International Law Enforcement Dismantles SocksEscort Proxy Botnet, Freezing Millions in Crypto
A coordinated international law enforcement operation has successfully dismantled the **SocksEscort** proxy service, a criminal network that hijacked thousands of residential routers worldwide to facilitate large-scale fraud. The operation, dubbed 'Operation Lightning,' resulted in the seizure of numerous domains and servers, and the freezing of millions in cryptocurrency.

### SocksEscort's Modus Operandi
According to the **U.S. Department of Justice (DoJ)**, SocksEscort infected home and small business internet routers with malware, effectively conscripting them into a botnet. This allowed SocksEscort to redirect internet traffic through the compromised routers, offering its customers a way to mask their online activities behind the routers' residential IP addresses.
The service, operating under the domain "socksescort[.]com," reportedly provided access to approximately 369,000 unique IP addresses across 163 countries since the summer of 2020. As of February 2026, the service listed nearly 8,000 infected routers, with 2,500 located within the U.S.
SocksEscort marketed itself as offering "static residential IPs with unlimited bandwidth," capable of bypassing spam blocklists. Pricing ranged from $15 per month for 30 proxies to $200 per month for a package of 5,000.
### The Impact of Compromised Routers
The primary function of services like SocksEscort is to enable malicious actors to conceal their true IP addresses and locations, making it difficult to distinguish malicious traffic from legitimate activity. This obfuscation facilitates a range of cybercrimes.
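The concealment described above works because a compromised router accepts proxy requests from strangers and forwards them as though they came from the household. As an added, defender-side example (not code from the article, Europol, the DoJ or Black Lotus Labs), the following Python decodes SOCKS5 client messages (RFC 1928), the protocol the service's name suggests but which the article does not itself specify, and flags requests that reach a router from outside its LAN. The LAN range and the sample flows are constructed for the example.

```python
"""Decode SOCKS5 (RFC 1928) client messages found in captured traffic.

Added example for defenders: if a home router is relaying third-party SOCKS5
sessions, requests arriving from outside the LAN will decode cleanly here.
All sample flows below are constructed, not taken from any real capture.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

METHOD_NAMES = {0x00: "no-auth", 0x01: "gssapi", 0x02: "username/password"}
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}

# Assumed LAN range of the monitored home network (constructed for the example).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Socks5Request:
    command: str
    address: str
    port: int


def parse_greeting(data: bytes) -> Optional[List[str]]:
    """Return the auth methods offered by a SOCKS5 greeting, or None if it is not one."""
    if len(data) < 3 or data[0] != 0x05:
        return None
    nmethods = data[1]
    if nmethods == 0 or len(data) != 2 + nmethods:
        return None
    return [METHOD_NAMES.get(m, f"unknown(0x{m:02x})") for m in data[2:]]


def parse_request(data: bytes) -> Optional[Socks5Request]:
    """Decode a SOCKS5 request (VER CMD RSV ATYP DST.ADDR DST.PORT); None if malformed."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00 or data[1] not in CMD_NAMES:
        return None
    atyp = data[3]
    if atyp == 0x01:                       # IPv4: 4 address bytes
        if len(data) != 10:
            return None
        address, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == 0x04:                     # IPv6: 16 address bytes
        if len(data) != 22:
            return None
        address, end = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == 0x03:                     # domain name: 1 length byte + name
        if len(data) < 5 or len(data) != 5 + data[4] + 2:
            return None
        address, end = data[5:5 + data[4]].decode("ascii", errors="replace"), 5 + data[4]
    else:
        return None
    (port,) = struct.unpack("!H", data[end:end + 2])
    return Socks5Request(CMD_NAMES[data[1]], address, port)


# Constructed flows: (source IP, destination port on the router, first payload bytes).
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("203.0.113.7", 1080, b"\x05\x01\x00\x01\x5d\xb8\xd8\x22\x01\xbb"),      # outside host: CONNECT 93.184.216.34:443
    ("192.168.1.20", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # LAN host: TLS ClientHello prefix, not SOCKS
    ("198.51.100.9", 1080, b"\x05\x01\x00\x03\x0bexample.com\x00\x50"),      # outside host: CONNECT example.com:80
    ("192.168.1.31", 1080, b"\x05\x01\x00\x01\x0a\x00\x00\x05\x00\x16"),     # LAN host using its own proxy: not flagged
]


def find_relayed_sessions(flows: List[Tuple[str, int, bytes]]) -> List[Tuple[str, Socks5Request]]:
    """Return SOCKS5 requests that reached the router from outside the LAN.

    A residential router normally proxies nothing for strangers, so even one
    such hit is worth investigating.
    """
    hits = []
    for src, _dport, payload in flows:
        req = parse_request(payload)
        if req is not None and ipaddress.ip_address(src) not in LAN_NET:
            hits.append((src, req))
    return hits


if __name__ == "__main__":
    for src, req in find_relayed_sessions(SAMPLE_FLOWS):
        print(f"{src} -> {req.command} {req.address}:{req.port}")
```

The length checks matter: a SOCKS5 request is fixed-size for IPv4 and IPv6 and self-describing for domain names, so any byte string that decodes cleanly and arrives from the WAN side is a strong signal that the router is relaying someone else's sessions rather than a coincidental match.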
Victims of fraud perpetrated through SocksEscort include a cryptocurrency exchange customer in New York who lost $1 million, a Pennsylvania manufacturing business defrauded of $700,000, and U.S. service members who were scammed out of $100,000 using MILITARY STAR cards.
### Operation Lightning: A Coordinated Response
**Europol** announced that **Operation Lightning** involved authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the U.S. The operation led to the takedown of 34 domains and 23 servers across seven countries and the freezing of $3.5 million in cryptocurrency.

Europol stated that the compromised devices, mainly residential routers, were exploited to facilitate ransomware attacks, DDoS attacks, and the distribution of child sexual abuse material (CSAM). The devices were infected via a vulnerability in a specific brand's residential modems.
Customers accessed the proxy service through a payment platform allowing anonymous cryptocurrency purchases. The platform reportedly received over EUR 5 million from proxy service customers.
### AVrecon Malware: The Engine Behind SocksEscort
SocksEscort was powered by the **AVrecon** malware, publicly documented by **Lumen Black Lotus Labs** in July 2023 but believed to be active since at least May 2021. The service is estimated to have victimized 280,000 distinct IP addresses since early 2025.
AVrecon not only turns infected devices into SocksEscort residential proxies but also establishes a remote shell to an attacker-controlled server and acts as a loader, downloading and executing arbitrary payloads. The malware targets approximately 1,200 device models manufactured by **Cisco**, **D-Link**, **Hikvision**, **Mikrotik**, **NETGEAR**, **TP-Link**, and **Zyxel**.
A **NETGEAR** spokesperson stated that while some of its devices were targeted in the early stages of the botnet activity in 2016, the company promptly deployed remediation efforts, and there is no indication that its equipment has been exploited since then.
The **U.S. Federal Bureau of Investigation** noted that the majority of AVrecon infections occur on small-office/home-office (SOHO) routers using critical vulnerabilities like Remote Code Execution (RCE) and command injection. AVrecon is written in the C language and primarily targets MIPS and ARM devices.
To maintain persistence, attackers use the device's built-in update mechanism to flash a custom firmware image containing a copy of AVrecon, which is hard-coded to execute on device startup. This modified firmware also disables the device's update and flashing features, permanently infecting the devices.
Black Lotus Labs emphasized the significant threat posed by the botnet, marketed exclusively to criminals and composed solely of compromised edge devices. SocksEscort maintained an average size of approximately 20,000 distinct victims weekly, with communications routed through an average of 15 command-and-control nodes (C2s).