Botnet of Tens of Thousands of Routers Shut Down in Global Operation Targeting SocksEscort

A global coalition of law enforcement agencies shut down a botnet made of tens of thousands of hacked home and small-business routers on Wednesday, targeting the SocksEscort proxy service. The operation removed infected devices from a criminal proxy network that the Department of Justice said enabled crimes that cost Americans millions of dollars. Law enforcement actions included seizures and disruption of the service’s infrastructure worldwide.
How the botnet worked and what was seized
Authorities moved against SocksEscort after investigators linked the paid proxy service to a sprawling network of compromised modems and Internet of Things devices that routed criminal traffic. Europol said the operation targeted a network that allegedly compromised more than 369,000 routers and Internet of Things devices across 163 countries and that the infected routers “have been disconnected from the service.” The Department of Justice said the botnet-backed proxy service was used to hack bank and cryptocurrency accounts and to file fraudulent unemployment insurance claims, among other crimes, and that those activities cost Americans millions of dollars.
Cybersecurity firm Black Lotus Labs, which tracked SocksEscort and worked with law enforcement, said the botnet was powered by malware called AVRecon and wrote, “This botnet posed a significant threat, as it was marketed exclusively to criminals.” Black Lotus Labs also said the network had been composed of around 280,000 routers since last January. As part of the operation, the content of the SocksEscort official website was replaced by a notice announcing the seizure, and infrastructure such as domains and servers was targeted for takedown.
Immediate reactions
FBI Deputy Assistant Director Jason Bilnoski said, “SocksEscort is responsible for tens of millions of dollars in losses due to activity such as ransomware, ad fraud, account takeovers, identity theft, business email compromises, romance scams, and password spraying, among many others.” Europol highlighted the criminal business model behind the service, noting, “Customers of the criminal service paid for licenses to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities.” Black Lotus Labs emphasized the scale and targeting risk, writing that over half of victims were located in the United States or the United Kingdom, enabling highly targeted operations.
What’s next
Investigators said the seizures and disconnections will support further probes into downstream criminals who purchased access to the network and used the botnet for fraud and other abuses. Law enforcement agencies signaled that servers, domains, and frozen assets tied to the service will be examined to develop additional charges and trace the criminal customer base. Observers expect follow-on activity as authorities pursue evidence from seized infrastructure and continue to dismantle remaining elements of the proxy ecosystem that enabled this criminal enterprise.