The U.S. Department of Justice and Europol have dismantled the "SocksEscort" botnet, a proxy network that infected approximately 369,000 home routers and IoT devices across 163 countries over 16 years. The network was used to facilitate a range of criminal activities, including financial fraud, ransomware, and the distribution of illegal material, costing U.S. victims millions of dollars.
Authorities seized 34 domains, 23 servers, and $3.5 million in cryptocurrency as part of the takedown.
DoJ dismantles botnet made of 360,000 infected routers and IOT devices spread across 163 countries that ran for 16 years — SocksEscort proxy network eliminated in joint operation with Europol
Network ran for 16 years and was host to all sorts of nasty criminal mischief.
Hot on the heels of the LeakBase takedown, the combined might of the U.S. Department of Justice and Europol brought down another gigantic botnet, the SocksEscort proxy network, in an effort spanning a total of nine countries.
The enterprise ran for an estimated 16 years, with its inception circa 2010, infecting a grand total of 369,000 devices across its lifetime. The botnet comprised mostly home routers, access points, and IoT devices across 163 countries.
As is commonplace for this type of operation, SocksEscort sold access to infected devices, allowing cyber-criminals to run attacks from a multitude of worldwide locations at once, which made the attacks hard to block and hid the attackers' identities behind those of unsuspecting folks.
According to the U.S. DoJ, the network had about 8,000 routers as of February 2026, of which 2,500 were in the United States. The botnet facilitated multiple criminal activities, including taking over U.S. bank and cryptocurrency accounts, fraudulent insurance claims, ransomware distribution, DDoS attacks, and even the distribution of child sexual abuse material (CSAM).
The DoJ estimates that the fraud costs U.S. citizens millions of dollars, and cites specific examples like a New York cryptocurrency customer losing $1 million, a Pennsylvania business losing $700,000, and multiple Military Star card holders conned out of $100,000. The takedown also included a number of seizures. Europol nabbed 34 domains associated with the network and 23 servers across seven countries, while the U.S. seized $3.5 million worth of cryptocurrency.
As experts have been warning for decades, home routers and all sorts of "smart" home devices are a veritable playground for the criminally minded. Not only do they often arrive in the market with egregious security vulnerabilities, but many manufacturers also drop software support after a short timespan. The fact that the average user is not aware of what a firmware update is, much less how to run one, doesn't help matters — nor are they supposed to.
As always, we recommend readers keep tabs on all internet-connected devices, keep them up to date whenever possible, and avoid connecting them to the internet to begin with, unless absolutely necessary.
Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.