Operation Lightning takedown of SocksEscort proxy service
Law Enforcement
Summary
Hide ▲
Show ▼
International law enforcement partners dismantled the SocksEscort proxy service in Operation Lightning, disrupting a cybercrime network used to hide originating IP addresses and support fraud and other attacks. The service was allegedly tied to over 360,000 compromised routers and IoT devices across 163 countries since 2020, with about 8,000 infected routers listed by February 2026. On March 11, agencies seized 34 domains and 23 servers in seven countries, and the US froze $3.5m in cryptocurrency.
Related Happenings
Operation Endgame takedown of Amadey and StealC infrastructure
Law Enforcement
H score66
First: 24.06.2026 18:02
Last: 24.06.2026 18:02
Sources 1
About this happening:
An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
Operation Endgame takedown of Amadey and StealC infrastructure
Law EnforcementAbout this happening: An **international law-enforcement takedown** under **Operation Endgame** disrupted shared infrastructure used by **Amadey** and **StealC**, with **Microsoft**, **Europol**, and i...
Popa botnet forcing consumer TV boxes to relay traffic
Malware Activity
H score76
First: 18.06.2026 20:37
Last: 18.06.2026 20:37
Sources 1
About this happening:
**Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Popa botnet forcing consumer TV boxes to relay traffic
Malware ActivityAbout this happening: **Popa** is an **Android-based botnet** that turns **consumer TV boxes** and related devices into relay infrastructure, maintaining encrypted connectivity and opening tunnels on d...
Latest development: 03.07.2026 12:35
Google disabled NetNut accounts used for malware command-and-control, updated Google Play Protect to warn Android users, and disabled apps containing compromised SDKs while FBI legal actions and domain seizures targeted NetNut infrastructure. The coordinated disruption was described as degrading NetNut’s proxy network and shrinking the pool of devices available to the operator.
Operation KRATOS 2 streaming piracy crackdown
Law Enforcement
H score55
First: 03.06.2026 13:12
Last: 03.06.2026 13:12
Sources 1
About this happening:
**European and international law enforcement** dismantled **nine organized crime groups** and arrested **29 suspects** in **Operation KRATOS 2**, a cross-border crackdown on **ill...
Operation KRATOS 2 streaming piracy crackdown
Law EnforcementAbout this happening: **European and international law enforcement** dismantled **nine organized crime groups** and arrested **29 suspects** in **Operation KRATOS 2**, a cross-border crackdown on **ill...
Kimwolf operators build a cybercrime-as-a-service DDoS access market
Threat Actor Meta
H score24
First: 22.05.2026 11:50
Last: 22.05.2026 11:50
Sources 1
About this happening:
The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...
Kimwolf operators build a cybercrime-as-a-service DDoS access market
Threat Actor MetaAbout this happening: The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...
First VPN had assets seized in First VPN takedown
Law Enforcement
H score17
First: 21.05.2026 18:30
Last: 21.05.2026 18:30
Sources 1
About this happening:
Authorities **took down First VPN**, a **ransomware**-linked service used to hide cybercrime activity, in a coordinated action led by **France and the Netherlands**. The operation...
First VPN had assets seized in First VPN takedown
Law EnforcementAbout this happening: Authorities **took down First VPN**, a **ransomware**-linked service used to hide cybercrime activity, in a coordinated action led by **France and the Netherlands**. The operation...
Timeline
-
13.03.2026 12:00 2 articles · 3mo ago
Operation Lightning seizes SocksEscort infrastructure
Legal Policy Action UpdateInternational law enforcement partners seized 34 domains and 23 servers in seven countries, froze $3.5m in cryptocurrency, and disrupted the SocksEscort malicious proxy service that routed traffic through infected routers.
Show sources
- Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
- Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00
-
13.03.2026 12:00 1 articles · 3mo ago
SocksEscort network scale and abuse are disclosed
Initial DisclosureSocksEscort was described as a malicious proxy service that allegedly compromised over 360,000 routers and internet of things (IoT) devices in 163 countries since 2020, offered customers over 35,000 proxies in recent years, and enabled concealment of source IP addresses for bank takeovers, cryptocurrency-account fraud, fraudulent unemployment insurance claims, ransomware, DDoS attacks, and CSAM distribution.
Show sources
- Law Enforcement Dismantles SocksEscort Proxy Network in Operation Lightning — www.infosecurity-magazine.com — 13.03.2026 12:00