U.S. authorities, together with international partners, shut down SocksEscort — a residential proxy network that investigators say was used in large-scale fraud. A court issued warrants to seize dozens of domains, and the server infrastructure was disabled during an international operation involving Austria, France, and the Netherlands.
How The Scheme Worked
Investigators determined that SocksEscort distributed malware that infected home and small office routers worldwide. After compromising the devices, the service routed clients’ internet traffic through them, selling access to hundreds of thousands of IP addresses.
By February 2026, the application showed about 8,000 infected routers, approximately 2,500 of which were located in the United States. Since summer 2020, the service had offered access to roughly 369,000 IP addresses in total.
Connection To Crypto Fraud
According to law enforcement, criminals used the purchased access to hide their real IP address during hacks of bank and cryptocurrency accounts, as well as in other financial schemes. The documented incidents include the theft of $1.0 M in cryptocurrency from a user in New York, the theft of $700,000 from a manufacturing company in Pennsylvania, and fraud targeting active and former military service members totaling about $100,000.
The total losses are estimated in the millions of dollars. The investigation continues with the participation of U.S. federal agencies and international partners.