Authorities Dismantle Global Malicious Proxy Service that Deployed Malware and Defrauded Thousands of U.S. Persons, Businesses, and Financial Institutions of Millions of Dollars in Losses

Yesterday a court-authorized international law enforcement operation led by the U.S. Justice Department disrupted SocksEscort, a residential proxy network used to exploit thousands of residential routers worldwide and commit large-scale fraud. The U.S. government executed seizure warrants against a few dozen U.S.-registered internet domains allegedly engaged in the cyber-enabled criminal activity, U.S. Attorney Eric Grant announced.

According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers. Since the summer of 2020, SocksEscort has offered to sell access to about 369,000 different IP addresses. As of February 2026, the SocksEscort application listed approximately 8,000 infected routers to which its customers could buy access, of those, 2,500 were in the United States.

Cybercriminals used the access they purchased on SocksEscort to conceal their true originating IP addresses and locations, which furthered frauds like takeovers of U.S. bank and cryptocurrency accounts and fraudulent unemployment insurance claims. These frauds cost Americans millions of dollars. Examples of victims defrauded include a customer of a cryptocurrency exchange who lived in New York and was defrauded of $1 million worth of cryptocurrency; a manufacturing business in Pennsylvania that was defrauded of $700,000; and current and former United States service members with MILITARY STAR cards who were defrauded out of $100,000.

Law enforcement agencies from Austria, France, and the Netherlands successfully took down numerous SocksEscort servers.

The FBI Sacramento Field Office, the Department of Defense Office of Inspector General’s Defense Criminal Investigative Service, and IRS Criminal Investigation Oakland Field Office are investigating the case.

Investigators and prosecutors from several jurisdictions provided assistance, including Europol, Eurojust, and authorities in the following countries:

• Austria: Vienna Public Prosecutors Office (Staatsanwaltschaft Wien) Criminal Intelligence Service - Cybercrime-Competence-Center (Bundeskriminalamt – C4)
• Bulgaria: District Public Prosecution Office Plovdiv, Cybercrime Directorate of the General Directorate Combating Organized Crime - Ministry of Interior
• France: Public Prosecution Office Paris J3 Anti-Cybercrime unit; Investigative judge from JIRS/JUNALCO Financial and Cybercrime section - Court of Paris; Judicial Police - Office for Cybercrime Prevention (Police judiciaire - office anti-cybercriminalité (OFAC))
• Germany: Düsseldorf Police Headquarters; Central Contact Point for Cybercrime North Rhine-Westphalia (ZAC NRW)
• Hungary: Prosecution Service of Hungary; National Bureau of Investigation Cybercrime Department (Nemzeti Nyomozó Iroda Kiberbűnözés Elleni Főosztály)
• Netherlands: Public Prosecutors Office Limburg (Openbaar Ministerie); Police (Politie) Limburg
• Romania: Prosecution Office of the High Court of Cassation and Justice; Directorate for investigation of Organized Crime and Terrorism, Central Office; Directorate for Combating Organized Crime, Central Cybercrime Unit; General Inspectorate of the Romanian Police

The Justice Department’s Office of International Affairs, the National Security Division’s National Security Cyber Section and the Criminal Division’s Computer Crime and Intellectual Property Section, and the International Computer Hacking and Intellectual Property (ICHIP) program based in The Hague, the Treasury Department’s Financial Crimes Enforcement Network, and the California Highway Patrol provided crucial support to this operation. 

Additionally, the Department of Justice offers its thanks to Lumen’s Black Lotus Labs and the Shadowserver Foundation for the assistance provided by each during the investigation and the operation.

Assistant U.S. Attorneys for the Eastern District of California Nicholas M. Fogg, Sam Stefanki, and Kevin Khasigian handled the litigation.

The Justice Department is providing intellectual property and cybercrime technical assistance to foreign law enforcement, prosecutorial, and judicial partners in other countries through the International Computer Hacking and Intellectual Property (ICHIP) program. Learn more about the Criminal Division’s ICHIP Program, jointly administered by the Criminal Division’s Office of Overseas Prosecutorial Development, Assistance and Training (OPDAT) and the Computer Crime and Intellectual Property Section through partnership between the U.S. Department of State’s Bureau of International Narcotics and Law Enforcement Affairs, here.