SocksEscort criminal proxy-service ecosystem monetizing residential routers
Threat Actor Meta
Summary
The SocksEscort proxy-service ecosystem turned compromised residential routers into a rentable abuse platform, letting criminal customers hide behind 369,000 IP addresses across 163 countries. That model mattered because it converted botnet access into a subscription service for fraud, ransomware, DDoS, and other abuse. By February 2026, the service was still listing nearly 8,000 infected routers, showing a durable underground market rather than a one-off botnet.
Related Happenings
First VPN Service as criminal VPN infrastructure for ransomware and fraud operators
Threat Actor Meta
First: 22.05.2026 20:35
Last: 22.05.2026 20:35
Sources 1
About this happening:
**First VPN Service** functioned as a criminal VPN layer that let ransomware, fraud, and data theft operators hide their identities, expanding the reach and resilience of undergro...
Kimwolf operators build a cybercrime-as-a-service DDoS access market
Threat Actor Meta
First: 22.05.2026 11:50
Last: 22.05.2026 11:50
Sources 1
About this happening:
The **Kimwolf** operators ran a **cybercrime-as-a-service** market that sold access to infected devices, widening **DDoS-for-hire** abuse. The model turned compromised **digital p...
NCSC-UK joint advisory on covert botnets and proxy networks
Public Sector Action
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
**NCSC-UK** and partner agencies issued a **joint advisory** warning that **China-nexus hackers** are using **hijacked consumer devices** as covert proxy networks to hide maliciou...
Operation PowerOff DDoS-for-hire takedown
Law Enforcement
First: 17.04.2026 09:40
Last: 17.04.2026 09:40
Sources 1
About this happening:
Europol and partners in 21 countries carried out Operation PowerOff, disrupting a DDoS-for-hire/booter-service ecosystem. The coordinated action took down 53 domains, seized infra...
Latest development: 17.04.2026 14:30
Europol-led Operation PowerOff involved police and cybersecurity agencies from 21 countries and disrupted DDoS-for-hire infrastructure by taking down 53 domains, seizing databases linked to over three million criminal user accounts, removing over 100 advertising URLs, and arresting four people suspected of providing DDoS-for-hire services.
Operation PowerOFF DDoS-for-hire arrests and takedowns
Law Enforcement
First: 17.04.2026 01:26
Last: 17.04.2026 01:26
Sources 1
About this happening:
Authorities participating in Operation PowerOFF disrupted DDoS-for-hire and booter infrastructure across 21 countries, arresting four suspects and taking 53 domains offline. The a...
Latest development: 17.04.2026 14:30
Europol-led Operation PowerOff involved police and cybersecurity agencies from 21 countries and disrupted DDoS-for-hire infrastructure by taking down 53 domains, seizing databases linked to over three million criminal user accounts, removing over 100 advertising URLs, and arresting four people suspected of providing DDoS-for-hire services.
Timeline
13.03.2026 07:26 2 articles · 2mo ago
Operation Lightning dismantles SocksEscort proxy service
Initial Disclosure
Court-authorized international law enforcement acting under Operation Lightning dismantled SocksEscort, a criminal proxy service that used AVrecon to infect residential and small-business routers and resell traffic relay access for fraud and other abuse; authorities said the disruption took down 34 domains and 23 servers, froze $3.5 million in cryptocurrency, and targeted infrastructure spanning multiple countries.
Sources
- Authorities Disrupt SocksEscort Proxy Botnet Exploiting 369,000 IPs Across 163 Countries — thehackernews.com — 13.03.2026 07:26