A Global Operation Shuts Down Massive Botnet of Hacked Routers
In a coordinated effort, a global coalition of law enforcement agencies successfully dismantled a botnet consisting of tens of thousands of compromised home and small business routers. The operation targeted SocksEscort, a paid proxy service that utilized the botnet to carry out a range of criminal activities, including unauthorized access to individuals’ financial accounts and fraudulent unemployment insurance claims. The Justice Department revealed that the illicit operations facilitated by SocksEscort resulted in significant financial losses for American victims.
Europol, in its announcement of the operation, disclosed that the SocksEscort botnet had compromised over 369,000 routers and Internet of Things devices across 163 countries. The infected devices have now been disconnected from the malicious service. The agency further stated that the botnet was used to enable ransomware attacks, distributed denial of service (DDoS) attacks, and the distribution of child sexual abuse material (CSAM).
According to Europol, customers of the criminal service paid for licenses to exploit the infected devices, allowing them to conceal their true IP addresses while engaging in criminal activities. Owners of the compromised routers were unaware that their devices were being utilized for nefarious purposes.
Following the enforcement operation, the official website of SocksEscort was replaced with a notice confirming the seizure, signaling the end of the illicit proxy service.
The botnet, which had grown to approximately 280,000 routers by January, was driven by a malware strain known as AVRecon. Cybersecurity firm Black Lotus Labs, which closely monitored SocksEscort, collaborated with law enforcement in the takedown effort.
Black Lotus Labs described the botnet as a significant threat whose clientele consisted of criminals. Over half of the impacted devices were located in the United States and the United Kingdom, which gave the service's customers exit points in those countries and allowed them to execute highly targeted operations.
In a report from 2023, Black Lotus Labs labeled SocksEscort as one of the largest botnets focusing on small-office/home-office (SOHO) routers in recent memory. The cybersecurity community had been monitoring the activities of SocksEscort since its inception in 2009 as a Russian-language service offering access to compromised computers.