Operation Lightning Dismantles SocksEscort Proxy Network That Compromised 360,000 Routers
International law enforcement has taken down SocksEscort, a malicious proxy service that compromised over 360,000 routers and IoT devices worldwide since 2020 to facilitate cybercrime.
International law enforcement agencies have dismantled the SocksEscort malicious proxy service in a coordinated action dubbed Operation Lightning, seizing infrastructure that had compromised over 360,000 routers and IoT devices across 163 countries since 2020. The operation, announced on March 13, 2026, targeted a service that offered cybercriminals access to thousands of proxies to conceal their activities.
SocksEscort operated by infecting routers and IoT devices with malware that belonged to both businesses and individuals globally. The malware directed internet traffic through these compromised devices, allowing customers to mask their true IP addresses and locations. As of February 2026, the service listed approximately 8,000 infected routers available for purchase, with 2,500 of those located in the United States, according to a US Department of Justice statement.
The proxy service enabled a wide range of criminal activities, including bank account takeovers, cryptocurrency account fraud, and fraudulent unemployment insurance claims. It also facilitated ransomware attacks, distributed denial-of-service (DDoS) attacks, and the distribution of child sexual abuse material (CSAM). Customers accessed the service through a payment platform that allowed anonymous purchases using cryptocurrency, which received nearly $6 million from proxy service customers.
During the action day on March 11, law enforcement agencies seized 34 domains and 23 servers located across seven countries. The United States also froze $3.5 million in cryptocurrency linked to the operation. Agencies involved included those from the US, Austria, France, and the Netherlands, with coordination support from Eurojust and Europol, which hosted a Virtual Command Post at its headquarters in The Hague.
Lumen Technologies' Black Lotus Labs and the Shadowserver Foundation provided technical assistance during the investigation and takedown. The operation highlights the growing threat posed by residential proxy networks, which leverage compromised consumer devices to provide anonymity for cybercriminals at scale.
Router users and vendors are advised to regularly update device firmware to protect against such exploits. The takedown of SocksEscort represents a significant disruption to the cybercrime ecosystem, removing a key infrastructure component used by multiple threat actors to anonymize their attacks.