Particle.news

Operation Lightning Dismantles SocksEscort Proxy Network, Freezes $3.5 Million

Investigators are mining seized infrastructure to identify operators and paying customers.

Overview

  • Authorities seized 34 domains and 23 servers across seven countries, froze about $3.5 million in cryptocurrency, and disconnected infected devices from the service.
  • The service marketed access to roughly 369,000 IP addresses since 2020 and listed about 8,000 infected routers in February, including approximately 2,500 in the United States, with the FBI estimating about 124,000 customers.
  • SocksEscort ran on AVRecon malware that targeted small-office and home routers, with the FBI issuing an alert containing technical indicators after finding widespread exploitation and persistence on ARM and MIPS devices.
  • Europol estimates the payment platform linked to the operation received more than $5.7 million in crypto, while prosecutors cite victim losses including $1 million from a New York crypto user, $700,000 from a Pennsylvania manufacturer, and $100,000 affecting Military Star card holders.
  • The takedown involved Europol, the DOJ and FBI, Eurojust, and agencies in Austria, France, Germany, Hungary, the Netherlands, Romania, and the U.S., with technical support from Lumen’s Black Lotus Labs and the Shadowserver Foundation.