Authorities dismantle botnet built from tens of thousands of compromised routers

Law enforcement agencies have dismantled a massive botnet comprising tens of thousands of hacked routers used for cyberattacks, malware distribution, and other illegal network activity.

Mar 14, 2026 - 15:55

A worldwide coalition of law enforcement agencies on Wednesday took down a botnet comprising tens of thousands of hacked home and small-business routers.

The operation targeted SocksEscort, a paid proxy service built on a botnet of compromised routers that was used to commit a range of crimes, including intrusions into victims’ bank and cryptocurrency accounts and fraudulent unemployment insurance claims, according to an announcement published Thursday by the Department of Justice. The DOJ said the criminal activity enabled by SocksEscort cost Americans millions of dollars.

In its own statement on the operation, Europol said the SocksEscort botnet is believed to have compromised more than 369,000 routers and Internet of Things devices across 163 countries, adding that the infected routers “have been disconnected from the service.” Europol also said SocksEscort was used to enable ransomware attacks, distributed denial-of-service attacks, and the sharing of child sexual abuse material.

“Customers of the criminal service paid for licenses to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities,” Europol said. “Upon infection with the malware, the modems’ owners would not be aware that their IP addresses were used for illegitimate activities.”

As part of the law enforcement action, the content of the official SocksEscort website was replaced with a seizure notice.

According to cybersecurity company Black Lotus Labs, which tracked SocksEscort and assisted law enforcement in the takedown, the botnet had consisted of around 280,000 routers since last January. It was powered by malware known as AVRecon.

“This botnet posed a significant threat, as it was marketed exclusively to criminals,” the company said in its post about the takedown. “Notably, over half of its victims were located in the United States or the United Kingdom, enabling attackers to conduct highly targeted operations.”

In 2023, Black Lotus Labs described SocksEscort as “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history.”

At that time, cybersecurity journalist Brian Krebs reported that SocksEscort had originated in 2009 as a Russian-language service that sold access to thousands of hacked computers.

Shivangi Yadav reports on startups, technology policy, and other significant technology-focused developments in India for TechAmerica.Ai. She previously worked as a research intern at ORF.