SocksEscort Proxy Network Disrupted by Law Enforcement
Summary
Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. This network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The SocksEscort network had an average of 20,000 infected devices weekly and was used in several high-value fraud cases, including the theft of $1 million in cryptocurrency and losses of $700,000 from a Pennsylvania-based manufacturing business.
Timeline
- 12.03.2026 18:19 · 1 article
Law Enforcement Disrupts SocksEscort Proxy Network
Law enforcement agencies in the U.S. and Europe, along with private partners, have disrupted the SocksEscort cybercrime proxy network. The network relied on edge devices compromised by the AVRecon malware for Linux. The disruption involved taking down multiple servers and domains, freezing cryptocurrency, and disconnecting infected devices. The network had been active for over a decade, offering access to 'clean' IP addresses from major ISPs and facilitating various fraudulent activities. The AVRecon malware, which powered SocksEscort, was believed to have been active since at least May 2021 and infected over 70,000 Linux-based SOHO routers by mid-2023. Despite previous disruptions, the operators of SocksEscort returned to regular operations, routing communications through 15 command-and-control nodes (C2s).
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
Information Snippets
- SocksEscort was first documented by Lumen’s Black Lotus Labs (BLL) in 2023 and had been operational for over a decade.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- The network offered access to 'clean' IP addresses from major ISPs such as Comcast, Spectrum, Verizon, and Charter.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- SocksEscort advertised access to about 369,000 different IP addresses since summer 2020.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- As of February 2026, the SocksEscort application listed approximately 8,000 infected routers, with 2,500 in the United States.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- The service was used in the theft of $1 million in cryptocurrency, $700,000 in losses from a Pennsylvania-based manufacturing business, and $100,000 in damages impacting U.S. service members.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- European authorities in Austria, France, and the Netherlands took down multiple SocksEscort servers under the coordination of Europol.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- Law enforcement seized 34 domains and 23 servers located in seven countries, and the U.S. froze $3.5 million in cryptocurrency.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- All infected devices used in the SocksEscort proxy network have been disconnected from the service.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- The AVRecon malware, believed to have been active since at least May 2021, infected over 70,000 Linux-based SOHO routers by mid-2023.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- Lumen researchers disrupted the AVRecon router botnet in 2023 by null-routing the command-and-control (C2) infrastructure.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- SocksEscort used only the AVRecon malware to add new nodes, with 280,000 unique victim IP addresses observed since the beginning of 2025.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19
- Over half of the infected devices were located in the United States and the United Kingdom.
First reported: 12.03.2026 18:19 · 1 source, 1 article
- US disrupts SocksEscort proxy network powered by Linux malware — www.bleepingcomputer.com — 12.03.2026 18:19