DOJ and Europol Take Down SocksEscort Crypto Fraud Network
DOJ and Europol seized 34 domains, froze $3.5M in crypto, and dismantled SocksEscort — a proxy network that hijacked 369,000 devices for cybercrime.

What to Know
- 34 domains and 23 servers across seven countries were seized in the coordinated SocksEscort takedown
- $3.5 million in cryptocurrency was frozen, and investigators estimate the network pulled in at least $5.7 million (5 million euros) from users
- 369,000 devices in 163 countries were compromised by AVrecon malware to power the proxy service
- One New York victim lost roughly $1 million in cryptocurrency through account takeovers enabled by the network
SocksEscort, the criminal proxy service that quietly turned hundreds of thousands of ordinary home routers into cybercrime cover, is finished. On Thursday, the US Department of Justice and Europol announced a coordinated international takedown, seizing infrastructure across seven countries and freezing $3.5 million in cryptocurrency tied to the operation — a network that had been enabling bank fraud and crypto account takeovers since at least 2020.
How Did SocksEscort Actually Work?
The service was built on deception from the ground up. SocksEscort infected routers and internet-connected devices with AVrecon malware, turning unwitting device owners into involuntary nodes inside a criminal proxy network. Black Lotus Labs — the threat intelligence arm of US telecom company Lumen Technologies — had publicly documented AVrecon back in July 2023, but the operation kept running.
Customers paid for proxy access anonymously, using cryptocurrency to obscure their identities. Europol confirmed the platform received at least 5 million euros — roughly $5.7 million — from its users over the years it operated. The whole point was to give cybercriminals a clean IP address: the kind that doesn't trace back to them when banks or crypto exchanges check login locations.
In one case prosecutors highlighted, a victim in New York lost approximately $1 million in crypto through account takeovers that the proxy network helped facilitate. That's not abstract harm. That's someone's retirement, their bag, their everything — routed through someone else's hacked router before it disappeared.
Proxy services like 'SocksEscort' provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.
Eight Countries, One Coordinated Hit
The SocksEscort takedown involved law enforcement from Austria, France, the Netherlands, Germany, Hungary, Romania, and the US — with Europol and Eurojust coordinating across borders. On the US side, the FBI Sacramento Field Office, the Department of Defense Office of Inspector General's Defense Criminal Investigative Service, and IRS Criminal Investigation Oakland Field Office all had a hand in the operation.
Authorities seized 34 domains, disrupted around 23 servers spread across seven countries, and froze the $3.5 million in cryptocurrency linked to the network. Black Lotus Labs and the nonprofit Shadowserver Foundation both provided technical intelligence that helped investigators map and ultimately dismantle the infrastructure.
De Bolle added that the operation proved international coordination can expose and shut down criminal infrastructure — when investigators actually connect the dots across borders.
Why Should Crypto Holders Care About This?
Here's the part most coverage skips: your router might have been part of this. Europol's investigation into the proxy service confirmed that 369,000 devices across 163 countries were compromised — meaning regular people with no idea their hardware was involved were essentially providing criminal cover for crypto heists and bank fraud.
The bigger issue is what networks like SocksEscort reveal about crypto's role in criminal infrastructure. The service was funded by crypto, it enabled crypto theft, and the frozen proceeds were seized in crypto. Law enforcement caught up — this time. But the core mechanic, anonymous crypto payments buying anonymous proxy access, isn't going away. The next version of this operation is already running somewhere.
Frequently Asked Questions
What was SocksEscort and how did it work?
SocksEscort was a criminal proxy service that infected routers and internet-connected devices with AVrecon malware, converting them into proxy nodes. Cybercriminals paid anonymously with cryptocurrency to route their traffic through compromised devices, hiding their real IP addresses while committing bank fraud and cryptocurrency account takeovers.
How much cryptocurrency was seized in the SocksEscort takedown?
US and European authorities froze approximately $3.5 million in cryptocurrency linked to SocksEscort. Investigators also estimate the network collected at least 5 million euros ($5.7 million) from its customers over the course of its operation, which began no later than 2020.
What is AVrecon malware?
AVrecon is malware used to compromise routers and other internet-connected devices, turning them into proxy nodes for criminal networks. Black Lotus Labs, the threat intelligence unit of Lumen Technologies, publicly documented AVrecon in July 2023. SocksEscort relied on this malware to build its 369,000-device botnet.
Which agencies were involved in dismantling SocksEscort?
The takedown involved law enforcement from seven countries — Austria, France, the Netherlands, Germany, Hungary, Romania, and the US. US participants included the FBI Sacramento Field Office, DOD Inspector General's Defense Criminal Investigative Service, and IRS Criminal Investigation. Europol and Eurojust coordinated the international effort.
