
Authorities takedown global proxy network SocksEscort

12 March 2026 at 12:40

Authorities from multiple countries dismantled SocksEscort, a residential proxy network cybercriminals used to commit large-scale fraud, claiming access to about 369,000 IP addresses since 2020, the Justice Department said Thursday.

Europol, which aided the investigation alongside various law enforcement agencies, Lumen’s Black Lotus Labs and the Shadowserver Foundation, said the malicious proxy service compromised routers and IoT devices in 163 countries. Officials said the proxy network’s payment platform received about $5.8 million from its customers.

The globally coordinated action, dubbed Operation Lightning, took down and seized 34 domains and 23 servers in seven countries. U.S. officials froze a combined $3.5 million in cryptocurrency allegedly linked to the botnet that was created from infected devices.

“Cybercrime thrives on anonymity,” Catherine De Bolle, executive director at Europol, said in a statement. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”

SocksEscort’s operators assembled the botnet by exploiting a vulnerability in residential modems from an unnamed vendor, according to officials.

The cybercrime operation defrauded Americans and U.S. businesses of millions of dollars, the Justice Department said. More than one-quarter of the 8,000 infected routers SocksEscort advertised in February were based in the United States.

SocksEscort began operating in 2009 and its command-and-control infrastructure went undetected by most tools for a very long time, Ryan English, information security engineer at Black Lotus Labs, told CyberScoop.

The botnet’s infrastructure, which was powered by AVRecon malware, was elusive and maintained a consistently high volume, claiming an average 20,000 victims weekly since early 2024. Its impact peaked in January 2025 when it ensnared more than 15,000 victims daily, according to Black Lotus Labs’ research.

The company said it observed 280,000 unique IPs as victims of the proxy network since early 2025, and more than half of SocksEscort’s victims were based in the United States and United Kingdom.

“Given the high volume of victim generation, it would not surprise me if they eventually hit something really important that moved them up the list of networks to go after,” Chris Formosa, senior lead information security engineer at Black Lotus Labs, told CyberScoop.

“They were exclusively marketing to cybercriminals and nowhere else,” he added. “With a network like this, once law enforcement gains legal access to backend infrastructure it can give them a lot of intelligence on other threat actors besides the botnet operators.”

Various agencies from Austria, Bulgaria, Eurojust, France, Germany, Hungary, the Netherlands and Romania assisted in the investigation and takedown.

The post Authorities takedown global proxy network SocksEscort appeared first on CyberScoop.

DOJ seizes piracy sites, Italian police dismantle illegal IPTV operation

30 January 2026 at 13:29

A trio of domains that allegedly distributed pirated content, including movies, TV shows, video games and other content, was seized by the U.S. government as part of a globally coordinated crackdown on copyright infringement, the Justice Department said Friday.

The sites — zamunda.net, arenabg.com and zelka.org — were among the most popular domains in Bulgaria and likely generated significant revenue from ads, officials said. Seizure notices are currently displayed on all three sites warning visitors that illegal distribution of copyrighted works is a crime.

Officials said the U.S.-registered domains received tens of millions of visits a year, including one that often ranked in the top 10 most visited sites in Bulgaria. Multiple Bulgarian agencies assisted with the investigation alongside Homeland Security Investigations, the U.S. Attorney’s Office for the Southern District of Mississippi and the National Intellectual Property Rights Coordination Center.

The sites offered visitors thousands of infringed works, resulting in millions of downloads that carry a collective retail value of millions of dollars, prosecutors said.

The seizures were announced just days after similar actions in Italy where police seized three allegedly illegal IPTV services that distributed pirated content to millions of users. The operation, dubbed “Switch off,” dismantled IT infrastructure the unnamed sites used to distribute content owned by Sky, Dazn, Mediaset, Amazon Prime, Netflix, Paramount, Disney+ and other media companies, officials said.

Italian police said they found evidence linking the IPTV sites to 31 members of a transnational organized crime group and searched the suspects’ residences in Italy. Authorities identified an additional 14 suspects in the United Kingdom, Spain, Romania and Kosovo.

“The suspects adopted advanced anonymization strategies that have materialized in a series of operations, such as investing in cryptocurrencies, the fictitious heading of assets and the establishment of fictitious companies,” Italian State Police said in a statement.

The actions in Italy were announced about a week before the country hosts the Winter Olympics in Milan, which gets underway Feb. 6.

The post DOJ seizes piracy sites, Italian police dismantle illegal IPTV operation appeared first on CyberScoop.
