
Authorities take down global proxy network SocksEscort

12 March 2026 at 12:40

Authorities from multiple countries dismantled SocksEscort, a residential proxy network cybercriminals used to commit large-scale fraud, claiming access to about 369,000 IP addresses since 2020, the Justice Department said Thursday.

Europol, which aided the investigation alongside various law enforcement agencies, Lumen’s Black Lotus Labs and the Shadowserver Foundation, said the malicious proxy service compromised routers and IoT devices in 163 countries. Officials said the proxy network’s payment platform received about $5.8 million from its customers.

The globally coordinated action, dubbed Operation Lightning, took down and seized 34 domains and 23 servers in seven countries. U.S. officials froze a combined $3.5 million in cryptocurrency allegedly linked to the botnet that was created from infected devices.

“Cybercrime thrives on anonymity,” Catherine De Bolle, executive director at Europol, said in a statement. “Proxy services like SocksEscort provide criminals with the digital cover they need to launch attacks, distribute illegal content and evade detection.”

SocksEscort’s operators assembled the botnet by exploiting a vulnerability in residential modems from an unnamed vendor, according to officials.

The cybercrime operation defrauded Americans and U.S. businesses of millions of dollars, the Justice Department said. More than one-quarter of the 8,000 infected routers SocksEscort advertised in February were based in the United States.  

SocksEscort began operating in 2009 and its command-and-control infrastructure went undetected by most tools for a very long time, Ryan English, information security engineer at Black Lotus Labs, told CyberScoop.

The botnet’s infrastructure, which was powered by AVRecon malware, was elusive and maintained a consistently high volume, claiming an average of 20,000 victims weekly since early 2024. Its impact peaked in January 2025, when it ensnared more than 15,000 victims daily, according to Black Lotus Labs’ research.

The company said it observed 280,000 unique IPs as victims of the proxy network since early 2025, and more than half of SocksEscort’s victims were based in the United States and United Kingdom.

“Given the high volume of victim generation, it would not surprise me if they eventually hit something really important that moved them up the list of networks to go after,” Chris Formosa, senior lead information security engineer at Black Lotus Labs, told CyberScoop. 

“They were exclusively marketing to cybercriminals and nowhere else,” he added. “With a network like this, once law enforcement gains legal access to backend infrastructure it can give them a lot of intelligence on other threat actors besides the botnet operators.”

Various agencies from Austria, Bulgaria, Eurojust, France, Germany, Hungary, the Netherlands and Romania assisted in the investigation and takedown.

The post Authorities take down global proxy network SocksEscort appeared first on CyberScoop.

Google’s disruption rips millions of devices out of malicious network

30 January 2026 at 10:37

Millions of devices used as proxies by cybercriminals, espionage groups and data thieves have been removed from circulation following Google’s disruption of IPIDEA, a China-based residential proxy network. The reduction in available proxy devices came after Google’s Threat Intelligence Group used legal action and intelligence sharing to target the company’s domain infrastructure, Google said in a blog post Wednesday. 

Google’s action, aided by Cloudflare, Lumen’s Black Lotus Labs and Spur, impaired some of IPIDEA’s proxy infrastructure, but not all of it. The coordinated strikes against malicious infrastructure underscore the back-and-forth struggle threat hunters confront when they take out pieces of cybercriminals’ vast and growing infrastructure. 

Initial data indicates IPIDEA’s proxy network was cut by about 40%.

“We have still seen around 5 million distinct bots communicating with the IPIDEA command and control servers, so as of now they are still able to operate with a large volume of proxies,” Chris Formosa, senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, told CyberScoop Thursday.

Lumen was tracking a daily average of about 8.5 million proxies connecting to IPIDEA’s servers before some of its domains were taken offline this week. “The true population was likely closer to 10-11 million, but we could only see 8.5 million of them with our visibility,” Formosa said.

Google researchers discovered a cluster of seemingly independent proxy and virtual private network brands controlled by IPIDEA. Google found several domains also owned by IPIDEA supporting software development kits for residential proxies embedded into existing applications.

Developers who add these SDKs to their apps are paid by IPIDEA, typically on a per-download basis. “These SDKs are the key to any residential proxy network—the software they get embedded into provides the network operators with the millions of devices they need to maintain a healthy residential proxy network,” Google said in the report.

Residential proxy networks can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.

“The residential proxy industry appears to be rapidly expanding, and GTIG’s research indicates that the vast majority of its growth is fueled by malicious use,” Charley Snyder, senior manager at GTIG, told CyberScoop. “GTIG found that these proxies are overwhelmingly misused by bad actors.”

