International Investigative Team, Including Austria’s Bundeskriminalamt (BK) and the U.S. FBI, Shuts Down “SocksEscort”

Published: 14:44 (Vindobona)

In a coordinated operation, the FBI, the Austrian Federal Criminal Police Office (BK), and other international partners have succeeded in permanently taking down the criminal proxy service “SocksEscort.” The service, which had been active since 2009, served as an infrastructure for cybercriminals worldwide to carry out attacks and conduct illegal business.

The FBI, Austria's Bundeskriminalamt, and international partners have dismantled SocksEscort, a proxy service involved in cybercrime since 2009. / Picture: © Flickr / Blue Coat Photos / (CC BY-SA 2.0)

The operation, conducted under the code name “Operation Lightning,” marks one of the most significant successes against global cybercrime this year. On March 11, 2026, authorities succeeded in dismantling the complex network of infected devices and control systems.

A Botnet from the Living Room

SocksEscort was built on an insidious principle: rather than renting servers, the operators used the “AVrecon” malware to infect hundreds of thousands of private routers and Internet of Things (IoT) devices worldwide and turned them into the service’s proxy fleet. Since 2020, over 369,000 IP addresses in 163 countries are believed to have been compromised.

The unsuspecting owners of the devices usually did not realize that their internet connection was being rented out to criminals, who used it to launch ransomware attacks, carry out DDoS attacks, conceal bank fraud and identity theft, and distribute illegal content.

How “AVrecon” worked

The AVrecon malware was the technological backbone of SocksEscort. Unlike conventional malware that steals data or locks computers, AVrecon specializes in building an “invisible” network. It specifically targeted routers (often from manufacturers like TP-Link, ASUS, or Netgear) and IP cameras that were protected only by default passwords or were running outdated firmware.

Once infected, the device became a so-called SOCKS5 proxy. This means that a criminal on the other side of the world could route their internet traffic through your router. To websites or banks, it appeared as though the request was coming from a legitimate private household in Austria or Germany, not from a server in a data center. The request therefore inherited the household’s clean IP reputation, which is exactly what fraud and abuse filters rely on, and it was the household’s address that later showed up in abuse reports.

AVrecon used a dual control system. One part of the malware communicated with the command-and-control (C2) server to receive instructions, while another part handled the actual data traffic of the paying “clients” (the criminals relaying through the proxies). The malware was programmed to consume minimal CPU power so that the owner would notice neither a slowdown of the device nor of their internet connection.
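What the handshake between a criminal “client” and an infected router looks like on the wire, as an added example (this is not code from the article, from the BK or from AVrecon itself): a minimal SOCKS5 exchange per RFC 1928 with both sides implemented, plus a probe that reports whether a given host and port accept an unauthenticated CONNECT, which is the property that made these routers useful to SocksEscort’s customers. The “infected router” is a constructed stand-in on loopback that accepts any client without authentication and answers every CONNECT with “succeeded” without relaying anywhere; the listening port AVrecon actually used is not given in the article, so the port is a parameter.

```python
# Added example, not code from the article or from the AVrecon/SocksEscort operators:
# a SOCKS5 (RFC 1928) handshake, both sides, and an open-proxy probe on loopback.
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, NO_ACCEPTABLE = 0x05, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN, REP_SUCCEEDED = 0x01, 0x01, 0x03, 0x00


def build_greeting(methods=(NO_AUTH,)):
    """Client -> proxy: VER | NMETHODS | METHODS."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def parse_greeting(data):
    """Proxy side: return the auth methods the client offers."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        raise ValueError("not a SOCKS5 greeting")
    return list(data[2:])


def build_connect_request(host, port):
    """Client -> proxy: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:  # not a dotted quad, so send it as a domain name
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(data):
    """Proxy side: return (host, port) the client wants to reach."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if data[3] == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif data[3] == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return host, struct.unpack("!H", rest)[0]


def build_reply(rep, bind_host="0.0.0.0", bind_port=0):
    """Proxy -> client: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + socket.inet_aton(bind_host) + struct.pack("!H", bind_port))


def _fake_infected_router(listener):
    """Constructed stand-in for the proxy AVrecon turns a router into."""
    conn, _ = listener.accept()
    with conn:
        if NO_AUTH not in parse_greeting(conn.recv(257)):
            conn.sendall(bytes([SOCKS_VERSION, NO_ACCEPTABLE]))
            return
        conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))
        parse_connect_request(conn.recv(262))  # a real relay would connect out here
        conn.sendall(build_reply(REP_SUCCEEDED))


def probe_socks5(host, port, target=("example.org", 443), timeout=3.0):
    """Client side: does host:port speak SOCKS5 and relay for anyone?"""
    result = {"socks5": False, "no_auth": False, "open_proxy": False}
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_greeting((NO_AUTH,)))
        sel = s.recv(2)
        if len(sel) != 2 or sel[0] != SOCKS_VERSION:
            return result
        result["socks5"] = True
        if sel[1] != NO_AUTH:
            return result
        result["no_auth"] = True
        s.sendall(build_connect_request(*target))
        reply = s.recv(262)
        result["open_proxy"] = len(reply) >= 2 and reply[1] == REP_SUCCEEDED
    return result


def demo():
    """Probe the constructed router on a random loopback port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    t = threading.Thread(target=_fake_infected_router, args=(listener,), daemon=True)
    t.start()
    try:
        return probe_socks5("127.0.0.1", listener.getsockname()[1])
    finally:
        t.join(timeout=3)
        listener.close()
```

Calling demo() runs the full exchange against the stand-in and returns a dictionary with all three flags set to True. Pointed at the WAN-side address of your own router, probe_socks5 answers the question the article raises: whether the device will relay for a stranger without asking for credentials. A result of socks5 True but no_auth False means a proxy that is at least password-protected; open_proxy True means the device is usable exactly as SocksEscort used its victims.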

“Operation Day”

During the operation, a total of 34 domains were seized, and 23 servers in seven different countries were taken offline. In addition, U.S. authorities froze cryptocurrencies worth approximately $3.5 million. In Austria, Federal Criminal Police Office Director Andreas Holzer emphasized the importance of cross-border cooperation: “Operation Lightning demonstrates once again that sustainable success can only be achieved through close international cooperation.”

The Role of the Austrian Federal Criminal Police Office

Austria was not merely a bystander in this operation, but a strategic hub. On the Austrian side, the lead role was played by the C4 unit of the Federal Criminal Police Office. This specialized department focuses on the investigation of cyber infrastructures.

A significant part of the investigation involved analyzing servers, some of which were rented through Austrian hosting providers or controlled via Austrian IP addresses. Experts from the BK helped trace the money flows (cryptocurrencies) back to the masterminds. Since SocksEscort had been operating since 2009, the BK provided valuable long-term data from earlier investigations that helped piece together the puzzle of the server infrastructure.

The service’s name is derived from SOCKS (Socket Secure), the proxy protocol the infected devices spoke (SOCKS5 is specified in RFC 1928). Within the scene, the service was considered particularly “reliable” because it offered a huge selection of residential IPs that were not yet listed on so-called blacklists (the blocklists spam filters and fraud systems use to flag known-bad addresses), so traffic routed through them was rarely blocked or challenged.

Protection for the Future

Investigators warn that older router models in particular were vulnerable because of security flaws in their firmware. Users are urged to update their devices regularly, replace default passwords (the two weaknesses AVrecon exploited) and retire devices that no longer receive firmware updates, so as not to become part of such a botnet.

The shutdown of SocksEscort dismantled an infrastructure that had generated an estimated 5 million euros in revenue from criminal customers. Investigations into the masterminds behind the operation are ongoing worldwide.

Sources: Europol, U.S. Embassy Vienna, BMI, U.S. Department of Justice, BK