Europol and international partners disrupt ‘SocksEscort’ proxy service

Joint operation targeted malicious proxy service exploiting residential routers worldwide

On 11 March 2026, Europol, in collaboration with law enforcement agencies from Austria, France, the Netherlands, and the United States, alongside Eurojust, executed Operation Lightning. This coordinated effort targeted the malicious proxy service ‘SocksEscort’, which allegedly compromised over 369 000 routers and Internet of Things devices in 163 countries, and offered ‘SocksEscort’ customers over 35 000 proxies in recent years.

During the action day, law enforcement agencies successfully took down and seized 34 domains as well as 23 servers located in seven countries. In addition, the United States froze a total of USD 3.5 million in cryptocurrency. The infected modems used to offer the proxy service have been disconnected from the service. Following this takedown, law enforcement authorities will alert the affected countries, paving the way for further investigative initiatives.

Magnus Brunner

EU Commissioner for Internal Affairs and Migration

This operation demonstrates how crucial close international cooperation is in the fight against cybercrime. When European law enforcement authorities act together with partners across the Atlantic, we can effectively dismantle criminal networks and better protect our citizens. Europol plays a central role as a hub for information exchange and operational cooperation in confronting the increasingly global nature of cybercrime with determination.

Catherine De Bolle

Executive Director, Europol

Cybercrime thrives on anonymity. Proxy services like ‘SocksEscort’ provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection. By dismantling this infrastructure, law enforcement has disrupted a service that enabled cybercrime on a global scale. Operations like this show that when investigators connect the dots internationally, the infrastructure behind cybercrime can be exposed and shut down.

Devices infected via exploited vulnerabilities

The investigation, which began in June 2025 with the opening of a case by Europol’s Joint Cyberaction Task Force (J-CAT), revealed that a botnet of infected devices was created. These devices, primarily residential routers, were exploited to facilitate various criminal activities, including ransomware, DDoS attacks, and the distribution of child sexual abuse material (CSAM).

The compromised devices were infected through a vulnerability in the residential modems of a specific brand. Customers of the criminal service paid for licences to abuse these infected devices, hiding their original IP addresses to engage in various criminal activities. To protect against such exploits, users and vendors are advised to update the firmware of their devices regularly.

Criminal service platform

The website offered a paid proxy service that gave its customers access to the compromised IP addresses, allowing them to hide their own. Access to these IP addresses was made possible by infecting modems belonging to individuals or organisations across the globe with malware. After infection, the modems’ owners would not be aware that their IP addresses were being used for illegitimate activities.

To get access to the proxy service, customers had to use a payment platform that made it possible to anonymously purchase the service using cryptocurrency. It is estimated that this payment platform received more than EUR 5 million from proxy service customers.

Europol as intelligence hub

Europol played a crucial role in supporting the investigation by participating in online and physical meetings, hosting and participating in data sprints, conducting crypto tracing, malware analysis, and network flow analysis. The Agency also provided operational analytical support, cross-checks against its databases, and created and distributed intelligence products.

On the action day, Europol hosted a Virtual Command Post in its premises in The Hague, the Netherlands, to facilitate coordination between all partners. Additionally, Europol offered remote support from the Command Post set up at Eurojust for crypto tracing and other investigative support. This operation highlights the importance of international cooperation in combating cybercrime.

Participating countries and agencies:

  • Austria: Vienna Public Prosecutors Office (Staatsanwaltschaft Wien); Criminal Intelligence Service – Cybercrime-Competence-Center (Bundeskriminalamt – C4)
  • Bulgaria: Cybercrime Directorate of the General Directorate Combating Organized Crime – Ministry of Interior
  • Eurojust
  • Europol
  • France: Public Prosecution Office Paris J3 section anti-cybercriminality; Investigative judge from JIRS/JUNALCO Financial and Cybercrime section – Court of Paris; Judicial Police – Office for Cybercrime Prevention (Police judiciaire – office anti-cybercriminalité (OFAC))
  • Germany: Düsseldorf Police Headquarters; Central Contact Point for Cybercrime North Rhine-Westphalia (ZAC NRW)
  • Hungary: Prosecution Service of Hungary; National Bureau of Investigation Cybercrime Department (Nemzeti Nyomozó Iroda Kiberbűnözés Elleni Főosztály)
  • Netherlands: Public Prosecutors Office (Openbaar Ministerie); Police (Politie)
  • Romania: Prosecution Office of the High Court of Cassation and Justice; Directorate for investigation of Organized Crime and Terrorism, Central Office; Directorate for Combating Organized Crime, Central Cybercrime Unit; General Inspectorate of the Romanian Police
  • United States of America: U.S. Department of Justice; U.S. Attorney’s Office for the Eastern District of California; Federal Bureau of Investigation (FBI); IRS Criminal Investigation (IRS-CI); The Department of Defense Office of Inspector General’s Defense Criminal Investigative Service

EMPACT

The European Multidisciplinary Platform Against Criminal Threats (EMPACT) tackles the most important threats posed by organised and serious international crime affecting the EU. EMPACT strengthens intelligence, strategic and operational cooperation between national authorities, EU institutions and bodies, and international partners. EMPACT runs in four-year cycles focusing on common EU crime priorities.

 
