Security News

Cybersecurity news aggregator

HIGH Attacks SecurityWeek

Authorities Disrupt SocksEscort Proxy Service Powered by AVrecon Botnet

The AVrecon malware-powered SocksEscort proxy service was built by exploiting known critical vulnerabilities, primarily Remote Code Execution (RCE) and command injection flaws, in approximately 1,200 models of SOHO routers and IoT devices from vendors including Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel. The FBI has shared indicators of compromise (IoCs) and recommendations for securing devices, which include applying vendor-provided firmware updates to patch exploited vulnerabilities and disconnecting infected modems from the service.

Law enforcement agencies in the US and Europe targeted the cybercrime service that has impacted 360,000 devices since 2020.

By Eduard Kovacs | March 13, 2026 (4:27 AM ET)

Law enforcement agencies in the United States and Europe have disrupted SocksEscort, a malicious proxy service that facilitated criminal activities.

These proxy services enable users to hide their identity and bypass security systems. In the case of SocksEscort, it has been used for various types of cybercrime, including DDoS attacks, ransomware attacks, and the distribution of child abuse materials.

According to Europol and the US Justice Department, SocksEscort has been powered by compromised routers and other IoT devices, with roughly 363,000 IP addresses from 163 countries linked to the cybercrime service since 2020.

In February 2026, just before the takedown operation was initiated, SocksEscort was supported by approximately 8,000 hacked routers, including 2,500 in the US.

Lumen Technologies, whose Black Lotus Labs assisted the disruption efforts, said “SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes.”

[Image: SocksEscort victims]

Authorities estimate that SocksEscort customers paid a total of more than $5.7 million for the proxy service, and US Justice Department data indicates many users profited substantially from it, with some defrauding victims of hundreds of thousands or even $1 million in individual schemes.

Europol reported that “law enforcement agencies successfully took down and seized 34 domains as well as 23 servers located in seven countries. In addition, the United States froze a total of USD 3.5 million in cryptocurrency. The infected modems used to offer the proxy service have been disconnected from the service.”

The FBI on Thursday issued an alert for the AVrecon malware that has powered the SocksEscort service. The agency said the proxy service’s operators exploited known vulnerabilities in routers and IoT devices to deploy the malware and create a botnet.

“SocksEscort uses AVrecon malware to target approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel,” the FBI said. “The vast majority of observed devices infected with AVrecon malware are small-office/home-office (SOHO) routers infected using critical vulnerabilities such as Remote Code Execution (RCE) and command injection.”

The agency has shared information on the AVrecon malware’s distribution, execution, persistence, and communication, providing indicators of compromise (IoCs) and recommendations for securing devices.

News of the SocksEscort takedown comes shortly after Europol, Microsoft, and cybersecurity companies announced a joint effort to take down the phishing-as-a-service platform Tycoon 2FA.

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.