Law enforcement agencies across several countries have dismantled SocksEscort, a sophisticated residential proxy network that facilitated large-scale fraud for cybercriminals. The operation, dubbed Operation Lightning, seized approximately 369,000 IP addresses that the network had allegedly compromised since 2020, according to a statement from the U.S. Department of Justice. The action is a significant blow against online criminal activity that relies on such networks for anonymity.
The coordinated effort involved Europol, along with various national law enforcement bodies, Lumen’s Black Lotus Labs, and the Shadowserver Foundation. Officials reported that the malicious proxy service had compromised routers and Internet of Things (IoT) devices in 163 countries. The financial arm of the operation was also targeted, with authorities stating that the proxy network’s payment platform had collected an estimated $5.8 million from its users.
Operation Lightning Targets SocksEscort's Illicit Network
Operation Lightning involved the seizure of 34 domains and 23 servers situated across seven different countries. U.S. authorities also announced the freezing of approximately $3.5 million in cryptocurrency, which they believe is linked to the botnet infrastructure built from compromised devices. The stated goal of these actions is to disrupt the financial gains and operational capabilities of cybercriminal groups.
Catherine De Bolle, executive director at Europol, emphasized the critical role of anonymity in cybercrime. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection,” De Bolle said in a statement. This highlights the motivation behind the operation’s focus on dismantling the infrastructure that enables such anonymity.
Exploitation of Vulnerabilities Fueled the Botnet
According to officials, the operators behind SocksEscort assembled their extensive botnet by exploiting vulnerabilities in residential modems from an unspecified vendor. This gave them control over a vast number of devices, which were then rented out as proxies to malicious actors. The compromised devices served as the backbone of the fraudulent activity.
The Justice Department said the cybercrime operation resulted in millions of dollars in losses for Americans and U.S. businesses. More than a quarter of the 8,000 infected routers advertised by SocksEscort in February were located within the United States, suggesting a significant impact on domestic targets.
Research from Black Lotus Labs indicates that SocksEscort had been operational since 2009. Ryan English, an information security engineer at Black Lotus Labs, told CyberScoop that the network's command-and-control infrastructure went undetected by many security tools for an extended period. That longevity allowed the operation to grow and run with relative impunity.
The botnet’s infrastructure, powered by the AVRecon malware, was notably elusive and maintained a consistently high volume of activity. Since early 2024, it reportedly victimized an average of 20,000 devices weekly. Black Lotus Labs also reported that the network’s impact peaked in January 2025, ensnaring over 15,000 victims daily during that period.
Black Lotus Labs observed 280,000 unique IP addresses as victims of the proxy network since the beginning of 2025. The lab's report further indicates that more than half of SocksEscort's victims were based in the United States and the United Kingdom, underscoring the international scope of its illicit activity.
Chris Formosa, a senior lead information security engineer at Black Lotus Labs, suggested that the network’s substantial victim generation likely contributed to it becoming a target of law enforcement attention. “They were exclusively marketing to cybercriminals and nowhere else,” Formosa stated. He also noted that law enforcement access to backend infrastructure of such networks often yields valuable intelligence on other threat actors operating in the digital space.
The dismantling of SocksEscort was the result of significant international cooperation. Agencies from Austria, Bulgaria, Eurojust, France, Germany, Hungary, the Netherlands, and Romania played crucial roles in the investigation and execution of the takedown, reflecting the global nature of the threat posed by cybercrime networks.
The next steps in this ongoing effort will involve further analysis of the seized infrastructure and cryptocurrency to identify the individuals behind SocksEscort and their customers. Authorities have not yet announced any arrests, and it remains to be seen how this disruption will affect the market for cybercrime services that rely on residential proxy networks. Investigators will continue to monitor for any resurgence or replacement of similar illicit operations.