Massive Crackdown on Hackers: Police Dismantle SocksEscort Network and Freeze Millions in Cryptocurrency

American and European law enforcement agencies announced a sweeping operation against cyber infrastructure that enabled hackers to conceal their identities during online fraud. Authorities reported on Thursday that they had disrupted the SocksEscort service, which investigators say was used in financial fraud including the takeover of cryptocurrency accounts.

The operation targeted an extensive network of devices worldwide. Investigators simultaneously seized dozens of domains, took servers offline in several countries, and froze millions of dollars in cryptocurrency connected to the operation.

Network infected hundreds of thousands of devices

According to the U.S. Department of Justice (DOJ), the SocksEscort platform functioned as a proxy service that allowed criminals to mask their real internet address. This enabled them to conduct fraudulent operations while making it difficult to trace their actual identity.

Investigators report that the service compromised at least 369,000 routers and other internet-connected devices in 163 countries. The infected devices were subsequently used as intermediaries through which attackers routed their communications and concealed their real IP addresses.

Such infrastructure is commonly used in cybercriminal activities, for example in phishing attacks, bank fraud, or takeovers of accounts on cryptocurrency exchanges.

Criminals paid anonymously with cryptocurrency

According to Europol, the service had operated since at least 2020, and its operators generated millions in revenue from it. Customers purchased access to the proxy network through a payment platform that allowed anonymous payments in cryptocurrency.

Investigators estimate that the service operators received at least five million euros from users, approximately $5.7 million. Cryptocurrency in this case served as a medium that enabled relatively anonymous financing of the entire operation.

Police seized domains and cryptocurrency

The international investigation led to significant disruption of the entire network's infrastructure. Authorities reported that they managed to seize 34 internet domains and disrupt approximately two dozen servers in seven countries. Simultaneously, they froze approximately $3.5 million in cryptocurrency connected to the operation.

Investigators also note that the service was used in a wide range of financial fraud. In one case cited by American prosecutors, a victim from New York lost approximately one million dollars in cryptocurrency.

AVrecon malware helped build the infrastructure

According to The Hacker News, the SocksEscort infrastructure was built on malware known as AVrecon. It enabled attackers to compromise internet devices and incorporate them into an extensive proxy network.

The functioning of this malware was previously described by the security team Black Lotus Labs from Lumen Technologies, which published its details in July 2023. Black Lotus Labs provided investigators with important technical information that helped identify the infrastructure.

The investigation also involved the non-profit organization Shadowserver Foundation, which provided additional technical analysis and intelligence information.

Cybercrime and cryptocurrency

According to security experts, the SocksEscort case demonstrates a broader trend of recent years. Cybercriminal activity is increasingly connected to the cryptocurrency ecosystem, which can serve as a tool for financing illegal activities through digital transactions.

Europol Executive Director Catherine De Bolle warned in this regard that proxy services of this type provide criminals with “digital cover” that enables them to launch attacks, distribute illegal content, or evade detection.

At the same time, blockchain transparency often allows investigators to track the flow of funds. In this case too, it was possible to identify and freeze part of the cryptocurrency connected to the operation.

Šimon Hauser
Šimon Hauser is a Czech financial journalist, specializing in cryptocurrencies, fintech and global capital markets, among other things. With deep insight into the digital economy and investment strategies, he helps readers understand the transformation of the financial sector. His analyses regularly connect technological innovations with the real-world impact on modern investing.