Authorities Dismantle Global Malicious Proxy Service that Deployed Malware and Defrauded Thousands of U.S. Persons, Businesses, and Financial Institutions of Millions of[...]

Yesterday a court-authorized international law enforcement operation led by the U.S. Justice Department disrupted SocksEscort, a residential proxy network used to exploit thousands of residential routers worldwide and commit large-scale fraud. The U.S. government executed seizure warrants against a few dozen U.S.-registered internet domains allegedly engaged in the cyber-enabled criminal activity.

According to court documents, SocksEscort infected home and small business internet routers with malware. The malware allowed SocksEscort to direct internet traffic through the infected routers. SocksEscort sold this access to its customers. Since the summer of 2020, SocksEscort has offered to sell access to about 369,000 different IP addresses. As of February 2026, the SocksEscort application listed approximately 8,000 infected routers to which its customers could buy access, of those, 2,500 were in the United States.

Cybercriminals used the access they purchased on SocksEscort to conceal their true originating IP addresses and locations, which furthered frauds like takeovers of U.S. bank and cryptocurrency accounts and fraudulent unemployment insurance claims. These frauds cost Americans millions of dollars. Examples of victims defrauded include a customer of a cryptocurrency exchange who lived in New York and was defrauded of $1 million worth of cryptocurrency; a manufacturing business in Pennsylvania that was defrauded of $700,000; and current and former United States service members with MILITARY STAR cards who were defrauded out of $100,000.

Law enforcement agencies from Austria, France, and the Netherlands successfully took down numerous SocksEscort servers.

The FBI Sacramento Field Office, the Department of Defense Office of Inspector General's Defense Criminal Investigative Service, and IRS Criminal Investigation Oakland Field Office are investigating the case.

Investigators and prosecutors from several jurisdictions provided assistance, including Europol, Eurojust, and authorities in the following countries:

• Austria: Criminal Intelligence Service Austria; Public Prosecutor´s Office Vienna
• Bulgaria: Cybercrime Directorate, General Directorate Combating Organized Crime, Ministry of Interior
• France: Public Prosecution Office Paris J3 section Anti-Cybercriminality; Investigative Judge from JIRS/JUNALCO Financial and Cybercrime section - Court of Paris
• Germany: Düsseldorf Police Headquarters; Central Contact Point for Cybercrime North Rhine-Westphalia (ZAC NRW)
• Hungary: Prosecution Service of Hungary; National Bureau of Investigation Cybercrime Department
• Netherlands: Public Prosecution Office Limburg; Police Limburg
• Romania: Prosecution Office of the High Court of Cassation and Justice; Directorate for investigation of Organized Crime and Terrorism, Central Office; Directorate for Combating Organized Crime, Central Cybercrime Unit; General Inspectorate of the Romanian Police

The Justice Department's Office of International Affairs, Computer Crime and Intellectual Property Section, and International Computer Hacking and Intellectual Property (ICHIP) based in The Hague, the Treasury Department's Financial Crimes Enforcement Network, and the California Highway Patrol provided crucial support to this operation.

Additionally, the Department of Justice offers its thanks to Lumen's Black Lotus Labs and the Shadowserver Foundation for the assistance provided by each during the investigation and the operation.

Assistant U.S. Attorneys for the Eastern District of California Nicholas M. Fogg, Sam Stefanki, and Kevin Khasigian are prosecuting the case.

The Justice Department is providing intellectual property and cybercrime technical assistance to foreign law enforcement, prosecutorial, and judicial partners in other countries through the International Computer Hacking and Intellectual Property (ICHIP) program. Learn more about the Criminal Division's ICHIP Program, jointly administered by the Criminal Division's Office of Overseas Prosecutorial Development, Assistance and Training (OPDAT) and the Computer Crime and Intellectual Property Section through partnership between the U.S. Department of State's Bureau of International Narcotics and Law Enforcement Affairs, here.