From time to time, you might be using an application and come across an action or item that looks new. Usually, you would think to yourself, “Hey! This is cool! This must be a new feature.” Then reality sets in: it’s either a bug or, thanks to modern technology, malware.
Since “vibe coding” has become the latest trend for us nerds, the bad guys are following suit. Their current attack surfaces are open-source software and the “vibe coding” movement. As they say, great power comes with great consequences if you don’t keep up with the latest tech news or know how to check your work.
The Rise of SocksEscort
Let me introduce you to SocksEscort. According to the Department of Justice, since the summer of 2020, SocksEscort has offered to sell access to approximately 369,000 different IP addresses. As of February 2026, the application listed roughly 8,000 infected routers available for customer access—2,500 of which were located in the United States.
You may be thinking, “What’s the big deal if someone else uses my internet connection?” There are many reasons to worry, but the primary one is that attackers use your network to hide their identity while performing malicious acts.
Bypassing the Firewall
Traditionally, firewalls block IP addresses that abuse a connection. For a long time, cybercriminals were limited to using a handful of trusted connections. SocksEscort changed the game by creating a proxy network that runs on consumer hardware, using residential internet connections and IP addresses to launch attacks.
This global operation required an international response. Investigators and prosecutors from several jurisdictions provided assistance, including:
- Austria: Vienna Public Prosecutors Office and Criminal Intelligence Service (C4)
- Bulgaria: District Public Prosecution Office Plovdiv and the Cybercrime Directorate
- France: Public Prosecution Office Paris J3 Anti-Cybercrime unit and Judicial Police (OFAC)
- Germany: Düsseldorf Police Headquarters and ZAC NRW
- Hungary: National Bureau of Investigation Cybercrime Department
- Netherlands: Public Prosecutors Office and Police (Limburg)
- Romania: Directorate for Investigating Organized Crime and Terrorism (DIICOT)
Notice how the group operated from outside the United States, yet the traffic originated from within? This renders “Geo-blocking”—a common defense that blocks IPs based on location—completely ineffective. Now that “the call is coming from inside the house,” firewalls are forced to block legitimate residential IP addresses, disrupting service for innocent users.
Security as an Afterthought
The fundamental problem is that the internet was never built to be secure. The threat level was nonexistent at that time, and its creators didn’t anticipate people using it for “dirty, nasty things,” so security was rarely the first priority. They also wanted to make it easy to join the internet. The “Fathers of the internet” wanted this to work and wanted people to connect to make the internet that we know today.
Today, we know about security; however, we see the same thing in the AI world: we “move fast and break things,” fixing them later. That might work for profit, but it fails the end user.
The “Legitimate” Threat: Bright Data
As noted by Steve Gibson on the Security Now podcast, Smart TVs are facing a similar, albeit more “legitimate,” issue. Bright Data sold an SDK to vendors—with interest from Samsung and WebOS—that allows them to use a customer’s internet connection to scrape and crawl the web.
While we all claim to read the Terms of Service (ToS), most of us just scroll to the bottom and click “Agree.” Looking at the old Terms of Service for Bright Data via the Wayback Machine, the language is intentionally brief:

By using our apps you allow BrightData to occasionally access websites through your device. BrightData will:
- ONLY access public internet web pages
- NOT slow down your device or Internet
- NEVER access personal information, except IP address
Let’s break that down:
- “ONLY access public internet web pages”: They won’t scan your internal network for private servers. Good to know.
- “NOT slow down your internet”: Since most of us are on broadband, it takes a massive amount of traffic to notice a dip. Your ISP says you can do everything at once, so why not run a proxy server for Bright Data?
- “NEVER access personal information, except IP address”: This is a contradiction. An IP address is personal information, as your ISP records exactly which IP is assigned to your device at any given time.
The terms of service essentially boiled down to this: “Since you’d rather not pay for the streaming services you’re watching, we’re going to use your internet connection instead. Don’t worry, we won’t touch your internal network or private files. We’re just going to hitch a ride on your IP address to scrape data and run other background tasks, making it look like it’s all coming from you.”
Go ahead—click “Agree.”