International law enforcement agencies have dismantled a global cybercrime infrastructure known as the Operation Lightning, targeting the proxy service, SocksEscort, which allowed criminals to route internet traffic through infected routers around the world to hide their identities.
The operation was coordinated by Europol with support from authorities in the United States and several European countries, including Austria, France, the Netherlands, Bulgaria, Germany, Hungary and Romania. Judicial coordination was handled by Eurojust.
Investigators found that SocksEscort operated a large proxy network built from compromised routers and internet-connected devices. Malware infected modems belonging to individuals and organizations worldwide, allowing criminals to secretly use their internet connections as proxy nodes.
Since launching around 2020, the service is believed to have compromised more than 369,000 routers and IoT devices across 163 countries, offering tens of thousands of residential proxies to paying customers.
Customers purchased access to these proxies to mask their real IP addresses and locations, enabling a wide range of illegal activities, including financial fraud, ransomware attacks and distributed denial-of-service (DDoS) attacks.
During coordinated action in March 2026, authorities seized 34 domains and 23 servers located in seven countries that supported the SocksEscort infrastructure. U.S. authorities also froze about $3.5 million in cryptocurrency linked to the service.
Investigators say the service generated more than €5 million in payments from customers, many of whom paid anonymously using cryptocurrency.
According to investigators, criminals used the network to carry out fraud schemes such as bank and cryptocurrency account takeovers and fraudulent unemployment claims. In one case, a crypto exchange customer in New York lost roughly $1 million, while a U.S. manufacturing company lost $700,000.
Europol said the takedown highlights the importance of cross-border cooperation in combating cybercrime. The agency provided analytical and operational support, including malware analysis, crypto-tracing and intelligence coordination through a virtual command post during the operation.
Authorities are now working to notify affected countries and help victims secure infected devices, many of which were compromised through vulnerabilities in residential routers.
CRYPTO CRIME | Binance Processed Over 70,000 Law-Enforcement Requests Worldwide in 2025 Alone
See also
Stay tuned to BitKE for latest global crypto law enforcement updates
Join our WhatsApp channel here.
Follow us on X for the latest posts and updates
Related
Click Here For The Original Source.