Researchers said many service providers are packaging proxy malware in software that users are downloading, and unwittingly allowing proxy networks to hijack consumer bandwidth to obscure cybercrime.

Earlier this month, Google said it observed more than 550 distinct threat groups, including some from China, North Korea, Iran and Russia, using IP addresses tracked as IPIDEA exit nodes during a seven-day period. These threat groups accessed victim cloud environments and on-premises infrastructure and initiated password-spray attacks, according to Google.

Security teams and cyber authorities are placing more attention on the systems and scaffolding that support cybercrime, effectively trying to squeeze resources and place additional pressure on their activities.

“By targeting the tools criminals use rather than just the criminals themselves, defenders can impose significant costs on the ecosystem in a way that can’t easily or quickly be regenerated,” Snyder said. 

Google’s actions severed the command-and-control links between operators and millions of devices, and took down storefronts, negating the investments IPIDEA made to gain brand awareness and traction, he added. 

While Google took a big bite out of IPIDEA’s infrastructure, the fight against the company and others continues. 

“This is a very complex ecosystem with dozens, if not hundreds, of brands and shell entities,” Snyder said. “While our disruption is significant, this ecosystem is built on anonymity and shared resources. They’ve survived takedowns before, so we are pleased by the progress we’ve made but know there is more to do.”

The post Google’s disruption rips millions of devices out of malicious network appeared first on CyberScoop.

Kimwolf botnet’s swift rise to 2M infected devices agitates security researchers

14 January 2026 at 15:00

The Kimwolf botnet, which splintered off from the record-setting Aisuru DDoS botnet in August, gained the widespread attention of security researchers when it temporarily claimed the top spot in Cloudflare’s global domain rankings in late October 2025.

Within weeks it spread like a wildfire, eventually taking over more than 2 million unofficial Android TV devices, according to Synthient, after its operators figured out how to abuse residential proxy networks for local control.

“That is an untapped population of bots that they were able to access that nobody else was able to access from a botnet perspective,” Chris Formosa, senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, told CyberScoop.

Formosa, who has been monitoring the rise of Aisuru for more than a year, said the seizure of Rapper Bot paired with the arrest of its alleged leader in August paved the way for Aisuru and Kimwolf, which are run by some of the same cybercriminals, to gain full strength.

Behind the scenes, Lumen, along with industry partners, had gathered enough evidence on Kimwolf’s backend to spring into action by null-routing, or dropping, packets originating from the botnet’s command-and-control (C2) infrastructure.

Since early October, Lumen has blocked more than 550 C2s or IP addresses linked to Aisuru and Kimwolf’s servers, said Ryan English, information security engineer at Black Lotus Labs.

Lumen’s efforts caught the ire of Kimwolf’s operators, who responded by loading a profane greeting to the global network operator in a DDoS payload. This type of provocation, which Kimwolf’s operators have often leaned into, is a clear sign the group is financially motivated and not supported by a nation-state, according to Formosa.

Kimwolf’s DDoS attacks are generally deployed in short bursts of one-to-two minutes, but some attacks have extended for hours, Formosa said. 

“Primarily, it seems like Minecraft is one of their favorites. Almost every day you can see Minecraft servers constantly getting blown up,” he added.

Technical research published by XLab, Synthient and Lumen demonstrates how the botnet’s operators have quickly spun up and abandoned infrastructure or shifted tactics to evade detection and remain operational. Researchers are hopeful Kimwolf has already reached its maximum potential, yet the botnet’s operators could still exploit another proxy service and take over a new assortment of devices. 

Kimwolf hasn’t targeted critical infrastructure thus far, but it has the potential to cause severe damage if it were used for that purpose. Meanwhile, the malicious traffic the botnet controls isn’t harmless — DDoS attacks can spread beyond intended targets by causing downtime, congesting data and affecting unrelated services and operations.

In September, just as Kimwolf was forming, the Aisuru botnet achieved a record-breaking 29.7 terabits-per-second DDoS attack that lasted 69 seconds, according to Cloudflare.

“This is one of those really dangerous things that you see lying around that you just can’t leave lying around, and hope that nobody with really bad intentions decides to pick it up and use it,” English said. 

DDoS attacks aren’t the most captivating form of cybercrime, but they still work and they are growing exponentially in size, he added. “That’s the thing about defense in cybersecurity. You’ve got to let them know that somebody is going to try to stop them.”

The post Kimwolf botnet’s swift rise to 2M infected devices agitates security researchers appeared first on CyberScoop.
