Botnet Takedown: 369,000 Hacked Routers Shut Down Worldwide
Hundreds of thousands of hacked home and small-business routers were cut off from a criminal proxy service this week after a sweeping international law enforcement operation dismantled one of the most dangerous proxy networks in recent memory. The botnet, known as SocksEscort, had been quietly reselling people's internet connections for over a decade, and most victims had no idea.
(Image credit: Bruce Durban)
What Was SocksEscort — and Why Should You Care?
SocksEscort was not your average cybercrime operation. It was a paid criminal service that rented out access to thousands of infected routers, allowing bad actors to mask their real identities while committing fraud, launching cyberattacks, and distributing illegal content.
The service operated like a legitimate business — complete with subscription tiers and customer support — except that every "product" it sold was stolen bandwidth from unsuspecting households and small offices around the world. Customers paid for licenses to use compromised devices as cover, hiding their true IP addresses while engaging in a wide range of criminal activity.
According to the Department of Justice, crimes facilitated through SocksEscort cost Americans millions of dollars. The victims ranged from individuals who had their bank and cryptocurrency accounts drained, to people who were targeted with fraudulent unemployment insurance claims filed in their names.
What made this operation especially insidious was its invisibility. The router owners had no idea their devices had been compromised. Their internet connections were quietly being used as criminal infrastructure while they streamed movies, paid bills, and worked from home.
The Scale of the Hacked Router Botnet Was Staggering
Europol confirmed that the SocksEscort botnet had compromised more than 369,000 routers and Internet of Things devices across 163 countries over its lifetime. At its peak earlier this year, roughly 280,000 of those routers were active in the network at the same time, all infected with a strain of malware known as AVRecon.
Cybersecurity researchers had been tracking SocksEscort for years. In 2023, it was already described as one of the largest botnets ever observed targeting small-office and home-office routers. The service originally launched in 2009 as a Russian-language platform selling access to hacked computers, before evolving into the massive router-focused criminal network it ultimately became.
More than half of the infected devices were located in the United States and the United Kingdom. By routing their operations through American and British IP addresses, criminals could convincingly impersonate legitimate local users — making fraud schemes significantly harder for banks and investigators to detect.
What Crimes Were Being Committed Through These Devices?
The scope of criminal activity enabled by SocksEscort is deeply alarming. Law enforcement confirmed the service was used to facilitate ransomware attacks on businesses and critical infrastructure, DDoS attacks designed to knock websites offline, bank account takeovers and cryptocurrency theft, fraudulent unemployment insurance claims filed using stolen identities, and the distribution of child sexual abuse material (CSAM).
Each of these crimes was made significantly harder to trace because the perpetrators were operating through the IP addresses of innocent router owners. This is the kind of criminal infrastructure that enables digital crime at an industrial scale.
Europol was clear that router owners bore no fault: "Upon infection with the malware, the modems' owners would not be aware that their IP addresses were used for illegitimate activities."
How a Global Coalition Brought It Down
The takedown was a coordinated international effort involving multiple law enforcement agencies across several countries. The operation culminated on Wednesday, when the SocksEscort website was replaced with a seizure notice — the digital equivalent of a padlock on the front door.
Europol confirmed that all infected routers identified as part of the network "have been disconnected from the service." The devices weren't destroyed, but they were cut off from the criminal infrastructure they had been enslaved to.
Private-sector cybersecurity researchers played a decisive role. Their teams had spent years monitoring SocksEscort's infrastructure and working with law enforcement to map the network before the coordinated strike. That research provided the intelligence authorities needed to understand how the botnet operated — and who was paying to use it.
The service was described as having been "marketed exclusively to criminals," and because more than half of its victim devices sat in the US and UK, subscribers could reach English-speaking targets from addresses that looked local.
Why Home Routers Are a Prime Target for Cybercriminals
This case is a stark reminder of why home routers have become one of the most coveted targets in modern cybercrime. Unlike laptops and smartphones, most consumer routers do not update themselves, their owners rarely apply firmware patches by hand, and the devices sit unmonitored for years without anyone checking on them.
Cybercriminals know this. A compromised router is a persistent, low-profile foothold — it can be infected once and quietly exploited for months or years without triggering alarms. In the case of SocksEscort, some devices may have been part of the botnet for an extended period before being detected.
Small offices are particularly exposed. They often rely on consumer-grade hardware without dedicated IT staff. The AVRecon malware powering SocksEscort was specifically engineered to target these SOHO (small office/home office) devices — they were the path of least resistance.
The problem is structural. Millions of routers worldwide are running firmware that hasn't been updated in years, with factory-default credentials that were never changed. That persistent vulnerability is exactly what criminal networks like SocksEscort are designed to exploit.
What This Takedown Means — and What It Doesn't
Operations like this one genuinely matter. Taking down SocksEscort disrupts an active criminal ecosystem, cuts off revenue for its operators, and forces anyone relying on the service to scramble. For victims of the fraud it enabled, it represents a measure of accountability.
But it's worth being realistic. The demand for criminal proxy services doesn't disappear when one network is dismantled. Other botnets exist. New ones will be built. The underlying vulnerability — millions of insecure, unpatched routers connected to the internet — remains largely unchanged.
What is changing is the sophistication of the response. Cross-border law enforcement collaboration of this scale represents a maturing model for fighting threats that, by design, ignore national borders. Each successful takedown raises the cost and risk for whoever builds the next one.
Steps You Can Take to Protect Your Router Right Now
If you own a home or small business router, this case is a compelling reason to act today. You don't need technical expertise to meaningfully reduce your exposure.
Start by logging into your router's admin panel and checking for a firmware update. Manufacturers periodically release patches that close known vulnerabilities, and installing them takes minutes. If your router is several years old and the vendor no longer publishes updates for it, replace it; an unsupported device cannot be patched no matter how carefully you configure it. If you have any reason to suspect the device is already compromised, reset it to factory settings before applying the update and reconfiguring it, rather than updating over the top of the existing state.
Change your router's default administrator credentials if you haven't already. Default passwords are publicly documented and are among the first things attackers try. A strong, unique password closes that door immediately. Check the Wi-Fi password as well, since it is often the same factory default.
Finally, disable remote management features unless you actively need them. These settings expose the admin interface to the whole internet, not just your home network, and are a common exploitation vector when left on by default. Turning them off costs nothing, and you can confirm the change by checking from a network outside your home (for example a phone on mobile data) that the router's public address no longer answers on the admin port.
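Hardening does not tell you whether a router is already being rented out. The characteristic footprint of a proxy botnet like the one described above is that unrelated hosts on the internet connect to a high port on the router's WAN side, and the router itself then opens fresh connections to third parties on their behalf. The following is an added example, not code from the article or from any vendor, that runs that heuristic over flow records. It assumes an exported conntrack-style log in the form `<timestamp> <proto> <src>:<sport> -> <dst>:<dport>`, recorded in original (pre-NAT) direction so that LAN hosts keep their private address and only flows the router originates carry the WAN address; the addresses, ports, thresholds and sample records are all constructed for the example.

```python
"""Heuristic relay detector for a SOHO router over constructed flow records.

Added example, not from the article. Assumptions: records are in original
(pre-NAT) direction, the router's WAN address and LAN range are known, and the
thresholds below are illustrative rather than tuned on real data."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ROUTER_WAN = "203.0.113.7"               # assumed WAN address (TEST-NET-3, constructed)
LAN_NET = ip_network("192.168.1.0/24")   # assumed LAN range
WINDOW_SECONDS = 5.0                     # max gap between a client hit and the relayed flow
MIN_DISTINCT_CLIENTS = 3                 # fewer than this is treated as scanner noise


@dataclass(frozen=True)
class Flow:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line):
    """Parse one record of the form 'ts proto src:sport -> dst:dport'."""
    ts, proto, src, _arrow, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(float(ts), proto, src_ip, int(sport), dst_ip, int(dport))


def parse_flows(text):
    """Parse a whole export, skipping blank lines and '#' comments; sort by time."""
    flows = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            flows.append(parse_flow(body))
    return sorted(flows, key=lambda f: f.ts)


def is_lan(ip):
    return ip_address(ip) in LAN_NET


def attribute_relays(flows):
    """Map each router-originated outbound flow to the most recent inbound
    session from an internet host that began within WINDOW_SECONDS before it.
    Returns {client_ip: {(dst_ip, dst_port), ...}} for attributed flows only."""
    inbound = [f for f in flows
               if not is_lan(f.src) and f.src != ROUTER_WAN and f.dst == ROUTER_WAN]
    relayed = defaultdict(set)
    for out in flows:
        if out.src != ROUTER_WAN or is_lan(out.dst):
            continue  # LAN-originated traffic or traffic back into the LAN
        candidates = [i for i in inbound
                      if 0 <= out.ts - i.ts <= WINDOW_SECONDS and i.src != out.dst]
        if candidates:
            client = max(candidates, key=lambda i: i.ts)
            relayed[client.src].add((out.dst, out.dport))
    return dict(relayed)


def relay_verdict(text):
    """Flag the router when several distinct internet clients appear to have
    had connections relayed through it. Returns (flagged, attribution)."""
    relayed = attribute_relays(parse_flows(text))
    return len(relayed) >= MIN_DISTINCT_CLIENTS, relayed


# Constructed sample export: three outside hosts hit port 7002 on the WAN side
# and the router opens an unrelated outbound flow shortly after each one.
SAMPLE_FLOWS = """\
# ts proto src:sport -> dst:dport   (constructed records)
1000.0 tcp 192.168.1.20:51000 -> 192.0.2.10:443    # LAN laptop browsing
1000.5 udp 203.0.113.7:123 -> 192.0.2.53:123       # router's own NTP query
1001.0 tcp 198.51.100.77:40211 -> 203.0.113.7:7002 # internet host hits a high WAN port
1001.3 tcp 203.0.113.7:33001 -> 192.0.2.20:443     # router then opens a flow to a third party
1002.0 tcp 198.51.100.78:40500 -> 203.0.113.7:7002
1002.2 tcp 203.0.113.7:33002 -> 192.0.2.21:443
1003.0 tcp 198.51.100.79:41000 -> 203.0.113.7:7002
1003.4 tcp 203.0.113.7:33003 -> 192.0.2.22:80
1010.0 tcp 192.168.1.21:52000 -> 192.0.2.10:443    # more ordinary LAN traffic
"""

# Constructed benign export: only LAN traffic, the router's NTP query and one
# unsolicited hit with nothing relayed afterwards (typical of a scanner).
BENIGN_FLOWS = """\
1000.0 tcp 192.168.1.20:51000 -> 192.0.2.10:443
1000.5 udp 203.0.113.7:123 -> 192.0.2.53:123
1001.0 tcp 198.51.100.77:40211 -> 203.0.113.7:7002
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_FLOWS), ("benign", BENIGN_FLOWS)):
        flagged, relayed = relay_verdict(text)
        print(name, "flagged" if flagged else "clean", relayed)
```

The attribution step deliberately pairs each router-originated flow with only the most recent unsolicited inbound session, so a single scanner probe that is never followed by an outbound connection is not counted, while the router's own legitimate traffic (NTP, DNS, update checks) is ignored unless it happens to land inside the window after a client hit. The signal is coarse and should be treated as a reason to reset and re-check the device, not as proof of infection.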
Criminal Infrastructure Is Being Targeted
The SocksEscort operation fits a broader pattern that has accelerated in recent years. Law enforcement agencies have increasingly set their sights not just on individual criminals, but on the infrastructure that makes large-scale cybercrime possible — the markets, the hosting services, the botnets.
The result is that operating criminal infrastructure has become measurably riskier. When a network like SocksEscort gets dismantled after years of operation, it signals to anyone building the next one that they too can be found, tracked, and shut down.
The 369,000 devices that SocksEscort enslaved have been cut free. The people whose bank accounts were raided and whose connections were used without their knowledge didn't ask to be part of a criminal network. This week, at least, they aren't anymore.