Authorities in Europe arrested 29 alleged cybercriminals and took down more than 27,000 illegal streaming URLs that pirated major sporting events, films and TV programming, Europol said Wednesday.

The continent-wide collaboration, led by Bulgaria and the European Union’s police agency, allowed authorities to dismantle nine organized crime groups supporting the illicit streaming networks, officials said. “Operation Kratos 2” focused on disrupting the networks’ underlying infrastructure and stretched for seven months before coming to a close in April. 

Officials did not name the suspects, groups or services targeted during the crackdown, but noted that investigators identified key players responsible for managing and operating the piracy platforms.

Europol said the streaming sites infringed on nearly 850,000 media across 169 domains. 

“What appears to consumers as cheap access to premium content is powered by complex criminal enterprises,” the agency said in a news release. Illegal streaming site operators host separate servers for customer-facing websites and illegal content, and distribute their services across multiple countries.

During the course of the operation, officials conducted 148 house searches, identified 86 suspects and referred 59 cases to courts for criminal proceedings. 

Investigators also worked with private-sector partners to identify nearly 4,400 new domains and more than 18,000 IP addresses linked to piracy and other illegal activity. Those efforts allowed authorities to report almost 400,000 additional URLs for suspension or removal. 

Live sports piracy networks are widespread and consistently tracked by antipiracy coalitions and authorities globally. Authorities in Egypt last year shut down Streameast, the most popular and largest illegal live sports streaming network at the time, with an operation that spanned 80 domains and logged more than 1.6 billion visits during the year prior.

Operation Kratos 2 was supported by anti-piracy associations, UEFA Europa League, La Liga, beIN Media Group and officials from Belgium, Bulgaria, Croatia, France, Greece, Ireland, Italy, the Netherlands, Poland, Romania, Spain, the United Kingdom and the United States.

The post European authorities crack down on illegal streaming networks appeared first on CyberScoop.

Authorities from multiple countries dismantled SocksEscort, a residential proxy network cybercriminals used to commit large-scale fraud, claiming access to about 369,000 IP addresses since 2020, the Justice Department said Thursday.

Europol, which aided the investigation alongside various law enforcement agencies, Lumen’s Black Lotus Labs and the Shadowserver Foundation, said the malicious proxy service compromised routers and IoT devices in 163 countries. Officials said the proxy network’s payment platform received about $5.8 million from its customers.

The globally coordinated action, dubbed Operation Lightning, took down and seized 34 domains and 23 servers in seven countries. U.S. officials froze a combined $3.5 million in cryptocurrency allegedly linked to the botnet that was created from infected devices.

“Cybercrime thrives on anonymity,” Catherine De Bolle, executive director at Europol, said in a statement. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”

SocksEscort’s operators assembled the botnet by exploiting a vulnerability in residential modems from an unnamed vendor, according to officials.

The cybercrime operation defrauded Americans and U.S. businesses of millions of dollars, the Justice Department said. More than one-quarter of the 8,000 infected routers SocksEscort advertised in February were based in the United States.  

SocksEscort began operating in 2009 and its command-and-control infrastructure went undetected by most tools for a very long time, Ryan English, information security engineer at Black Lotus Labs, told CyberScoop.

The botnet’s infrastructure, which was powered by AVRecon malware, was elusive and maintained a consistently high volume, claiming an average 20,000 victims weekly since early 2024. Its impact peaked in January 2025 when it ensnared more than 15,000 victims daily, according to Black Lotus Labs’ research. 

The company said it observed 280,000 unique IPs as victims of the proxy network since early 2025, and more than half of SocksEscort’s victims were based in the United States and United Kingdom.

“Given the high volume of victim generation, it would not surprise me if they eventually hit something really important that moved them up the list of networks to go after,” Chris Formosa, senior lead information security engineer at Black Lotus Labs, told CyberScoop. 

“They were exclusively marketing to cybercriminals and nowhere else,” he added. “With a network like this, once law enforcement gains legal access to backend infrastructure it can give them a lot of intelligence on other threat actors besides the botnet operators.”

Various agencies from Austria, Bulgaria, Eurojust, France, Germany, Hungary, the Netherlands and Romania assisted in the investigation and takedown.

The post Authorities takedown global proxy network SocksEscort appeared first on CyberScoop.