A proxy service called SocksEscort has been found infecting thousands of routers from brands such as D-Link, Netgear, and TP-Link, and selling access to them to cybercriminals.
On Thursday, the US joined with Europol to shut down SocksEscort, which sold its services on the open internet for as little as $15 per month. However, investigators say the business was actually routing the proxy traffic through routers that SocksEscort had hijacked.
“Since the summer of 2020, SocksEscort has offered to sell access to about 369,000 different IP addresses,” the Justice Department says. “As of February 2026, the SocksEscort application listed approximately 8,000 infected internet routers to which its customers could buy access; of those, 2,500 were in the United States.”
SocksEscort compromised the devices with a Linux-based malware dubbed “AVrecon,” which cybersecurity provider Lumen Black Lotus Labs flagged in 2023. At the time, it was found to be infiltrating 70,000 devices, but that later increased to “20,000 distinct victims weekly,” with over half of the IP addresses located in the United States or the UK.
The FBI also notes: “SocksEscort uses AVrecon malware to target approximately 1,200 device models manufactured by Cisco, D-Link, Hikvision, MikroTik, Netgear, TP-Link, and Zyxel.”
SocksEscort then monetized the access by selling it to cybercriminals, who used the proxy service to conceal their IP addresses and stage hacking activities from residential networks. The resulting fraud schemes raked in millions. One victim was a New York customer at a cryptocurrency exchange who lost $1 million; another was a “manufacturing business in Pennsylvania that was defrauded of $700,000.”
In addition, hackers on SocksEscort conducted romance scams, exploited website vulnerabilities, and attempted to hijack accounts through brute-force password attacks.
The Justice Department said it “executed seizure warrants against a few dozen US-registered internet domains.” As a result, the main page for SocksEscort has been replaced with a seizure notice. Law enforcement agencies in Austria, France, and the Netherlands also took down numerous SocksEscort servers.
Europol adds that SocksEscort provided the proxies by allegedly compromising 369,000 devices in total, which included routers and Internet of Things products based in 163 countries. The agency also estimates SocksEscort raked in at least 5 million Euros ($5.7 million) from customers who paid in cryptocurrency.
Top 20 Most Represented Device Models
As part of the crackdown, the FBI issued an alert about the “AVrecon malware,” which the proxy service used to infect routers. The alert includes a list of the “Top 20 Most Represented Device Models,” at least some of which were introduced over a decade ago.
The operators of SocksEscort spread the malware by scanning for IoT devices and routers with known vulnerabilities, and then exploiting them to gain remote access.
“Threat actors also modify the firmware to silently disable the device’s update and flashing features, making AVrecon extremely difficult to remove. These types of devices are essentially permanently infected with AVrecon,” the alert adds. “In other cases, AVrecon is deployed without a persistence mechanism. If an infected device is power cycled, it resets to a normal state and is no longer infected by AVrecon.”
Europol notes, “The infected modems used to offer the proxy service have been disconnected from the service,” following the server takedown. The FBI’s alert includes technical details to determine if a device was ever infected with the malware.
The agency adds: “If a device is considered EOL [end of life] by its manufacturer and is no longer supported, consider replacing the device with a model that is still receiving security updates.”
About Our Expert
Michael Kan
Senior Reporter
