Date: 2026-03-13

US and European authorities said Thursday they had disrupted SocksEscort, a malicious proxy service used by cybercriminals to hide their identities while carrying out fraud, including cryptocurrency account takeovers.

The DOJ said the service compromised at least 369,000 routers and other internet-connected devices in 163 countries, giving cybercriminals control over proxies that hid their true IP addresses.

The platform reportedly enabled crimes, including bank fraud and cryptocurrency account takeovers, since 2020. In one case cited by prosecutors, a victim in New York lost roughly $1 million in cryptocurrency.

Authorities said they seized 34 domains, disrupted about two dozen servers across seven countries and froze about $3.5 million in cryptocurrency linked to the operation.

The network received at least $5.7 million from users

To access the proxy service, customers used a payment platform that allowed them to purchase it anonymously with cryptocurrency, according to a statement by Europol.

Investigators estimate that SocksEscort received at least 5 million euros ($5.7 million) from its users.

“Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection,” Europol Executive Director Catherine De Bolle said.

“Operations like this show that when investigators connect the dots internationally, the infrastructure behind cybercrime can be exposed and shut down,” she added.

The operation involved agencies from multiple countries

The takedown was part of a coordinated international effort that included law enforcement agencies from Austria, France, the Netherlands, Germany, Hungary, Romania and the US.

The FBI Sacramento Field Office, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and IRS Criminal Investigation Oakland Field Office were among the US agencies involved. Europol and Eurojust provided investigative and operational support for the cross-border operation.

The DOJ also acknowledged the assistance of Black Lotus Labs, the threat intelligence unit of the US telecom company Lumen Technologies, and the nonprofit organization Shadowserver Foundation, which provided technical intelligence during the investigation.

According to The Hacker News, SocksEscort relied on malware known as AVrecon, details of which were publicly documented by Black Lotus Labs in July 2023.

