Malware News Europol and international partners disrupt ‘SocksEscort’ proxy service

[nicolaasjan]

Content source

https://www.europol.europa.eu/media-press/newsroom/news/europol-and-international-partners-disrupt-socksescort-proxy-service

On 11 March 2026, Europol in collaboration with law enforcement agencies from Austria, France, the Netherlands, and the United States, alongside Eurojust, executed Operation Lightning. This coordinated effort targeted the malicious proxy service ‘SocksEscort’, which allegedly compromised over 369 000 routers and Internet of Things devices in 163 countries, and offered ‘SocksEscort’ customers over 35 000 proxies in recent years.
During the action day, law enforcement agencies successfully took down and seized 34 domains as well as 23 servers located in seven countries. In addition, the United States froze a total of USD 3.5 million in cryptocurrency. The infected modems used to offer the proxy service have been disconnected from the service. Following this takedown, law enforcement authorities will alert the affected countries, paving the way for further investigative initiatives.

Devices infected via exploited vulnerabilities​

The investigation, which began in June 2025 with the opening of a case by Europol's Joint Cyberaction Task Force (J-CAT), revealed that a botnet of infected devices was created. These devices, primarily residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM).
The compromised devices were infected through a vulnerability in the residential modems of a specific brand. Customers of the criminal service paid for licences to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities. To protect against such exploits, users, and vendors are advised to update the firmware of their devices regularly.

 

[Halp2001]

Great share. This is a solid reminder that cybercriminals don't need massive data centers; they just need misconfigured routers and IoT devices to run a global operation. It’s good to see Operation Lightning getting real results by seizing domains, servers, and even freezing crypto.

For the rest of us: keep firmware updated whenever possible and try to close those security gaps, or at least minimize them as much as our home networks allow.