A large international law enforcement operation has jointly shut down SocksEscort, a proxy service used by cybercriminals around the world.
On the 11th of March 2026, the authorities from different countries around the world carried out a coordinated crackdown they called ‘Operation Lightning.’ The operation targeted a proxy platform called SocksEscort. The investigators say the website hijacked thousands of internet devices across the globe.
The action was coordinated by Europol with support from Eurojust and law enforcement agencies from countries including Austria, France, the Netherlands, and the United States.
Investigators said the proxy service hacked more than 369,000 routers and Internet of Things devices in 163 countries and also provided customers with access to more than 35,000 proxies over the past few years.
Also Read: Aave Glitch Sparks $26M Liquidations as wstETH Exchange Rate Plummetsz
During the day the officials got hold of the site, authorities seized 34 domains linked to the service and shut down 23 servers located in seven different countries. The U.S. officials also froze about $3.5 million worth of cryptocurrency connected to the operation.
The authorities also managed to disconnect the routers that powered the proxy network, and they have said that the next step will involve notifying affected countries and launching more investigations.
Investigators said the case first began in June 2025 after Europol’s Joint Task Force opened an investigation into the network.
Source: Europol
Based on the investigation, it was discovered that the operators of SocksEscort built a large botnet by infecting thousands of residential routers.
These compromised devices were then used to support several criminal activities, including ransomware attacks, distributed denial-of-service (DDoS) attacks, and the distribution of child sexual abuse material.
The exploiters were able to carry out their operations due to the vulnerability in residential modems from a specific brand. Once they managed to infect the malware, the devices became part of the botnet without the owners knowing.
Cybercriminals then used this unauthorized information to carry out their operations online. They got access to SocksEscort materials through a subscription system made through a special platform that allowed customers to pay anonymously using cryptocurrency.
Also Read: Hyperliquid Reports $1.98 Million Daily Fees, Leading DEX Sector
