," with over half of the IP addresses located in the United States or the UK. The FBI noted that SocksEscort used AVrecon malware to target approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.

SocksEscort then monetized that access by selling it to cybercriminals, who used the proxy services to conceal their IP addresses and stage hacking activities from residential networks. The resulting fraud schemes raked in millions, with one victim losing $1 million at a cryptocurrency exchange and another victim being defrauded of $700,000 by a manufacturing business in Pennsylvania.

The Justice Department executed seizure warrants against a few dozen US-registered internet domains, replacing the main page for SocksEscort with a seizure notice. Law enforcement agencies in Austria, France, and the Netherlands also took down numerous SocksEscort servers. Europol estimated that SocksEscort raked in at least 5 million Euros ($5.7 million) from customers who paid in cryptocurrency.

As part of the crackdown, the FBI issued an alert about the "AVrecon malware," which the proxy service used to infect routers. The alert includes a list of the "Top 20 Most Represented Device Models," at least some of which were introduced over a decade ago. The operators of SocksEscort spread the malware by scanning for IoT devices and routers with known vulnerabilities, and then exploiting them to gain remote access.

"It's a wake-up call for all device owners to take cybersecurity seriously," said a cybersecurity expert. "Using outdated or unsupported devices can leave them vulnerable to malware like AVrecon, which can be difficult to remove."

The FBI's alert includes technical details to determine if a device was ever infected with the malware. The agency advises device owners to consider replacing their devices with models that are still receiving security updates.

Netgear has commended the FBI for its actions to disrupt the SocksEscort Botnet, stating that it has no indication that its equipment was exploited in SocksEscort since its remediation efforts were deployed.

In conclusion, the shutdown of SocksEscort is a significant victory for law enforcement agencies, and a reminder of the importance of cybersecurity awareness. Device owners are advised to take steps to protect their devices from malware and other cyber threats, and to stay informed about the latest vulnerabilities and exploits.

### Key Takeaways:

* SocksEscort, a proxy service, was shut down by the US and Europol in a joint operation.
* The service was found to be infecting thousands of routers from top brands and selling access to them to cybercriminals.
* The malware used by SocksEscort, AVrecon, was found to be targeting approximately 1,200 device models from major manufacturers.
* The shutdown of SocksEscort is a significant victory for law enforcement agencies, and a reminder of the importance of cybersecurity awareness.