6 min read

U.S. authorities helped dismantle SocksEscort, a malicious residential proxy service that routed internet traffic through compromised home and small business routers. Investigators said cybercriminals used the network to hide their real locations while carrying out fraud and other online crimes.
Law enforcement agencies worked with international partners to disrupt the infrastructure behind the service. The operation reflects a broader global effort to target cybercriminal networks that rely on hacked internet-connected devices.

The dismantled system functioned as a residential proxy service that routed internet traffic through hacked routers and IoT devices. Such services can be used legitimately for testing or data collection, but criminal groups often abuse them.
By masking their identities, attackers can avoid detection while carrying out cyberattacks. Investigators said thousands of compromised devices were involved. This allowed hackers to operate a large anonymous infrastructure online.

Attackers gained access to routers and IoT devices by exploiting known security vulnerabilities and exposed services. Once compromised, the devices were used as residential proxies that routed traffic for cybercriminal customers.
Many device owners had no idea their hardware was being used in criminal activity. Federal investigators warned that outdated or unpatched devices remain especially vulnerable to this kind of abuse.

U.S. investigators played a central role in tracking the infrastructure behind the proxy service. Agencies analyzed digital evidence, identified command servers, and coordinated the takedown. Legal actions allowed authorities to seize domains and disrupt the criminal network.
Cooperation with international law enforcement helped expand the operation. These coordinated efforts were key to dismantling the service.

Because cybercrime often crosses borders, the investigation involved cooperation with partners in several countries. Law enforcement agencies shared intelligence and technical analysis. This collaboration helped identify servers and operators involved in the proxy network.
Joint action made it possible to disrupt infrastructure spread across multiple regions. Such global partnerships are increasingly common in cybercrime investigations.

The takedown disrupted a major proxy service that cybercriminals used to hide their online activity behind compromised routers. Authorities said the operation included domain seizures, server takedowns, and the disconnection of infected devices from the service.
By interrupting that infrastructure, investigators cut off access to a network that had been used to facilitate fraud and other criminal activity. The case shows how residential proxy services can become an important tool in cybercrime operations.

Routers and connected devices have become attractive targets for cybercriminals. Many consumers rarely update router firmware or change default passwords. As a result, millions of devices worldwide remain vulnerable.
Attackers exploit these weaknesses to build botnets and proxy networks. Security experts warn that this problem will continue to grow as more devices connect to the internet.

Proxy services route internet traffic through intermediary devices instead of directly connecting to a destination. This can hide the source of online activity.
Criminals use such networks to launch spam campaigns, steal data, and carry out hacking attacks. By spreading activity across thousands of devices, the attackers reduce the risk of detection. The dismantled network operated on this same principle.
Fun fact: As part of the takedown, U.S. investigators seized dozens of domains and took down servers while also freezing about $3.5 million worth of crypto tied to the botnet’s operators, showing how financially lucrative such illicit proxy networks can be.

Owners of compromised routers often do not realize their devices are being used in cybercrime operations. Federal agencies warn that hacked routers and IoT devices can be used to route criminal traffic and make illegal activity appear to come from the victim’s network.
Security professionals recommend keeping firmware up to date, changing default passwords, and disabling unnecessary remote access features. Those steps can lower the risk of a device being pulled into a malicious proxy network.

This incident highlights the importance of securing home and business network equipment. Simple steps like enabling automatic updates and changing default credentials can prevent many attacks. Network security tools can also detect unusual traffic patterns.
Governments and cybersecurity agencies frequently warn about router vulnerabilities. Better security awareness is essential for preventing large-scale cyber threats.
Little-known fact: Law enforcement officials said the SocksEscort botnet, which turned hundreds of thousands of routers and IoT devices into proxies, had been operating for more than a decade and a half, making it one of the longest‑running malicious proxy services ever disrupted.

Authorities said the investigation into the network is ongoing. The March 2026 takedown announcement focused on disrupting the service, seizing domains, and freezing cryptocurrency linked to the operation.
The case remains part of a broader effort by law enforcement to identify and disrupt the people behind cybercrime infrastructure. Further public updates would depend on what investigators and prosecutors announce in court or in future releases.

The takedown of one malicious proxy service does not end the broader threat from cybercrime infrastructure. Law enforcement agencies and cybersecurity teams continue to track similar services that exploit compromised routers and other internet-connected devices.
Officials say ongoing investigations, timely software updates, and stronger device security remain important as criminals continue to adapt their methods. The SocksEscort case is a reminder that cybercrime networks can persist for years when vulnerable devices are left exposed.

The SocksEscort takedown shows how insecure routers and IoT devices can be turned into tools for cybercrime. Investigators said international cooperation was critical to disrupting the service and disconnecting infected devices from the network.
The case also highlights the importance of keeping connected devices updated and properly secured. As more homes and businesses rely on internet-connected hardware, basic security steps remain essential for reducing the risk of future abuse.
This slideshow was made with AI assistance and human editing.
Dan Mitchell has been in the computer industry for more than 25 years, getting started with computers at age 7 on an Apple II.