On March 11, Europol and the U.S. Department of Justice jointly announced the results of “Operation Lightning,” successfully dismantling the malicious proxy service “SocksEscort.” U.S. authorities froze $3.5 million in cryptocurrency related to this case, and seven countries seized 34 domains and 23 servers.
Operation Scale: Quantitative Results from Cross-Border Law Enforcement
The investigation began in June 2025, led by Europol’s Cybercrime Action Team (J-CAT). It uncovered a botnet composed of infected home routers, secretly recruited as proxy servers to hide the source of cybercriminal activities.
The Eastern District of California U.S. Attorney’s Office reported that by February 2026, approximately 8,000 infected routers had been recorded through the SocksEscort app, with about 2,500 located within the United States. The associated payment platforms are estimated to have received over $5.7 million in cryptocurrency, with U.S. authorities freezing $3.5 million of that amount.
Catherine De Bolle, Executive Director of Europol, stated, “By dismantling this infrastructure, law enforcement has disrupted a service that facilitates cybercrime on a global scale.”
Criminal Uses of SocksEscort: From Crypto Account Theft to Child Exploitation
U.S. Department of Justice charges reveal that the SocksEscort proxy network was used for various criminal activities:
Bank and Cryptocurrency Account Hijacking: Using proxies to conceal access sources and carry out account takeover attacks.
False Unemployment Benefits Claims: Submitting welfare applications under others’ identities to fraudulently obtain government funds.
Ransomware Attacks: Distributing and deploying ransomware through the proxy network.
DDoS Attacks: Using botnet routers to execute distributed denial-of-service attacks.
Distribution of Child Sexual Abuse Material (CSAM): Spreading illegal content via infected devices.
U.S. federal prosecutors cited multiple specific victim cases: a New York cryptocurrency exchange customer allegedly lost $1 million in digital assets; a Pennsylvania manufacturer reportedly lost $700,000; and several active and retired military personnel are said to have been defrauded of a total of $100,000.
Frequently Asked Questions
What is SocksEscort, and how does it work?
SocksEscort is a malicious proxy service that infects routers and IoT devices in homes and small businesses worldwide, turning these infected devices into proxy servers and offering access to paying customers. Clients can use these “residential proxies” to mask their real network activity sources, effectively conducting criminal activities using ordinary home user IP addresses.
How much cryptocurrency was frozen in this operation, and which countries were involved?
U.S. authorities froze $3.5 million in cryptocurrency related to this case. The payment platforms involved are estimated to have received over $5.7 million in total. Law enforcement actions took place in seven countries, seizing 34 domains and 23 servers.
How is SocksEscort used in cryptocurrency scams?
Criminals use SocksEscort’s proxy servers to hide their network connection sources, launching account takeover attacks on cryptocurrency accounts from locations that appear to be legitimate residential IP addresses, bypassing geo-based security measures. In one case, a New York-based crypto exchange customer was reportedly defrauded of $1 million worth of digital assets through this method.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
The Russian Federal Security Service cracked down on Telegram investment channel market manipulation, involving 19 companies and 55k illegal transactions
The Federal Security Service of Russia arrested three Telegram investment channel admins for manipulating stock prices through a "Pump&Dump" strategy, involving more than 55k trades across 19 large companies. Research shows that 11% of Telegram investment signals can affect stock returns, and more than 60% of investors rely on such signals. The central bank warned that it will monitor unusual transactions.
GateNews1h ago
Is it possible to bypass Financial Supervisory Commission (FSC) rules for buying crypto with card payments? O’DinDin promotes Wallet Pro, a service for buying crypto with a U.S. card payment
Odin Ding has launched the OwlPay and Wallet Pro services, focusing on B2B cross-border payments. By combining stablecoin technology with international financial systems, it showcases its fintech transformation. Through its partnership with MoneyGram, Wallet Pro enables cross-border transfers for cash purchases of stablecoins and operates in the U.S. market. The company’s offshore model avoids Taiwan’s strict regulation, and under the new draft legislation, it challenges the market competitive landscape; in the future, it will affect local operators’ compliance strategies.
CryptoCity1h ago
South Korean “retaliation intermediary” agencies charged USDT to carry out violent crimes, and continued operating even after the main suspect was arrested
South Korea has recently seen multiple “revenge intermediary” organizations that use cryptocurrency as a payment method. They offer intimidation and murder services via Telegram. Even though the main culprit has been arrested, related advertisements are still being posted. Police are investigating more than 50 cases and have arrested about 30 people.
GateNews2h ago
Encourage innovation! A U.S. judge in France bans Arizona’s regulation of prediction markets and pauses the prosecution against Kalshi.
A U.S. federal district court ruled that Arizona is prohibited from using its gambling laws to prosecute the prediction market platform Kalshi, concluding that the Commodity Futures Trading Commission has exclusive jurisdiction. The ruling affects the boundary between state and federal authority in regulating financial markets, and Kalshi maintains that its business is a financial product rather than traditional gambling. Decisions on prediction markets differ across states, and the Trump family has also expressed support for prediction markets.
CryptoCity3h ago
Can bypassing Taiwan Financial Supervisory Commission (FSC) regulations to buy crypto with a credit card be feasible? Oding Oding launches a U.S. debit card crypto purchase service, Wallet Pro
OdinTin launches OwlPay and Wallet Pro services, focusing on B2B cross-border payments. By combining stablecoin technology with international financial systems, it demonstrates its fintech transformation. Through its partnership with MoneyGram, Wallet Pro enables cross-border transfers of stablecoins purchased with cash and operates in the U.S. market. The company’s offshore model sidesteps Taiwan’s strict regulation, and under the new draft law it will challenge the competitive landscape, which in the future will affect local providers’ compliance strategies.
CryptoCity4h ago
