Featured · March 12, 2026

DOJ, Europol Freeze $3.5M Crypto in SocksEscort Network Bust

Europol and DOJ froze $3.5M in crypto on March 11, 2026, dismantling the SocksEscort proxy network behind 369,000 infected routers across 163 countries.

What to Know

  • $3.5 million in cryptocurrency was frozen by U.S. authorities as part of Operation Lightning on March 11, 2026
  • 369,000 routers and IoT devices across 163 countries were compromised by the SocksEscort botnet
  • Law enforcement seized 34 domains and 23 servers across seven countries in a coordinated eight-nation takedown
  • Victims include a New York crypto exchange customer defrauded of $1 million and a Pennsylvania firm that lost $700,000

The SocksEscort proxy network is gone — dismantled March 11 by a coordinated strike from Europol, the U.S. Department of Justice, and law enforcement agencies across eight countries. Authorities froze $3.5 million in cryptocurrency tied to the operation and seized the infrastructure behind what investigators described as a global cybercrime-for-hire service that had quietly infected hundreds of thousands of devices worldwide.

What Was SocksEscort and How Big Was It?

A botnet hiding in plain sight

At its peak, the SocksEscort proxy network had compromised more than 369,000 routers and Internet of Things devices across 163 countries, turning ordinary home and small-business hardware into anonymous relay points for paying criminals. Europol says the service offered over 35,000 active proxies at various points — a full commercial marketplace for masked internet traffic.

The botnet primarily targeted residential routers. That's the part that makes this particularly ugly. Your neighbor's router — or yours — could have been rented out to ransomware gangs and fraudsters without either of you ever knowing.

By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale. Operations like this show that when investigators connect the dots internationally, the infrastructure behind cybercrime can be exposed and shut down.

— Catherine De Bolle, Europol Executive Director

What Did Operation Lightning Actually Seize?

Named Operation Lightning, the March 11 action was coordinated through Europol's Joint Cyberaction Task Force, which launched the investigation back in June 2025. The haul: 34 domains, 23 servers taken offline across seven countries, and a payment platform that Europol estimates had processed more than $5.7 million (€5 million) in crypto over its lifetime.

U.S. prosecutors — specifically the Eastern District of California — noted that as recently as February 2026, the SocksEscort application still listed roughly 8,000 infected routers available for use, including around 2,500 inside the United States. The service was still actively running when they pulled the plug.

Who Got Hurt — and Why Does This Matter for Crypto Holders?

Criminals leaning on the SocksEscort network used the proxy cover to mask where attacks were coming from — enabling bank and crypto account takeovers, fraudulent unemployment claims, and ransomware deployments. Federal prosecutors documented specific victim losses: a New York crypto exchange customer robbed of $1 million in digital assets, a Pennsylvania manufacturer hit for $700,000, and current and former military service members collectively defrauded of $100,000.

If you hold crypto on any centralized exchange, account takeover fraud is the exact threat vector that keeps security teams up at night. Proxies like SocksEscort let attackers spoof their location — they're a core tool in making stolen credentials look like they're coming from the account owner's home IP. The DOJ's Eastern District of California complaint lays out exactly how this worked in practice.

The broader criminal uses went beyond financial theft. Europol's investigation confirmed the network also facilitated DDoS attacks and the distribution of child sexual abuse material — which explains the multi-agency, multi-country urgency behind the operation.

Frequently Asked Questions

What is the SocksEscort proxy network?

SocksEscort is a malicious proxy service that infected over 369,000 home and business routers across 163 countries, then sold anonymous internet relay access to criminals. It was dismantled on March 11, 2026, by Europol and the U.S. Department of Justice in Operation Lightning.

How much crypto did authorities freeze in the SocksEscort bust?

U.S. authorities froze $3.5 million in cryptocurrency linked to SocksEscort. Separately, Europol estimated the service's payment platform had received over $5.7 million in crypto throughout its operation.

What crimes did SocksEscort enable?

SocksEscort provided anonymous proxy access used for bank and crypto account takeovers, fraudulent unemployment claims, ransomware attacks, DDoS campaigns, and distribution of child sexual abuse material, according to Europol and DOJ investigators.

What was seized in Operation Lightning?

Operation Lightning seized 34 domains and 23 servers across seven countries, froze $3.5 million in crypto, and took down the SocksEscort payment platform. Eight countries participated in the March 11, 2026 action, which was coordinated by Europol.