Particle.news

Global Operation Disrupts SocksEscort Proxy Botnet, Seizes 34 Domains and $3.5 Million

Investigators describe an AVRecon-powered market for “clean” residential IPs that enabled wide‑ranging fraud costing victims millions.

Overview

  • FBI and European partners in Austria, France, and the Netherlands took down 34 domains and 23 servers across seven countries under Operation Lightning, replacing the site with a seizure notice.
  • Authorities say infected routers were disconnected from the service, with the U.S. also freezing about $3.5 million in cryptocurrency tied to the operation.
  • SocksEscort sold access to roughly 369,000 IP addresses since 2020 and listed about 8,000 infected routers in February 2026, including 2,500 in the United States; the FBI cites about 124,000 customers.
  • The network ran on AVRecon malware infecting SOHO routers, with Black Lotus Labs tracking around 280,000 unique victim IPs since early 2025 and noting over half of infections in the U.S. or U.K.
  • The DOJ links the proxy service to concrete losses including $1 million in stolen cryptocurrency, $700,000 from a defrauded manufacturer, and $100,000 in fraud affecting U.S. service members, while Europol cites use for ransomware, DDoS, and CSAM distribution.