
On Wednesday, a worldwide coalition of law enforcement agencies dismantled a botnet comprising tens of thousands of compromised home and small business routers.
The operation targeted SocksEscort, a paid proxy service built on a botnet of compromised routers that was used to commit a range of crimes, including unlawfully accessing victims’ banking and cryptocurrency accounts and submitting fraudulent unemployment insurance applications, according to an announcement released by the Department of Justice (DOJ) on Thursday. The DOJ reported that the offenses enabled by SocksEscort caused millions of dollars in losses for Americans.
According to Europol’s statement on the operation, the SocksEscort botnet breached over 369,000 routers and Internet of Things devices across 163 nations, and the infected routers “have been disconnected from the service.” The law enforcement agency indicated that SocksEscort facilitated ransomware, distributed denial of service (DDoS) attacks, and the spread of child sexual abuse material (CSAM).
“Users of the illicit service purchased licenses to exploit these compromised devices, concealing their original IP addresses to partake in various criminal actions,” Europol stated. “Once infected with the malware, owners of the modems remained unaware that their IP addresses were being exploited for illegitimate purposes.”
The official website of SocksEscort was replaced by a message announcing the seizure as part of the law enforcement operation.
Since last January, the botnet has consisted of approximately 280,000 routers and was driven by malware named AVRecon, according to cybersecurity firm Black Lotus Labs, which monitored SocksEscort and collaborated with authorities in the takedown effort.
“This botnet represented a considerable threat, as it was exclusively marketed to criminals,” the company remarked in its post regarding the takedown. “Significantly, more than half of its victims were situated in the United States or the United Kingdom, allowing perpetrators to execute highly targeted operations.”
In 2023, Black Lotus Labs referred to SocksEscort as “one of the largest botnets targeting small-office/home-office (SOHO) routers observed in recent years.”
At that time, cybersecurity journalist Brian Krebs noted that SocksEscort emerged in 2009 as a Russian-language service offering access to thousands of compromised computers.

