Authorities Dismantle Botnet Comprising Tens of Thousands of Compromised Routers

On Wednesday, law enforcement agencies worldwide dismantled a botnet formed by tens of thousands of compromised routers. The crackdown focused on SocksEscort, a paid proxy service that ran on a botnet of hacked routers and was used to commit various crimes, including bank and cryptocurrency account hacks and fraudulent unemployment claims, according to a Justice Department announcement. The crimes facilitated by SocksEscort resulted in multimillion-dollar losses in the U.S.

Europol stated that the botnet affected over 369,000 routers and IoT devices in 163 countries, and that the infected routers were disconnected from the network. The service was used for criminal activities such as ransomware and DDoS attacks, and to distribute illegal materials. Europol mentioned that customers paid to misuse these devices, unaware of the illicit use of their IP addresses.

The SocksEscort website now displays a notice of its seizure. Since January, the botnet has consisted of around 280,000 routers, backed by AVRecon malware, according to Black Lotus Labs, which aided in the takedown. Black Lotus Labs noted that the botnet posed a significant threat because it was marketed exclusively to criminals, and that over half its victims were in the U.S. and U.K., allowing targeted attacks.

In 2023, Black Lotus Labs identified SocksEscort as one of the largest botnets targeting small-office/home-office routers in recent history. Brian Krebs reported that the service originated in 2009 as a Russian-language platform selling access to numerous hacked computers.
