DoJ dismantles botnet made of 360,000 infected routers and IOT devices spread across 163 countries that ran for 16 years — SocksEscort proxy network eliminated in joint operation with Europol
Network ran for 16 years and was host to all sorts of nasty criminal mischief.
Hot on the heels of the LeakBase takedown, the combined might of the U.S. Department of Justice and Europol brought down another gigantic botnet, the SocksEscort proxy network, in an effort spanning a total of nine countries.
The enterprise ran for an estimated 16 years, with its inception circa 2010, infecting a grand total of 369,000 devices across its lifetime. The botnet comprised mostly home routers, access points, and IoT devices across 163 countries.
As is commonplace for this type of operation, SocksEscort sold access to the infected devices as proxies. Criminals could route their traffic through compromised home routers in many countries at once, which makes the resulting attacks hard to block by IP or geography and makes the activity appear to originate from the residential connections of unsuspecting victims rather than from the attackers themselves.
According to the U.S. DoJ, the network had about 8,000 routers as of February 2026, of which 2,500 were in the United States. The botnet facilitated multiple criminal activities, including takeovers of U.S. bank and cryptocurrency accounts, fraudulent insurance claims, ransomware distribution, DDoS attacks, and even the distribution of child sexual abuse material (CSAM).
The DoJ estimates that the fraud cost U.S. citizens millions of dollars, and cites specific examples: a New York cryptocurrency customer lost $1 million, a Pennsylvania business lost $700,000, and multiple Military Star card holders were conned out of $100,000. The takedown also included a number of seizures. Europol took control of 34 domains associated with the network and 23 servers across seven countries, while the U.S. seized $3.5 million worth of cryptocurrency.
As experts have been warning for decades, home routers and all sorts of "smart" home devices are a veritable playground for the criminally minded. Not only do they often arrive on the market with egregious security vulnerabilities, but many manufacturers also drop software support after a short timespan. The fact that the average user is not aware of what a firmware update is, much less how to run one, doesn't help matters, and arguably they shouldn't have to be.
As always, we recommend readers keep an inventory of all internet-connected devices in their home, keep their firmware up to date whenever updates are available, and avoid exposing them to the internet in the first place unless absolutely necessary.
Zaranthos: After nearly 16 years of inaction, the US government finally protects Americans and the world after ignoring known threats. Who knows, maybe the government was also using the exploits for their own ends. To be somewhat fair, it probably often takes many years to work with other countries to shut down global threats, but 16 years seems pretty absurd. It shouldn't be that hard to follow an IP address to an infected router and inform the likely unsuspecting grandma that her router is infected... Then again, how many ISPs have to know they have obvious malware traffic and ignore it, or have no security-trained employees at all?
nrdwka: It is not clear from the article how it was dismantled: just the operator, and all unpatched devices are still connected to the internet? In that case it's just a matter of time for them to be absorbed into a new botnet.
ejolson: Presumably the SocksEscort botnet secured the vulnerable routers against rival botnets, so the infected ones are no longer vulnerable.
Given the tendency for firmware updates to degrade hardware performance and remove features
https://www.3dtested.com/tech-industry/norwegian-consumer-watchdog-calls-out-enshittification
there are also people who don't perform firmware updates, not because they don't know what a firmware update is, but because they do.
Anyway, security is important.