US and European Authorities Disrupt socksEscort Proxy Service Tied to AVrecon Botnet

Security Affairs, Mar 13, 2026

Key Takeaways

  • Operation Lightning seized 34 domains and 23 servers
  • Botnet compromised 369,000 routers across 163 countries
  • Authorities froze $3.5 million in cryptocurrency assets
  • Service generated over €5 million revenue from proxy sales
  • Documented victim losses: $1 million in cryptocurrency from one investor and $700k at a manufacturing firm

Pulse Analysis

The AVrecon botnet, first identified in 2021, has quietly built a global network of compromised SOHO routers and IoT devices. Written in C for ARM architectures, the malware exploits firmware flaws in residential modems, turning each router into a low‑cost proxy node. By bundling these hijacked IP addresses into the SocksEscort service, cybercriminals offered anonymity to buyers, enabling ransomware, DDoS attacks, and illicit content distribution. At its peak the botnet controlled roughly 369,000 devices in 163 countries, supplying more than 35,000 active proxies to a subscription‑based clientele.

Operation Lightning, coordinated by Europol with U.S. DOJ and several European law‑enforcement agencies, struck in March 2026. Investigators seized 34 domains and 23 servers across seven nations, disconnected infected routers, and froze roughly $3.5 million in cryptocurrency tied to the service’s €5 million revenue stream. The takedown disrupted a lucrative business model that charged criminals for proxy licences, with documented losses of $1 million to a crypto investor and $700k to a manufacturing firm. By dismantling the command‑and‑control infrastructure, authorities removed a critical layer of anonymity that underpinned ransomware campaigns and fraud schemes worldwide.

The disruption underscores the growing risk posed by insecure consumer‑grade networking equipment. Vendors must accelerate firmware patch cycles and adopt secure‑by‑design principles, while users should enable automatic updates and change default credentials. Law‑enforcement success also highlights the value of cross‑border intelligence sharing; similar collaborative frameworks could target emerging threats such as cryptomining botnets and AI‑driven phishing kits. For enterprises, monitoring outbound traffic for proxy‑like patterns and employing network‑level threat‑intel feeds can help detect compromised edge devices before they are monetized by criminal services.
