Tom’s Hardware
Bruno Ferreira

DoJ dismantles botnet made of 360,000 infected routers and IoT devices spread across 163 countries that ran for 16 years — SocksEscort proxy network eliminated in joint operation with Europol


Hot on the heels of the LeakBase takedown, the combined might of the U.S. Department of Justice and Europol brought down another gigantic botnet, the SocksEscort proxy network, in an effort spanning a total of nine countries.

The enterprise ran for an estimated 16 years, with its inception circa 2010, infecting a grand total of 369,000 devices across its lifetime. The botnet comprised mostly home routers, access points, and IoT devices across 163 countries.

As is commonplace for this type of operation, SocksEscort sold access to infected devices, allowing cyber-criminals to run attacks from a multitude of worldwide locations at once. That made the attacks hard to block and hid the criminals' identities behind those of unsuspecting folks.

According to the U.S. DoJ, the network had about 8,000 routers as of February 2026, of which 2,500 were in the United States. The botnet facilitated multiple criminal activities, including taking over U.S. bank and cryptocurrency accounts, fraudulent insurance claims, ransomware distribution, DDoS attacks, and even the distribution of child sexual abuse material (CSAM).

The DoJ estimates that the fraud costs U.S. citizens millions of dollars, and cites specific examples like a New York cryptocurrency customer losing $1 million, a Pennsylvania business losing $700,000, and multiple Military Star card holders conned out of $100,000. The takedown also included a number of seizures. Europol nabbed 34 domains associated with the network and 23 servers across seven countries, while the U.S. seized $3.5 million worth of cryptocurrency.

As experts have been warning for decades, home routers and all sorts of "smart" home devices are a veritable playground for the criminally minded. Not only do they often arrive in the market with egregious security vulnerabilities, but many manufacturers also drop software support after a short timespan. The fact that the average user is not aware of what a firmware update is, much less how to run one, doesn't help matters — nor are they supposed to.

As always, we recommend readers keep tabs on all internet-connected devices, keep them up to date whenever possible, and avoid connecting them to the internet to begin with, unless absolutely necessary.
