Europol Freezes $3.5M in Crypto as Global Crackdown Dismantles Massive Proxy Botnet

Key Takeaways:

• Europol and other law enforcement agencies tore up the SocksEscort proxy network that had spread to over 369,000 routers and IoT devices across the world.
• Authorities confiscated 34 domains, 23 servers and also froze $3.5 million worth of cryptocurrency associated with the operation.
• The malicious service sold proxy access paid with crypto, generating more than €5 million from customers.

European and U.S. authorities have taken down a large cybercrime infrastructure that relied on infected home routers and IoT devices. This coordinated bust hunted down a proxy service much relied upon by a large number of crooks to conceal their footprints during the pulling off of Internet attacks.

It demonstrates the increasing connection between crypto payments and decentralized technology and international cybersecurity investigations.

International Operation Targets SocksEscort Network

Law enforcement agencies across Europe and the United States implemented a coordinated campaign named Operation Lightning March 11th 2026. This campaign focuses on dismantling the proxy platform called SocksEscort. According to the investigators, it exploited vulnerabilities in household routers.

Competent authorities identified that this network has accessed more than 369,000 devices in 163 countries. These infected routers and IoT devices have been utilized to provide anonymous proxy connections for paying customers.

During the action, investigators seized 34 domain names and 23 servers located in seven countries. At the same time, U.S. authorities froze approximately $3.5 million in cryptocurrency connected to the service.

Officials also disconnected infected modems from the network, effectively shutting down access to the proxy system used by criminal customers.

Read More: Coinbase Launches Regulated Crypto Futures in 26 European Markets With 10x Leverage

Malware-Infected Routers Powered Global Botnet

The investigation was initiated in June 2025 by the Joint Cyberaction Task Force (J-CAT) of Europol. Analysts discovered a massive botnet constructed of compromised devices, the majority of them being only home routers.

Vulnerabilities Allowed Large-Scale Exploitation

The bad actors found a vulnerability of a particular modem brand, which was learnt by the investigators. Malware installed on those devices quietly turned them into nodes of a global proxy network.

Once infected, the routers allowed criminals to route internet traffic through unsuspecting users’ IP addresses. Device owners typically had no idea their internet connection was being used for illegal activity.

The proxy network enabled a range of crimes, including ransomware operations, distributed denial-of-service attacks, and the spread of illegal content.

Customers paid for licenses to access the proxy infrastructure. Payments were made through a platform that allowed anonymous transactions using cryptocurrency.

The authorities indicate that the payment system based on that proxy also collected more than €5 million crypto, which had been sent by the users.

Read More: MiCA Reality: EU Countries Set to Lead CASP Licensing in the New Era

Europol Coordinates Intelligence and Crypto Tracking

The lead player was Europol who led the investigation. They assisted in matching partnering agencies in terms of intel sharing, malware inspection, traffic sniffing, and crypto tracing. During the day of action, the action was supported by a Virtual Command Post on the HQ of EuropaL in Hague to ensure the smooth flow of chatter between the involved countries was maintained.

Participating authorities included law enforcement bodies from Austria, France, the Netherlands, Germany, Hungary, Romania, and the United States, among others. U.S. agencies involved in the case included the Department of Justice, the FBI, and IRS Criminal Investigation.

The post Europol Freezes $3.5M in Crypto as Global Crackdown Dismantles Massive Proxy Botnet appeared first on CryptoNinjas.