A global coalition of law enforcement agencies shut down a botnet composed of tens of thousands of hacked home and small business routers on Wednesday. The operation targeted a service known as SocksEscort, which was built on a network of compromised devices and offered paid proxy services to criminals.
According to an announcement from the Department of Justice, the botnet was used to commit various crimes. These crimes included hacking into victims’ bank and cryptocurrency accounts and filing fraudulent unemployment insurance claims, costing Americans millions of dollars.
Europol stated that the SocksEscort botnet allegedly compromised more than 369,000 routers and Internet of Things devices across 163 countries. The agency confirmed that the infected routers have now been disconnected from the service. Law enforcement explained that SocksEscort was used to facilitate ransomware attacks, distributed denial of service attacks, and the distribution of child sexual abuse material.
Europol further noted that customers of the criminal service paid for licenses to abuse these infected devices, hiding their original IP addresses to engage in criminal activities. After their devices were infected with the malware, the owners of the modems would be unaware that their IP addresses were being used for illegitimate purposes.
As part of the law enforcement operation, the official SocksEscort website was replaced with a seizure notice. The botnet had comprised approximately 280,000 routers since last January and was powered by malware called AVRecon.
Cybersecurity firm Black Lotus Labs, which tracked SocksEscort and assisted in the takedown, stated this botnet posed a significant threat because it was marketed exclusively to criminals. The company noted that over half of its victims were located in the United States or the United Kingdom, which enabled attackers to conduct highly targeted operations.
In 2023, Black Lotus Labs described SocksEscort as one of the largest botnets targeting small-office and home-office routers seen in recent history. At that time, cybersecurity journalist Brian Krebs reported that SocksEscort began in 2009 as a Russian-language service selling access to thousands of hacked computers.

