Authorities Seize $3.5M in Crypto, Dismantle Global Fraud Network
A global law enforcement coalition including the U.S. Department of Justice and Europol has dismantled the SocksEscort malicious proxy service, freezing approximately $3.5 million in cryptocurrency. The action, codenamed "Operation Lightning," involved seizing 34 domains and disrupting 23 servers across seven countries. This takedown cripples a key piece of infrastructure that criminals used to anonymize their activities and execute financial fraud, including cryptocurrency account takeovers, since 2020.
Network Earned $5.7M by Hijacking 369,000 Devices
The SocksEscort service operated by infecting at least 369,000 routers and internet-connected devices in 163 countries with the AVrecon malware. This created a vast botnet, which the operators then rented out to criminals seeking to hide their true IP addresses. The platform generated an estimated €5 million ($5.7 million) in revenue, with criminals paying in cryptocurrency for anonymous access. The service directly enabled significant financial losses, including one instance where a New York-based victim was defrauded of roughly $1 million in cryptocurrency.
Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.
— Catherine De Bolle, Europol Executive Director.
The investigation, which began in June 2025, revealed that the AVrecon malware was sophisticated enough to flash custom firmware onto infected routers, permanently disabling update features and cementing its control over each device. The takedown disrupts a persistent and profitable criminal enterprise that victimized individuals and businesses on a global scale.