In brief
- Europol and partners announced the disruption of the “SocksEscort” malicious proxy service and the freezing of $3.5 million in cryptocurrency linked to the operation.
- The network allegedly compromised more than 369,000 routers and IoT devices and offered customers more than 35,000 proxies.
- The U.S. DOJ said the service enabled fraud including bank and crypto account takeovers, citing a New York victim allegedly defrauded of $1 million in crypto.
European and U.S. authorities have announced the dismantling of a major malicious proxy operation tied to malware-infected home and small-business routers, freezing $3.5 million in cryptocurrency and seizing infrastructure used to support fraud.
Europol said the March 11 action, named Operation Lightning, targeted the “SocksEscort” service, which it said had compromised over 369,000 routers and Internet of Things devices across 163 countries and offered users more than 35,000 proxies in recent years.
🚨 Servers used for cybercrime around the world taken down
⚖️ Authorities from eight countries targeted a website allegedly offering IP proxy services for cybercriminals in 102 countries.
👉 https://t.co/oOqRlIZgdt pic.twitter.com/QHhCSC7Qlo
— Eurojust (@Eurojust) March 12, 2026
According to Europol, law enforcement seized 34 domains and 23 servers across seven countries, while U.S. authorities froze $3.5 million in crypto linked to the case. Europol also said that a payment platform linked to the service is estimated to have received more than $5.7 million (€5 million) in cryptocurrency.
The investigation, which began in June 2025 under Europol’s Joint Cyberaction Task Force, uncovered a botnet of infected devices, mainly residential routers, exploited to facilitate criminal activities including ransomware, DDoS attacks, and the distribution of child sexual abuse material.
In a parallel announcement, the U.S. Attorney’s Office for the Eastern District of California said that the SocksEscort application had listed about 8,000 infected routers as of February 2026, including around 2,500 in the United States. U.S. law enforcement alleged that criminals used proxy access to mask origin locations for schemes including bank and crypto account takeovers and fraudulent unemployment claims.
Federal prosecutors cited multiple alleged victim losses, including a New York crypto exchange customer reportedly defrauded of $1 million in digital assets, a Pennsylvania manufacturer that allegedly lost $700,000, and current and former military service members allegedly defrauded of $100,000.
“By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale,” Europol Executive Director Catherine De Bolle said in a statement, adding that, “Operations like this show that when investigators connect the dots internationally, the infrastructure behind cybercrime can be exposed and shut down.”