
Global Malware Proxy Network Dismantled
International law enforcement agencies have dismantled a large cybercriminal proxy network known as SocksEscort that was used to facilitate fraud, hacking, and cryptocurrency theft.
Authorities seized 34 domains and 23 servers linked to the network and froze approximately $3.5 million in cryptocurrency connected to the operation.
The takedown was part of an international law enforcement effort known as Operation Lightning.
Malware-Infected Routers Used as Proxy Infrastructure
The SocksEscort service operated by infecting home internet routers with malware.
Once compromised, the routers were used as part of a global proxy network that allowed cybercriminals to hide their true location while conducting illegal activities.
Access to the infected devices was reportedly sold to criminals who used the infrastructure to conduct hacking operations, including attacks targeting cryptocurrency wallets.
According to investigators, the network routed traffic through hundreds of thousands of IP addresses belonging to infected devices around the world.
Hundreds of Thousands of IP Addresses Involved
Authorities said the network utilized more than 369,000 IP addresses across 163 countries since 2020.
This massive infrastructure allowed cybercriminals to conduct fraud, bypass security systems, and obscure their identities during cyberattacks.
The scale of the network highlights the growing role of compromised consumer devices in global cybercrime operations.
Crypto Theft Among the Crimes Linked to the Network
Several victims were identified in connection with crimes carried out through the proxy infrastructure.
Among them:
- A New York resident reportedly lost approximately $1 million in cryptocurrency.
- A Pennsylvania company suffered losses of around $700,000.
- U.S. military personnel were defrauded of roughly $100,000.
Authorities say the proxy service enabled criminals to carry out a wide range of fraud schemes while masking their location.
Massive International Law Enforcement Operation
The takedown involved coordination between multiple international agencies.
Participating organizations included the FBI, the IRS Criminal Investigation division, Europol, Eurojust, and national police forces from several European countries, including Austria, Bulgaria, France, Germany, Hungary, the Netherlands, and Romania.
The operation represents one of the larger coordinated efforts targeting cybercrime infrastructure used in crypto-related fraud.
BTCUSA Insight
The SocksEscort takedown highlights how cryptocurrency crime often depends on broader cybercrime infrastructure rather than blockchain vulnerabilities themselves.
Proxy networks, malware-infected devices, and anonymization services are frequently used by attackers to hide their identities while targeting crypto wallets and exchanges.
As law enforcement agencies increase cooperation across borders, these infrastructure-level takedowns may become a more common strategy in combating large-scale crypto fraud.
