A global coalition of law enforcement agencies shut down a botnet made of tens of thousands of hacked home and small business routers on Wednesday.
The operation targeted SocksEscort, which offered paid proxy services and was built on a botnet of hacked routers used to commit various crimes, such as hacking into victims’ bank and cryptocurrency accounts and filing fraudulent unemployment insurance claims, according to an announcement published on Thursday by the Department of Justice (DOJ). The DOJ said the crimes facilitated by SocksEscort cost Americans millions of dollars.
Europol said in its announcement of the operation that the SocksEscort botnet allegedly compromised more than 369,000 routers and Internet of Things devices in 163 countries and that the infected routers “have been disconnected from the service.” The law enforcement agency said SocksEscort was used to facilitate ransomware, distributed denial of service (DDoS) attacks, and the distribution of child sexual abuse material (CSAM).
“Customers of the criminal service paid for licenses to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities,” said Europol. “Upon infection with the malware, the modems’ owners would not be aware that their IP addresses were used for illegitimate activities.”
The content of the SocksEscort official website was replaced by a notice announcing the seizure, as part of the law enforcement operation.
Since last January, the botnet had been composed of around 280,000 routers and was powered by malware called AVRecon, according to cybersecurity firm Black Lotus Labs, which tracked SocksEscort and worked with law enforcement in the takedown operation.
“This botnet posed a significant threat, as it was marketed exclusively to criminals,” the company wrote in its post about the takedown. “Notably, over half of its victims were located in the United States or the United Kingdom, enabling attackers to conduct highly targeted operations.”
In 2023, Black Lotus Labs called SocksEscort “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history.”
At the time, cybersecurity journalist Brian Krebs reported that SocksEscort was born in 2009 as a Russian-language service selling access to thousands of hacked computers.




