U.S. and European authorities dismantled the SocksEscort malicious proxy network in a coordinated enforcement action known as Operation Lightning. The takedown removed a residential-proxy infrastructure that investigators say had become a key tool for hiding cryptocurrency thefts and other forms of financial fraud.
For crypto firms, treasury teams, and compliance units, the takedown has direct practical significance. By seizing core infrastructure and freezing linked digital assets, law enforcement disrupted one of the anonymity layers criminals had been using to move and launder stolen funds.
A Global Proxy Network Built on Compromised Devices
According to Europol, SocksEscort relied on the AVrecon botnet and had compromised about 369,000 residential routers and IoT devices across 163 countries. That scale turned the service into a globally distributed proxy layer that could disguise the origin of criminal activity across borders.
Authorities said they dismantled the service’s control infrastructure by seizing 34 domains and 23 servers spread across seven countries. The same operation also froze roughly $3.5 million in cryptocurrency tied to the network, adding an immediate financial blow to the disruption.
Investigators linked the proxy service to a range of criminal schemes that depended on purchased anonymity. Among the activities cited were exchange and bank account takeovers, fraudulent benefit claims, and direct cryptocurrency thefts carried out through the obfuscated access the service provided.
The case was built not only on law-enforcement coordination but also on outside technical intelligence. Officials said attribution and takedown work drew support from private-sector partners, including Lumen’s Black Lotus Labs and the Shadowserver Foundation.
What the Takedown Changes for Crypto Investigations
Authorities estimate the operators generated about EUR 5 million, or roughly $5.7 million to $5.8 million, in illicit proceeds, while the broader losses enabled by the network ran into the tens of millions of dollars. One example cited by investigators involved a customer at a New York-based cryptocurrency exchange who reportedly lost $1 million after activity traced back to the proxy service.
The dismantling of SocksEscort removes a major layer of obfuscation that had helped criminals move stolen assets across jurisdictions. That should make tracing easier in ongoing investigations and may improve the chances of recovering at least some of the funds tied to the network.
Even so, the operation is not the final step. Authorities said additional coordination is now under way with national partners to support follow-up investigations, notify affected jurisdictions, reach potential victims, and pursue asset-recovery efforts.
Historical flows, suspicious connections, and laundering patterns tied to compromised proxy infrastructure are likely to receive renewed scrutiny as investigators and compliance teams reassess past activity in light of the takedown.
