Law enforcement shuts down a botnet of tens of thousands of compromised routers

A global coalition of law enforcement agencies shut down a botnet of tens of thousands of compromised home and small business routers on Wednesday.

The operation targeted SocksEscort, which offers paid proxy services and was built on a botnet of compromised routers used to commit various crimes, such as hacking into victims’ bank and cryptocurrency accounts and filing fraudulent unemployment insurance claims, according to an announcement published by the Department of Justice (DOJ) on Thursday. The Justice Department said crimes facilitated by SocksEscort cost Americans millions of dollars.

Europol said in announcing the operation that the SocksEscort botnet had compromised more than 369,000 routers and IoT devices in 163 countries, and that the infected routers had been “taken out of service.” The law enforcement agency said SocksEscort was used to facilitate ransomware, distributed denial of service (DDoS) attacks, and distribution of child sexual abuse material (CSAM).

“Criminal service agents paid for licenses to misuse these infected devices, hiding their original IP addresses to engage in various criminal activities,” Europol said. “When infected with malware, modem owners will not realize that their IP addresses have been used for illicit activities.”

The content of SocksEscort’s official website has been replaced with a notice announcing the seizure, as part of the law enforcement operation.

The botnet has consisted of about 280,000 routers since last January, and was powered by malware called AVRecon, according to cybersecurity firm Black Lotus Labs, which tracked SocksEscort and worked with law enforcement on the takedown.

“This botnet posed a significant threat, as it was marketed exclusively to criminals,” the company wrote in its post about the takedown. “It is worth noting that more than half of its victims were located in the United States or the United Kingdom, which enabled the attackers to carry out highly targeted operations.”

In 2023, Black Lotus Labs described SocksEscort as “one of the largest botnets targeting small office/home office (SOHO) routers seen in modern history.”

At the time, cybersecurity journalist Brian Krebs reported that SocksEscort was born in 2009 as a Russian-language service that sold access to thousands of hacked computers.