SocksEscort sold proxy services on the open web, but was actually routing traffic through compromised routers and internet-connected devices.

A proxy service called SocksEscort has been found infecting thousands of routers from brands such as D-Link, Netgear, and TP-Link, and selling access to them to cybercriminals.

On Thursday, the US joined with Europol to shut down SocksEscort, which sold its services on the open internet for as little as $15 per month. However, investigators say the business was actually funneling the proxy traffic through routers that SocksEscort had hijacked.

“Since the summer of 2020, SocksEscort has offered to sell access to about 369,000 different IP addresses,” the Justice Department says. “As of February 2026, the SocksEscort application listed approximately 8,000 infected internet routers to which its customers could buy access; of those, 2,500 were in the United States.”

SocksEscort compromised the devices with a Linux-based malware dubbed “AVrecon,” which cybersecurity provider Lumen Black Lotus Labs flagged in 2023. At the time, it was found to be infiltrating 70,000 devices, but that later increased to “20,000 distinct victims weekly,” with over half of the IP addresses located in the United States or the UK.

The FBI also notes: “SocksEscort uses AVrecon malware to target approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.”

SocksEscort then leveraged the access by selling it to cybercriminals, who used the proxy services to conceal their IP addresses and stage hacking activities from residential networks. The resulting fraud schemes raked in millions. One victim was a New York customer of a cryptocurrency exchange who lost $1 million; another was a “manufacturing business in Pennsylvania that was defrauded of $700,000.”

In addition, hackers on SocksEscort conducted romance scams, exploited website vulnerabilities, and attempted to hijack accounts through brute-force password attacks.

The Justice Department said it “executed seizure warrants against a few dozen US-registered internet domains.” As a result, the main page for SocksEscort has been replaced with a seizure notice. Law enforcement agencies in Austria, France, and the Netherlands also took down numerous SocksEscort servers.

Europol adds that SocksEscort provided the proxies by allegedly compromising 369,000 devices in total, which included routers and Internet of Things products based in 163 countries. The agency also estimates SocksEscort raked in at least 5 million euros ($5.7 million) from customers who paid in cryptocurrency.

Top 20 Most Represented Device Models

As part of the crackdown, the FBI issued an alert about the “AVrecon malware,” which the proxy service used to infect routers. The alert includes a list of the “Top 20 Most Represented Device Models,” at least some of which were introduced over a decade ago.

The operators of SocksEscort spread the malware by scanning for IoT devices and routers with known vulnerabilities, and then exploiting them to gain remote access.

“Threat actors also modify the firmware to silently disable the device’s update and flashing features, making AVrecon extremely difficult to remove. These types of devices are essentially permanently infected with AVrecon,” the alert adds. “In other cases, AVrecon is deployed without a persistence mechanism. If an infected device is power cycled, it resets to a normal state and is no longer infected by AVrecon.”

Europol notes, “The infected modems used to offer the proxy service have been disconnected from the service,” following the server takedown. The FBI’s alert includes technical details to determine if a device was ever infected with the malware.

The agency adds: “If a device is considered EOL [end of life] by its manufacturer and is no longer supported, consider replacing the device with a model that is still receiving security updates.”
