
Federal agents say they have yanked the plug on SocksEscort, a long-running residential proxy service that secretly turned home and small-business routers into covert traffic relays. In an international, court-authorized operation, investigators targeted domains and servers tied to the network in a bid to shut off a favorite tool for criminals trying to hide the origins of account takeovers and other big-money fraud.
How investigators say the network worked
According to a press release from the U.S. Attorney's Office for the Eastern District of California, agents executed seizure warrants against "a few dozen" U.S.-registered internet domains linked to SocksEscort. Prosecutors say the platform, which has been on the market since the summer of 2020, advertised access to roughly 369,000 distinct IP addresses.
The same release notes that as of February 2026, the SocksEscort application showed about 8,000 infected routers available for purchase, roughly 2,500 of them in the United States. Criminals allegedly rented that access to obscure the true origin of account takeovers, unemployment-insurance fraud, and other schemes that collectively cost Americans millions of dollars.
AVrecon and the malware behind the proxies
Security researchers have tied the proxy service to AVrecon, a Linux-based remote-access trojan aimed at small-office and home-office routers that quietly harvests bandwidth to build proxy pools. Lumen Black Lotus Labs documented AVrecon's infrastructure and reach in 2023, and reporting by KrebsOnSecurity traced AVrecon command-and-control servers back to SocksEscort.
Fraud examples and international cooperation
The DOJ release lays out some of the alleged damage: a New York resident saw a cryptocurrency account drained of about $1 million, a Pennsylvania manufacturer lost around $700,000, and current and former U.S. service members were hit for about $100,000 through fraud involving Military Star cards.
Authorities credited partners in Austria, France, and the Netherlands with knocking out numerous SocksEscort servers. On the U.S. side, investigators include the FBI Sacramento Field Office, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and IRS Criminal Investigation in Oakland, with Assistant U.S. Attorneys in the Eastern District of California handling the litigation.
How to check your router
Researchers warn that infections can be extremely quiet and might not noticeably slow your internet, so a smooth connection does not mean your gear is clean. Security teams advise updating router firmware, changing default admin passwords, disabling remote-management features, and, when incident responders recommend it, power-cycling devices to wipe in-memory malware and restore a clean session. They also urge network owners to review logs and block suspicious outbound traffic.
FBI Los Angeles highlighted the disruption on X and shared a link for submitting tips. The bureau's post and the DOJ announcement both note that the investigation is still active and that anyone who suspects they were targeted should contact their local FBI field office or follow the instructions in the agency's notice.









