DOJ and Europol dismantle SocksEscort proxy network, freeze $3.5M in crypto

US and European law enforcement disrupted SocksEscort, a malicious proxy service that since 2020 had compromised at least 369,000 routers and IoT devices across 163 countries to provide anonymized proxies for criminal use. Agencies seized 34 domains, disrupted 23 servers in seven countries and froze roughly $3.5 million in cryptocurrency. Europol estimates the service received about €5 million (~$5.7M) in crypto payments. The coordinated takedown involved authorities from Austria, France, the Netherlands, Germany, Hungary, Romania and the US (including the FBI Sacramento Field Office, DoD DCIS and IRS-CI Oakland), supported by Europol, Eurojust, Black Lotus Labs and the Shadowserver Foundation. Investigators linked the network to malware named AVrecon and to crimes such as ransomware, DDoS, bank fraud and cryptocurrency account takeovers; prosecutors cited victims including a New York crypto exchange customer defrauded of about $1 million. The disruption removes infrastructure used to hide attackers’ IP addresses, likely hindering operations that enable bank fraud and crypto theft in the short term. Crypto traders should watch for reduced velocity in theft-driven outflows from exchanges and continued law-enforcement pressure on privacy-for-hire services; frozen assets and seized infrastructure may also produce temporary changes in on-chain movement patterns for addresses tied to the operation.