On March 12, 2026, an international law enforcement operation codenamed "Operation Lightning" dismantled a criminal proxy service called SocksEscort. If you have never heard of SocksEscort, congratulations — you are normal. But your router might know it intimately.
SocksEscort turned 369,000 home and small business routers across 163 countries into a criminal botnet. Your grandma's Netgear. Your cousin's TP-Link. That old D-Link in the closet that nobody has updated since 2021. All quietly hijacked, all routing criminal traffic without their owners having a clue.
I spent Wednesday evening reading the FBI alert and the Europol press release, and honestly? This one hits different. Because unlike most cybersecurity stories where the target is a Fortune 500 company or a government agency, this one is about the router sitting three feet from where you are reading this article.
What SocksEscort Actually Did
The business model was simple and, in a morbid way, elegant. SocksEscort sold access to compromised residential routers as proxy services. Their customers — mostly other criminals — could route their internet traffic through your home network, making it appear as though they were browsing from your IP address.
Why would criminals want this? Because residential IP addresses are trusted. When a bank sees a login attempt from a known residential ISP in Wichita, Kansas, it does not raise the same red flags as traffic from a datacenter in Moldova. Your router was not just compromised — it was laundering traffic.
The Price List Will Make You Uncomfortable
SocksEscort's pricing page — which was apparently just sitting there on the open web like a normal SaaS product — offered packages starting at $15 per month for 30 proxies. Want 5,000 compromised home routers to route your criminal activity through? That will be $200 per month.
My colleague Tom saw the pricing and said: "That is literally cheaper than my Cloudflare plan. We are in the wrong business." (He was joking. I think.)
The service advertised "static residential IPs with unlimited bandwidth" and claimed they could bypass spam blocklists. Because of course they could — the traffic was coming from real homes.
Who Got Hurt
This was not a victimless operation. The DOJ filing mentions specific cases:
- A cryptocurrency exchange customer in New York was defrauded of $1 million in crypto, with the attacker's traffic routed through SocksEscort proxies
- A manufacturing business in Pennsylvania lost $700,000 to fraud
- Current and former U.S. service members with MILITARY STAR cards were defrauded out of $100,000
And according to Europol, the compromised devices were used to facilitate "ransomware, DDoS attacks, and the distribution of child sexual abuse material." That last one is worth pausing on. Someone's home router — maybe in your neighborhood, maybe on your street — was being used to distribute CSAM without the owner having any idea.
I talked to my neighbor Dave about this (he runs a small accounting firm from his home office). His first reaction was: "How would I even know?" His second reaction was: "Where is my router? I think it is behind the bookshelf."
That is the problem in a nutshell.
The Malware: AVrecon
The software powering SocksEscort is called AVrecon, a piece of Linux malware written in C that has been active since at least May 2021. Lumen's Black Lotus Labs first documented it publicly in July 2023, but the operation continued for nearly three more years before this takedown.
Here is what makes AVrecon particularly nasty:
It Targets Approximately 1,200 Device Models
The FBI's advisory lists affected manufacturers: Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel. That covers... well, basically every router you would find at Best Buy or Amazon. If you live in a house with internet, there is a non-zero chance one of these brands is handling your traffic right now.
It Rewrites Your Router's Firmware
AVrecon does not just sit in memory waiting for a reboot to clear it. It uses the device's own update mechanism to flash a custom firmware image containing the malware. The modified firmware hard-codes AVrecon to execute on every startup. And — this is the truly evil part — it disables the router's update and reflashing capabilities.
Once your router is infected, it is permanently infected. You cannot update your way out. You cannot factory reset your way out through the normal interface. The malware literally locks the door behind itself.
My friend Sandra — a network engineer who once described router security as "the IT equivalent of leaving your front door open in a city you have never visited" — called this the most concerning part. "Persistence through firmware modification is not new, but disabling the update mechanism is next-level hostile. The device is bricked in terms of recovery for most consumers."
The Scale Is Staggering
Black Lotus Labs estimates SocksEscort maintained approximately 20,000 active compromised devices per week, with traffic routed through about 15 command-and-control servers. The total since 2020: 369,000 distinct IP addresses across 163 countries. In February 2026 alone, nearly 8,000 routers were still actively infected, with 2,500 in the United States.
The Takedown
Operation Lightning brought together authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the United States. The results:
- 34 domains seized
- 23 servers taken down across 7 countries
- $3.5 million in cryptocurrency frozen
- The payment platform (which accepted anonymous crypto payments) shut down — estimated to have received over €5 million from proxy service customers
That is the good news. The bad news is that thousands of routers remain infected with firmware-level malware that cannot be easily removed.
How to Check If Your Router Was Compromised
I spent Thursday morning going through the FBI's advisory and Black Lotus Labs' analysis to compile a practical checklist. This is not exhaustive, but it covers the basics:
Step 1: Check Your Router Model
AVrecon primarily targets SOHO (small office/home office) routers. The highest-risk devices are older models from Cisco, D-Link, Hikvision, Mikrotik, Netgear, TP-Link, and Zyxel that have not received firmware updates in 12+ months. If your router is from any of these manufacturers and was purchased before 2024, pay extra attention.
Step 2: Check for Unusual Outbound Traffic
If you are somewhat technical, log into your router's admin panel (usually 192.168.1.1 or 192.168.0.1) and look at the connection log or active-connections table. Pay attention to connections whose source is the router itself rather than one of your laptops or phones: a proxy bot's traffic originates from the router, not from your devices. Infected routers will show persistent outbound connections from the router to unfamiliar IP addresses on unusual ports. AVrecon communicates with its C2 servers over non-standard ports.
If you see sustained outbound connections you cannot explain, that is a red flag. Where the remote address sits geographically is a weak signal on its own, since relay servers can be hosted anywhere, including in U.S. datacenters. The finding is that your router is holding a long-lived connection to a host you did not choose, not which country that host is in.
Step 3: Check Your Firmware Version
Log into your router's admin panel and check the current firmware version. Then go to the manufacturer's website and compare it to the latest available version. If your router reports a firmware version that does not match any version on the manufacturer's site, that is a serious warning sign — it may be running modified firmware.
If you try to update the firmware and the update function does not work, or if you try to factory reset and it does not respond normally, that is an even bigger red flag.
Step 4: Monitor Your Internet Speed and Usage
A router running as a proxy will consume bandwidth. If your internet has been noticeably slower — especially upload speeds — and your ISP says there are no issues on their end, a compromised router is one possible explanation.
Step 5: The Nuclear Option
If you suspect infection, the most reliable fix is to physically replace the router. I know that sounds extreme, but remember — AVrecon modifies firmware and disables reflashing. A normal factory reset may not clear it.
If you cannot replace the device immediately, some models can be recovered by forcing the bootloader's recovery mode and pushing a clean vendor image to it (on most consumer routers that means TFTP over a wired Ethernet cable from a PC; some require a serial console). Whether this works depends on whether the bootloader itself is still intact, which is why replacement is the safer call. The procedure is beyond most consumers' technical ability, but your local IT shop can help.
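The checks in Steps 2 and 3 as a small triage script. This is an added example, not code from the original article, the FBI advisory, or the Black Lotus Labs report. It assumes the router exposes a Linux nf_conntrack-style connection table (many consumer routers are Linux-based and show it on the active-connections page or over a telnet/SSH shell), that 203.0.113.5 and 192.168.1.1 are the router's own WAN and LAN addresses, and that the firmware version list is one you copied from the vendor's download page. Both conntrack snapshots are constructed, not captured from an infected device. It adds one point the text only implies: a single snapshot cannot show how long a connection has lasted (conntrack's timeout column is time remaining, not age), so "sustained" is defined as a router-originated flow to a non-standard port that appears in two snapshots taken a few minutes apart.

```python
"""Router triage: sustained router-originated connections and firmware-version sanity.

Added example, not the article's, the advisory's or the vendor's code. Assumes a Linux
nf_conntrack-style table and the placeholder router and LAN addresses below.
"""
import ipaddress
import re

ROUTER_ADDRS = {"203.0.113.5", "192.168.1.1"}    # assumed: the router's WAN and LAN addresses
EXPECTED_PORTS = {53, 80, 123, 443, 853}          # DNS, HTTP, NTP, HTTPS, DNS-over-TLS
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed snapshots taken a few minutes apart (documentation address ranges only).
# Only the flow to 198.51.100.77:8443, opened by the router itself, is present in both;
# the 9090 flows change between snapshots and the DNS flow is on an expected port.
SNAPSHOT_1 = """\
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.10 sport=51234 dport=443 src=198.51.100.10 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431980 ESTABLISHED src=203.0.113.5 dst=198.51.100.77 sport=40101 dport=8443 src=198.51.100.77 dst=203.0.113.5 sport=8443 dport=40101 [ASSURED] mark=0 use=1
ipv4 2 udp 17 29 src=203.0.113.5 dst=198.51.100.53 sport=45021 dport=53 src=198.51.100.53 dst=203.0.113.5 sport=53 dport=45021 mark=0 use=1
ipv4 2 tcp 6 117 TIME_WAIT src=203.0.113.5 dst=198.51.100.90 sport=39001 dport=9090 src=198.51.100.90 dst=203.0.113.5 sport=9090 dport=39001 [ASSURED] mark=0 use=1
"""
SNAPSHOT_2 = """\
ipv4 2 tcp 6 431990 ESTABLISHED src=192.168.1.20 dst=198.51.100.11 sport=51240 dport=443 src=198.51.100.11 dst=203.0.113.5 sport=443 dport=51240 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431985 ESTABLISHED src=203.0.113.5 dst=198.51.100.77 sport=40101 dport=8443 src=198.51.100.77 dst=203.0.113.5 sport=8443 dport=40101 [ASSURED] mark=0 use=1
ipv4 2 tcp 6 431970 ESTABLISHED src=203.0.113.5 dst=198.51.100.91 sport=39010 dport=9090 src=198.51.100.91 dst=203.0.113.5 sport=9090 dport=39010 [ASSURED] mark=0 use=1
"""

# Original-direction tuple only; the reply tuple after it is ignored. UDP lines have no state column.
LINE_RE = re.compile(
    r"^ipv[46]\s+\d+\s+(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Parse nf_conntrack lines into dicts, skipping anything that is not a flow line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        d["state"] = d["state"] or "-"
        flows.append(d)
    return flows


def is_remote(addr):
    """True for anything outside the LAN, loopback and link-local ranges."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_link_local or any(ip in net for net in LAN_NETS))


def router_originated_suspects(flows):
    """Flows the router itself opened to remote hosts on ports it has no routine reason to use."""
    return {
        (f["proto"], f["dst"], f["dport"])
        for f in flows
        if f["src"] in ROUTER_ADDRS
        and is_remote(f["dst"])
        and f["dport"] not in EXPECTED_PORTS
        and f["state"] in ("ESTABLISHED", "-")   # "-" is UDP, which has no state
    }


def persistent_suspects(snapshot_a, snapshot_b):
    """Suspect flows present in both snapshots: the only way a snapshot can show 'sustained'."""
    a = router_originated_suspects(parse_conntrack(snapshot_a))
    b = router_originated_suspects(parse_conntrack(snapshot_b))
    return sorted(a & b)


def version_key(s):
    """Numeric components of a version string, so 'V1.0.12' sorts above 'V1.0.9'."""
    return tuple(int(n) for n in re.findall(r"\d+", s))


def firmware_status(reported, published):
    """Compare the admin panel's firmware string with the list the vendor actually publishes.
    'unknown' means the string matches nothing the vendor ships: treat as possibly modified."""
    known = {p.strip().lower() for p in published}
    if reported.strip().lower() not in known:
        return "unknown"
    latest = max(published, key=version_key)
    return "current" if version_key(reported) == version_key(latest) else "outdated"


if __name__ == "__main__":
    for proto, dst, port in persistent_suspects(SNAPSHOT_1, SNAPSHOT_2):
        print(f"sustained router-originated connection on a non-standard port: {proto} -> {dst}:{port}")
    vendor_versions = ["V1.0.9", "V1.0.10", "V1.0.12"]   # assumed list copied from the vendor site
    print("firmware:", firmware_status("V1.0.12", vendor_versions))
```

Paste your router's connection table into the two snapshot strings a few minutes apart and replace the placeholder addresses with your own. A flow that survives both snapshots is not proof of infection (a VPN client or cloud-management agent on the router will look the same), but it is exactly the thing to explain before you decide the router is clean.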
Prevention: What to Do Going Forward
Replace Old Routers
Seriously. If your router is more than 4-5 years old and from one of the affected manufacturers, consider replacing it. I know it feels wasteful. Think of it as replacing a lock that is known to be pickable. A new Wi-Fi 6 or 6E router from a reputable brand with automatic updates will run you $80-150 — a fraction of the potential cost if your network is used for fraud.
Enable Automatic Firmware Updates
Most modern routers offer automatic firmware updates. Enable them. Yes, there is a small risk of a bad update causing a temporary outage. That risk is far smaller than the risk of running unpatched firmware that criminals have been exploiting since 2021.
Change Default Credentials
If your router's admin password is still "admin" or "password" or the one printed on the sticker on the bottom of the device — change it now. Like, right now. I will wait.
My neighbor Dave came back to me an hour after our conversation. "I found the router. The admin password was 'admin'. I have had this thing for six years." He looked genuinely shaken.
Disable Remote Management
Most home users do not need to access their router from outside their network. If remote management is enabled (check; some models ship with it on), turn it off. An admin interface reachable from the internet is exactly the kind of exposure that router malware relies on, and closing it removes one door regardless of which specific flaw a given campaign uses.
The Uncomfortable Truth
Operation Lightning was a significant success. International cooperation, domains seized, servers taken down, millions in crypto frozen. The DOJ and Europol deserve credit.
But the infrastructure that made SocksEscort possible — millions of unpatched, unmonitored home routers running outdated firmware with default passwords — has not changed. The next SocksEscort is probably already being built. The FBI's advisory explicitly warns that the threat actors' techniques can be replicated by other groups.
We have spent twenty years making smart homes and connecting everything to the internet. We have spent approximately zero years teaching people to secure the device that connects everything to the internet.
Your router is the front door of your digital life. And right now, for most people, it is unlocked, unmonitored, and running software from 2019. Do something about that this weekend. Seriously. Go check.