Europol and international partners disrupt ‘SocksEscort’ proxy service
On 11th March 2026, Europol in collaboration with law enforcement agencies from Austria, France, the Netherlands, and the United States, alongside Eurojust, executed Operation Lightning. This coordinated effort targeted the malicious proxy service ‘SocksEscort’, which allegedly compromised over 369 000 routers and Internet of Things devices in 163 countries, and offered ‘SocksEscort’ customers over 35 000 proxies in recent years.
During the action day, law enforcement agencies successfully took down and seized 34 domains as well as 23 servers located in seven countries. In addition, the United States froze a total of USD 3.5 million in cryptocurrency. The infected modems used to offer the proxy service have been disconnected from the service. Following this takedown, law enforcement authorities will alert the affected countries, paving the way for further investigative initiatives.
Magnus Brunner
EU Commissioner for Internal Affairs and Migration
This operation demonstrates how crucial close international cooperation is in the fight against cybercrime. When European law enforcement authorities act together with partners across the Atlantic, we can effectively dismantle criminal networks and better protect our citizens. Europol plays a central role as a hub for information exchange and operational cooperation in confronting the increasingly global nature of cybercrime with determination.
Catherine De Bolle
Executive Director, Europol
Cybercrime thrives on anonymity. Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection. By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale. Operations like this show that when investigators connect the dots internationally, the infrastructure behind cybercrime can be exposed and shut down.
The investigation, which began in June 2025 with the opening of a case by Europol’s Joint Cyberaction Task Force (J-CAT), revealed that a botnet of infected devices was created. These devices, primarily residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM).
The compromised devices were infected through a vulnerability in the residential modems of a specific brand. Customers of the criminal service paid for licences to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities. To protect against such exploits, users, and vendors are advised to update the firmware of their devices regularly.


I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.
