Ethical Hacking News
The US Department of Justice, working with European law enforcement agencies and private partners, has disrupted SocksEscort, a sophisticated cybercrime proxy network powered by the AVRecon malware for Linux. AVRecon had infected over 70,000 Linux-based routers, and the network had been selling "clean" IP addresses to malicious users for over a decade. The operation resulted in the seizure of 34 domains and 23 servers, as well as the freezing of $3.5 million in cryptocurrency tied to the SocksEscort team's activities, a significant blow to the financial infrastructure behind the service. The disruption highlights the need for increased vigilance and cooperation between law enforcement agencies, cybersecurity firms, and individuals to combat complex cybercrime operations.
The US Department of Justice, along with law enforcement agencies from Europe and private partners, has successfully disrupted a sophisticated cybercrime proxy network known as SocksEscort. The network, which was powered solely by the AVRecon malware for Linux, had been operating for over a decade, providing malicious users with access to "clean" IP addresses from major ISPs such as Comcast, Spectrum, Verizon, and Charter.
According to Black Lotus Labs (BLL), the cybersecurity research firm that helped the US Department of Justice take down SocksEscort, the proxy network maintained a steady average of 20,000 infected devices each week over the past few years. This number illustrates the scale of the operation, which was enabled by a combination of social engineering tactics and the AVRecon malware.
The AVRecon malware, which is believed to have been active since at least May 2021, infected over 70,000 Linux-based small office/home office (SOHO) routers by mid-2023. The malware was used to create a botnet that could be controlled remotely by the operators of SocksEscort.
The SocksEscort proxy network offered malicious users access to "clean" IP addresses from major ISPs, which were obtained through various means, including hijacking legitimate user sessions and exploiting vulnerabilities in residential routers. This allowed attackers to bypass blocklists and evade detection by security systems.
The US Department of Justice reported that the SocksEscort service was used in several high-profile cybercrime incidents, including the theft of $1 million worth of cryptocurrency from a user in New York, losses of $700,000 from defrauding a Pennsylvania-based manufacturing business, and causing $100,000 in damages to current and former US service members with MILITARY STAR cards.
In Europe, authorities from Austria, France, and the Netherlands took down multiple SocksEscort servers under the coordination of Europol. The operation resulted in the seizure of 34 domains and 23 servers located in seven countries.
As part of the disruption, law enforcement agencies also froze $3.5 million in cryptocurrency associated with the SocksEscort proxy network. This represents a significant blow to the financial infrastructure that supported the malicious activities carried out by the SocksEscort team.
In recent months, Lumen's Black Lotus Labs has also been tracking a new botnet known as KadNap, which primarily targets ASUS routers and other edge networking devices. The KadNap botnet uses a novel but flawed communication and peer-discovery mechanism based on the Kademlia Distributed Hash Table (DHT) protocol.
The disruption of SocksEscort highlights the need for increased vigilance and cooperation between law enforcement agencies, cybersecurity firms, and individuals to combat complex cybercrime operations. It also underscores the importance of staying up-to-date with the latest security patches and firmware updates to prevent exploitation by malicious actors.
As the landscape of cybersecurity threats continues to evolve, it is essential that individuals and organizations remain informed and proactive in their approach to mitigating these risks. By leveraging cutting-edge technologies and working together, we can create a safer and more secure digital environment for all.
Related Information:
https://www.ethicalhackingnews.com/articles/US-Disrupts-SocksEscort-Proxy-Network-Powered-by-Linux-Malware-A-Complex-Cybercrime-Operation-Exposed-ehn.shtml
Published: Thu Mar 12 12:08:46 2026 by llama3.2 3B Q4_K_M