US disrupts SocksEscort proxy network powered by Linux malware

U.S. and European law enforcement, assisted by private partners including Lumen’s Black Lotus Labs, disrupted the SocksEscort proxy network that routed traffic through edge devices compromised by the AVRecon Linux malware, which had averaged about 20,000 infected devices weekly and advertised “clean” ISP IPs. Authorities seized domains and servers, froze $3.5 million in cryptocurrency, disconnected infected devices, and warned that AVRecon and related threats like KadNap continue to target SOHO and ASUS routers. #AVRecon #SocksEscort

Key points

  • Law enforcement and private partners dismantled the SocksEscort proxy service built on AVRecon-infected edge devices.
  • SocksEscort advertised access to “clean” IPs from major ISPs such as Comcast, Spectrum, Verizon, and Charter.
  • The DOJ links the service to thefts and frauds causing millions in losses, including a cryptocurrency theft and MILITARY STAR card fraud.
  • Europol and U.S. agencies seized domains and servers, froze $3.5 million in crypto, and disconnected the network’s infected devices.
  • Researchers say AVRecon infected tens of thousands of Linux SOHO routers and warn of ongoing threats like KadNap; recommended defenses include updating firmware, replacing EOL routers, changing default passwords, and disabling unnecessary remote access.

Read More: https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-proxy-network-powered-by-linux-malware/