"Operation Lightning": Strike against proxy botnet of over 369,000 devices

International law enforcement agencies have struck a blow against the "SocksEscort" proxy botnet, comprising over 369,000 compromised devices.

Seizure notice on SocksEscort page

(Image: Europol)

Europol reports that international law enforcement agencies struck the malicious proxy service "SocksEscort", its criminal masterminds and its infrastructure this Wednesday. The botnet consisted of more than 369,000 drones: compromised routers and IoT devices located in 163 countries.

The European police authority further explains that "SocksEscort" has offered customers more than 35,000 proxies in recent years. On Wednesday, law enforcement took a total of 34 domains offline, as well as 23 servers in seven countries. The USA has also frozen cryptocurrencies worth 3.5 million US dollars. Officials have disconnected the botnet's infected modems from the "SocksEscort" service. Law enforcement agencies now intend to inform the affected countries, paving the way for further investigations.

Europol writes that investigations began in June 2025, and that the botnet of infected devices was discovered in the course of them. Many of these devices are home routers that were misused for various criminal activities, such as distributing ransomware, carrying out distributed denial-of-service (DDoS) attacks, or even spreading child sexual abuse material (CSAM). The home routers were infected through a vulnerability in a specific brand. However, Europol does not specify which one.

Customers of this criminal service paid for the use and misuse of the infiltrated devices, obscuring their own IP addresses while carrying out various criminal activities. The "SocksEscort" website offered paid proxy services through which customers gained access to the compromised IP addresses to conceal their own. The router owners had no knowledge that, after an infection, their IP addresses were being misused for criminal purposes. To make payments, perpetrators had to use a platform that enabled anonymous purchases using cryptocurrencies. Europol estimates that the payment platform received more than 5 million euros from proxy service customers.

International law enforcement agencies from Bulgaria, Germany, France, the Netherlands, Romania, Hungary, Austria, and the United States, along with Eurojust and Europol, were involved in "Operation Lightning". This is far from the first operation in which law enforcement agencies have cooperated internationally against botnets and their masterminds. In "Operation Endgame" in 2024 and "Operation Endgame 2.0" in 2025, they also took action against cybercriminals, malware authors, and botnets. Residential proxy networks are increasingly becoming targets of measures against online crime. For example, at the end of January, Google dealt a significant blow to the IPIDEA residential proxy network, removing millions of devices.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.