A New York resident lost close to $1 million in cryptocurrency. That single case became one of the clearest examples of the damage done by SocksEscort — a for-hire proxy service that gave criminals across the globe a way to hide while they stole.
A Network Built On Hijacked Devices
US and European authorities announced Thursday they had shut down SocksEscort after years of operation. The service worked by infecting routers and other internet-connected devices with malware, turning them into cover points that masked the real locations of cybercriminals.
According to the Department of Justice, the network had quietly burrowed into at least 369,000 devices spread across 163 countries. Criminals could then route their attacks through those compromised machines, making them far harder to trace.
The malware at the heart of the operation — known as AVrecon — had been publicly identified by cybersecurity firm Black Lotus Labs as far back as July 2023. The network kept running anyway.
Source: DOJ
The takedown was not a single agency effort. Law enforcement from Austria, France, Germany, Hungary, the Netherlands, Romania, and the US worked the case together.
On the American side, the FBI’s Sacramento Field Office, the IRS Criminal Investigation Oakland Field Office, and the Department of Defense’s Defense Criminal Investigative Service all had a hand in it.
Europol and Eurojust provided cross-border coordination support. Black Lotus Labs and the nonprofit Shadowserver Foundation supplied technical intelligence that helped investigators connect the dots.
Criminals Paid In Crypto To Stay Anonymous
SocksEscort did not just attract individual bad actors. It ran like a business. Customers paid to access the service, and they did so anonymously — using cryptocurrency to avoid leaving a financial trail.
Based on reports from Europol, the platform pulled in at least 5 million euros, roughly $5.7 million, from its paying users over the course of its run.
Authorities were ultimately able to seize 34 domains, take down about two dozen servers operating across seven countries, and freeze approximately $3.5 million in crypto tied to the operation.
Europol Executive Director Catherine De Bolle said proxy services of this kind give criminals the cover to carry out attacks, move illegal content, and dodge detection. She credited the international cooperation for exposing the infrastructure behind it.
Fraud Stretched From Bank Accounts To Crypto Wallets
The crimes enabled by SocksEscort went beyond any single method. Officials linked the network to bank fraud and cryptocurrency account takeovers dating back to 2020.
The New York victim’s case stood out for its scale, but reports indicate the damage was spread across multiple countries and target types.
Featured image from Pexels, chart from TradingView
