A global coalition of law enforcement agencies shut down a botnet consisting of tens of thousands of hacked home and small business routers on Wednesday.
The operation targeted SocksEscort, a paid proxy service built on a botnet of hacked routers that was used to commit various crimes, including hacking victims’ bank and cryptocurrency accounts and submitting fraudulent unemployment insurance claims, according to a statement published Thursday by the Department of Justice (DOJ). The DOJ said the crimes facilitated by SocksEscort cost Americans millions of dollars.
Europol said in its announcement of the operation that the SocksEscort botnet has allegedly compromised more than 369,000 routers and Internet of Things devices in 163 countries and that the infected routers have been “disconnected from service.” The law enforcement agency said SocksEscort was used to facilitate ransomware, distributed denial of service (DDoS) attacks and the distribution of child sexual abuse material (CSAM).
“Criminal clients paid for licenses to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities,” Europol said. “With the malware infection, the owners of the modems would not know that their IP addresses were being used for illegal activities.”
The content of SocksEscort’s official website was replaced by a notice announcing the seizure as part of the law enforcement operation.
The botnet consisted of around 280,000 routers as of last January and was powered by malware called AVRecon, according to cybersecurity firm Black Lotus Labs, which monitored SocksEscort and cooperated with law enforcement in the takedown operation.
“This botnet posed a significant threat as it was made available exclusively to criminals,” the company wrote in its post about the takedown. “Notably, over half of its victims were located in the United States or the United Kingdom, allowing attackers to conduct highly targeted operations.”
In 2023, Black Lotus Labs called SocksEscort “one of the largest botnets targeting small office/home office (SOHO) routers seen in recent history.”
At the time, cybersecurity reporter Brian Krebs reported that SocksEscort was born in 2009 as a Russian-language service that sold access to thousands of hacked computers.
