The Hague, 12 March 2026 — Authorities from eight countries have dismantled a large-scale online service allegedly used by cybercriminals to conceal their identities and conduct illegal activities worldwide. The investigation, coordinated by Eurojust and supported by Europol, targeted a website offering IP proxy services that allowed users to mask their real locations by routing their internet traffic through compromised devices across the globe.
The proxy service allegedly enabled customers to hide their true IP addresses by providing access to IP connections belonging to unsuspecting individuals and organisations. These connections were obtained by infecting internet modems with malware, allowing cybercriminals to reroute their online activity through legitimate networks without the knowledge of the device owners.
Investigators estimate that approximately 369,000 routers and other devices in 163 countries were compromised through the malware. The service reportedly attracted a customer base of around 124,000 users, highlighting the scale and global reach of the operation.
Access to the proxy network required payment through a dedicated platform designed to facilitate anonymous transactions using cryptocurrency. Authorities estimate that the platform processed more than €5 million in payments from users purchasing access to the service.
The international investigation revealed that servers used to distribute the malware were located in France, Germany, Hungary, the Netherlands, Romania, and the United States. To dismantle the infrastructure, Eurojust coordinated judicial cooperation and ensured that European Investigation Orders were prepared in advance and executed simultaneously on the designated action day.
Judicial authorities from France, Austria, the Netherlands, and the United States held several coordination meetings in The Hague to exchange intelligence and develop a joint operational strategy. Additional judicial requests were transmitted through Eurojust to authorities in Bulgaria, Germany, Hungary, and Romania in preparation for the coordinated enforcement action.
Operational support was provided by Europol, which assisted investigators with cryptocurrency tracing, malware and network analysis, and database cross-checks. On the day of the operation, Europol hosted a Virtual Command Post at its headquarters in The Hague to facilitate real-time coordination among participating authorities.
During the coordinated operation carried out on 11 March, law enforcement agencies successfully targeted the infrastructure running the proxy network. Authorities took down 24 servers across seven countries and seized 34 domains linked to the service. The infected modems used to facilitate the proxy network were also disconnected.
In addition, U.S. authorities froze approximately €3.5 million in cryptocurrency connected to the operation.
The enforcement actions involved a wide range of judicial and law enforcement agencies, including authorities from Austria, Bulgaria, France, Germany, Hungary, the Netherlands, Romania, and the United States, demonstrating the growing importance of international cooperation in combating cybercrime.
The operation represents a significant step in disrupting criminal infrastructure that enables cybercriminal activities worldwide and highlights the critical role of coordinated global action against increasingly sophisticated digital threats.
