On March 11, Europol and the U.S. Department of Justice jointly announced the results of “Operation Lightning,” successfully dismantling the malicious proxy service “SocksEscort.” U.S. authorities froze $3.5 million in cryptocurrency related to this case, and seven countries seized 34 domains and 23 servers.
Operation Scale: Quantitative Results from Cross-Border Law Enforcement
The investigation began in June 2025, led by Europol’s Cybercrime Action Team (J-CAT). It uncovered a botnet composed of infected home routers, secretly recruited as proxy servers to hide the source of cybercriminal activities.
The Eastern District of California U.S. Attorney’s Office reported that by February 2026, approximately 8,000 infected routers had been recorded through the SocksEscort app, with about 2,500 located within the United States. The associated payment platforms are estimated to have received over $5.7 million in cryptocurrency, with U.S. authorities freezing $3.5 million of that amount.
Catherine De Bolle, Executive Director of Europol, stated, “By dismantling this infrastructure, law enforcement has disrupted a service that facilitates cybercrime on a global scale.”
Criminal Uses of SocksEscort: From Crypto Account Theft to Child Exploitation
U.S. Department of Justice charges reveal that the SocksEscort proxy network was used for various criminal activities:
Bank and Cryptocurrency Account Hijacking: Using proxies to conceal access sources and carry out account takeover attacks.
False Unemployment Benefits Claims: Submitting welfare applications under others’ identities to fraudulently obtain government funds.
Ransomware Attacks: Distributing and deploying ransomware through the proxy network.
DDoS Attacks: Using botnet routers to execute distributed denial-of-service attacks.
Distribution of Child Sexual Abuse Material (CSAM): Spreading illegal content via infected devices.
U.S. federal prosecutors cited multiple specific victim cases: a New York cryptocurrency exchange customer allegedly lost $1 million in digital assets; a Pennsylvania manufacturer reportedly lost $700,000; and several active and retired military personnel are said to have been defrauded of a total of $100,000.
Frequently Asked Questions
What is SocksEscort, and how does it work?
SocksEscort is a malicious proxy service that infects routers and IoT devices in homes and small businesses worldwide, turning these infected devices into proxy servers and offering access to paying customers. Clients can use these “residential proxies” to mask their real network activity sources, effectively conducting criminal activities using ordinary home user IP addresses.
How much cryptocurrency was frozen in this operation, and which countries were involved?
U.S. authorities froze $3.5 million in cryptocurrency related to this case. The payment platforms involved are estimated to have received over $5.7 million in total. Law enforcement actions took place in seven countries, seizing 34 domains and 23 servers.
How is SocksEscort used in cryptocurrency scams?
Criminals use SocksEscort’s proxy servers to hide their network connection sources, launching account takeover attacks on cryptocurrency accounts from locations that appear to be legitimate residential IP addresses, bypassing geo-based security measures. In one case, a New York-based crypto exchange customer was reportedly defrauded of $1 million worth of digital assets through this method.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
Senator Warren Presses Musk on X Money Risks, Citing Stablecoin Concerns and Regulatory Gaps
Senator Elizabeth Warren has asked Elon Musk for details on X Money, a payments feature for X, raising concerns about stablecoin risks, regulatory issues, financial stability, and data privacy, with a response due by April 21, 2026.
GateNews7h ago
Florida and Massachusetts jointly recover $5.4 million in cryptocurrency scam assets
The Florida State Attorney’s Office and the Marion County Sheriff’s Office jointly recovered $5.4 million in cryptocurrency scam funds, involving an investment fraud scheme that used romance as a cover. Some of the funds have been returned to victims in Florida and Massachusetts. Since its inception, CFEU has recovered $7.2 million, and another $12.6 million in assets remains frozen. Massachusetts has also carried out multiple law-enforcement actions, shutting down scam websites and recovering funds.
MarketWhisper11h ago
Kalshi Launches Parental Portal and AI Verification to Combat Underage Misuse of Prediction Market
Kalshi is introducing a parental portal for identity verification and selfie authentication to prevent minors from bypassing age restrictions. This follows scrutiny over its compliance with prediction market regulations amid ongoing lawsuits.
GateNews12h ago
Florida and Massachusetts Recover $5.4M in Crypto Fraud Assets from Romance Scam Scheme
Authorities in Florida and Massachusetts recovered $5.4 million in cryptocurrency from romance scam-related investment fraud, with victims receiving partial refunds. Ongoing efforts continue against crypto fraud, with additional assets under litigation.
GateNews12h ago
