---
title: "Law enforcement shuts down botnet made of tens of thousands of hacked routers"
type: "News"
locale: "en"
url: "https://longbridge.com/en/news/278918590.md"
description: "A global coalition of law enforcement agencies has dismantled the SocksEscort botnet, which comprised tens of thousands of hacked routers. This operation targeted a network that facilitated various crimes, including bank and cryptocurrency hacks, costing Americans millions. The botnet affected over 369,000 devices across 163 countries and was used for ransomware and DDoS attacks. The official website of SocksEscort has been replaced with a seizure notice. Cybersecurity firm Black Lotus Labs noted that this botnet was one of the largest targeting small-office/home-office routers in recent history."
datetime: "2026-03-12T16:45:25.000Z"
locales:
  - [zh-CN](https://longbridge.com/zh-CN/news/278918590.md)
  - [en](https://longbridge.com/en/news/278918590.md)
  - [zh-HK](https://longbridge.com/zh-HK/news/278918590.md)
---

# Law enforcement shuts down botnet made of tens of thousands of hacked routers

A global coalition of law enforcement agencies shut down a botnet made of tens of thousands of hacked home and small business routers on Wednesday.

The operation targeted SocksEscort, which offered paid proxy services and was built on a botnet of hacked routers used to commit various crimes, such as hacking into victims’ bank and cryptocurrency accounts, and to file fraudulent unemployment insurance claims, according to an announcement published on Thursday by the Justice Department. The DOJ said the crimes facilitated by SocksEscort cost Americans millions of dollars.

Europol said in its announcement of the operation that the SocksEscort botnet allegedly compromised more than 369,000 routers and Internet of Things devices in 163 countries, and that the infected routers “have been disconnected from the service.” The law enforcement agency said SocksEscort was used to facilitate ransomware, distributed denial of service (DDoS) attacks, and the distribution of child sexual abuse material (CSAM).

“Customers of the criminal service paid for licences to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities,” said Europol. “Upon infection with the malware, the modems’ owners would not be aware that their IP addresses were used for illegitimate activities.”

The content of the SocksEscort official website was replaced by a notice announcing the seizure, as part of the law enforcement operation.

The botnet was composed of around 280,000 routers since last January, and was powered by malware called AVRecon, according to cybersecurity firm Black Lotus Labs, which tracked SocksEscort and worked with law enforcement in the takedown operation

“This botnet posed a significant threat, as it was marketed exclusively to criminals,” the company wrote in its post about the takedown. “Notably, over half of its victims were located in the United States or the United Kingdom, enabling attackers to conduct highly targeted operations.”

In 2023, Black Lotus Labs called SockEscort “one of the largest botnets targeting small-office/home-office (SOHO) routers seen in recent history.”

At the time, cybersecurity journalist Brian Krebs reported that SocksEscort was born in 2009 as a Russian-language service selling access to thousands of hacked computers.

### Related Stocks

- [HUT.US](https://longbridge.com/en/quote/HUT.US.md)
- [CORZ.US](https://longbridge.com/en/quote/CORZ.US.md)
- [CRCL.US](https://longbridge.com/en/quote/CRCL.US.md)
- [MARA.US](https://longbridge.com/en/quote/MARA.US.md)
- [HOOD.US](https://longbridge.com/en/quote/HOOD.US.md)
- [BITF.US](https://longbridge.com/en/quote/BITF.US.md)
- [CLSK.US](https://longbridge.com/en/quote/CLSK.US.md)
- [BTCS.US](https://longbridge.com/en/quote/BTCS.US.md)
- [CETH.US](https://longbridge.com/en/quote/CETH.US.md)
- [ETH.US](https://longbridge.com/en/quote/ETH.US.md)
- [GSOL.US](https://longbridge.com/en/quote/GSOL.US.md)
- [BITB.US](https://longbridge.com/en/quote/BITB.US.md)
- [BTF.US](https://longbridge.com/en/quote/BTF.US.md)
- [BKCH.US](https://longbridge.com/en/quote/BKCH.US.md)
- [FBTC.US](https://longbridge.com/en/quote/FBTC.US.md)
- [BRRR.US](https://longbridge.com/en/quote/BRRR.US.md)
- [HODL.US](https://longbridge.com/en/quote/HODL.US.md)
- [IMRA.US](https://longbridge.com/en/quote/IMRA.US.md)
- [BITO.US](https://longbridge.com/en/quote/BITO.US.md)
- [IBIT.US](https://longbridge.com/en/quote/IBIT.US.md)
- [RIOX.US](https://longbridge.com/en/quote/RIOX.US.md)
- [BCOR.US](https://longbridge.com/en/quote/BCOR.US.md)
- [ETHV.US](https://longbridge.com/en/quote/ETHV.US.md)
- [ETHA.US](https://longbridge.com/en/quote/ETHA.US.md)
- [BSOL.US](https://longbridge.com/en/quote/BSOL.US.md)
- [MRAL.US](https://longbridge.com/en/quote/MRAL.US.md)
- [KEEL.US](https://longbridge.com/en/quote/KEEL.US.md)

## Related News & Research

- [X rolls out ‘Cashtags’ for in-timeline crypto and stock data](https://longbridge.com/en/news/282772905.md)
- [Hut 8 (TSE:HUT) Hits New 1-Year High  - Time to Buy?](https://longbridge.com/en/news/282790515.md)
- [Circle is dominating Europe’s stablecoin market via EURC](https://longbridge.com/en/news/282425611.md)
- [Commodities Flow May Lead to Market Dip, Robinhood CIO Warns](https://longbridge.com/en/news/282223434.md)
- [Circle CEO rules out won-based stablecoin issuance, instead seeks local partnerships](https://longbridge.com/en/news/282550444.md)