Find notable cyber news and cases, enriched with sources, timelines, and signals.

Operation Lightning takedown of SocksEscort proxy service

Law Enforcement
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

International law enforcement partners dismantled the SocksEscort proxy service in Operation Lightning, disrupting a cybercrime network used to hide originating IP addresses and support fraud and other attacks. The service was allegedly tied to over 360,000 compromised routers and IoT devices across 163 countries since 2020, with about 8,000 infected routers listed by February 2026. On March 11, agencies seized 34 domains and 23 servers in seven countries, and the US froze $3.5m in cryptocurrency.

Related Happenings

Operation Endgame takedown of Amadey and StealC infrastructure

Law Enforcement
H score66 First: 24.06.2026 18:02 Last: 24.06.2026 18:02 Sources 1

About this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...

Popa botnet forcing consumer TV boxes to relay traffic

Malware Activity
H score76 First: 18.06.2026 20:37 Last: 18.06.2026 20:37 Sources 1

About this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...

Latest development: 03.07.2026 12:35

Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.

Operation KRATOS 2 streaming piracy crackdown

Law Enforcement
H score55 First: 03.06.2026 13:12 Last: 03.06.2026 13:12 Sources 1

About this happening: **European and international law enforcement** dismantled **nine organized crime groups** and arrested **29 suspects** in **Operation KRATOS 2**, a cross-border crackdown on **ill...

Kimwolf operators build a cybercrime-as-a-service DDoS access market

Threat Actor Meta
H score24 First: 22.05.2026 11:50 Last: 22.05.2026 11:50 Sources 1

About this happening: The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...

First VPN had assets seized in First VPN takedown

Law Enforcement
H score17 First: 21.05.2026 18:30 Last: 21.05.2026 18:30 Sources 1

About this happening: Authorities **took down First VPN**, a **ransomware**-linked service used to hide cybercrime activity, in a coordinated action led by **France and the Netherlands**. The operation...

Timeline

  1. 13.03.2026 12:00 2 articles · 3mo ago

    Operation Lightning seizes SocksEscort infrastructure

    Legal Policy Action Update

    International law enforcement partners seized 34 domains and 23 servers in seven countries, froze $3.5m in cryptocurrency, and disrupted the SocksEscort malicious proxy service that routed traffic through infected routers.

    Show sources
  2. 13.03.2026 12:00 1 articles · 3mo ago

    SocksEscort network scale and abuse are disclosed

    Initial Disclosure

    SocksEscort was described as a malicious proxy service that allegedly compromised over 360,000 routers and internet of things (IoT) devices in 163 countries since 2020, offered customers over 35,000 proxies in recent years, and enabled concealment of source IP addresses for bank takeovers, cryptocurrency-account fraud, fraudulent unemployment insurance claims, ransomware, DDoS attacks, and CSAM distribution.

    Show sources