The operation was led by the U.S. Department of Justice (DOJ) and involved multiple global law enforcement agencies.
Authorities say the network infected thousands of internet routers worldwide with malware and allowed criminals to route their traffic through these compromised devices.
This enabled attackers to disguise their true locations and carry out fraud attacks that caused millions of dollars in financial losses to individuals, businesses, and financial institutions in the United States.
According to court documents, the SocksEscort operation targeted home and small business routers. Malware was installed on vulnerable devices, turning them into nodes in a large residential proxy network.
Once infected, these routers could secretly forward internet traffic for paying customers of the SocksEscort service.
This setup allowed cybercriminals to conduct illegal activity using the IP addresses of compromised routers, making their actions appear legitimate and harder for investigators to trace.
Since summer 2020, SocksEscort has reportedly offered access to approximately 369,000 IP addresses across the globe.
As of February 2026, the service still had about 8,000 infected routers available, including 2,500 located in the United States.
Investigators say criminals used the SocksEscort proxy network to support a variety of cyber-enabled fraud schemes.
By masking their real IP addresses, attackers could bypass security systems designed to detect suspicious login attempts or abnormal geographic activity.
Some of the crimes linked to the network include:
Authorities highlighted several major cases connected to the operation:
Officials say these incidents represent only a portion of the financial damage caused by the network.
The disruption operation involved multiple international law enforcement partners. Authorities in Austria, France, and the Netherlands successfully seized and shut down several SocksEscort servers.
In the United States, investigators executed court-authorized seizure warrants against dozens of domains believed to be connected to the criminal proxy service.
The investigation was led by the FBI Sacramento Field Office, with support from:
Additional assistance came from Europol, Eurojust, and law enforcement agencies in several countries, including Germany, Hungary, Romania, Bulgaria, and Austria.
Cybersecurity organizations also played a critical role in identifying and tracking the malicious infrastructure.
The DOJ credited Lumen’s Black Lotus Labs and the Shadowserver Foundation for providing technical intelligence that helped investigators disrupt the network.
The Justice Department also worked with its International Computer Hacking and Intellectual Property (ICHIP) program to coordinate cybercrime investigations across multiple jurisdictions.
Officials say the takedown highlights the growing threat posed by residential proxy networks powered by compromised devices.
Such networks are increasingly used by cybercriminals to evade detection and launch fraud, credential theft, and other malicious campaigns.
The investigation remains ongoing, and authorities continue to analyze the infrastructure to identify those responsible for operating the SocksEscort network.
The post Authorities Shut Down Malicious Proxy Network Used to Spread Malware appeared first on Cyber Security News.