A global coalition of law enforcement agencies on Wednesday shut down a botnet made up of tens of thousands of hacked home and small business routers.
The operation targeted SocksEscort, a paid proxy service built on a botnet of hacked routers. The service was used to commit a variety of crimes, including hacking into victims' bank and cryptocurrency accounts and filing fraudulent unemployment insurance claims, according to an announcement released Thursday by the Department of Justice (DOJ). The DOJ said the crimes facilitated by SocksEscort cost Americans millions of dollars.
In announcing the operation, Europol said the SocksEscort botnet is suspected of having compromised more than 369,000 routers and Internet of Things devices in 163 countries, and that infected routers were “disconnected from service.” Law enforcement said SocksEscort was used to facilitate the distribution of ransomware, distributed denial of service (DDoS) attacks, and child sexual abuse material (CSAM).
“Customers of criminal services paid license fees to exploit these infected devices, concealing their original IP addresses and engaging in various criminal activities,” Europol said. “If infected with malware, the modem owner will not know that his IP address has been used for illegal activities.”
The content of the SocksEscort official website has been replaced with a notice announcing the seizure as part of a law enforcement operation.
Black Lotus Labs, a cybersecurity firm that tracked SocksEscort and worked with law enforcement on the takedown operation, said the botnet had comprised about 280,000 routers since January last year and was powered by malware called AVRecon.
“This botnet posed a significant threat because it was sold only to criminals,” the company said in a post about the takedown. “Notably, more than half of the victims are located in the US or UK, allowing the attackers to conduct highly targeted operations.”
In 2023, Black Lotus Labs called SocksEscort “one of the largest botnets in recent history targeting small office/home office (SOHO) routers.”
At the time, cybersecurity journalist Brian Krebs reported that SocksEscort started life in 2009 as a Russian-language service that sold access to thousands of hacked computers.

