This week’s cybersecurity and dark web news stories discuss Europol taking down SocksEscort, Iranian-backed hacktivists claiming attack on Stryker, and ShinyHunters claiming attack on BPO.
Operation Lightning: Global Takedown of Massive ‘SocksEscort’ Botnet
Law enforcement agencies from five countries have successfully taken down ‘SocksEscort’, a malicious proxy service that compromised over 369,000 devices worldwide. The coordinated strike, dubbed Operation Lightning, resulted in the seizure of 34 domains and 23 servers, effectively disconnecting a massive botnet used to facilitate ransomware and DDoS attacks.
The investigation, spearheaded by Europol’s Joint Cyberaction Task Force (J-CAT) since June 2025, revealed a sophisticated network of infected residential routers across 163 countries. Criminals used these “proxies” to mask their identities while engaging in illicit activities, including the distribution of child sexual abuse material (CSAM).
“This operation highlights the critical importance of international cooperation,” a Europol spokesperson stated. Alongside the physical takedowns, U.S. authorities froze approximately USD 3.5 million in cryptocurrency linked to the service.
The botnet grew by exploiting vulnerabilities in specific residential modem brands. Unsuspecting owners had their IP addresses rented out to cybercriminals who paid over EUR 5 million via anonymous payment platforms to use the infected hardware.
To prevent such exploits, cybersecurity experts urge all users to regularly update their device firmware and use strong, unique administrative passwords.
Key Achievements of Operation Lightning:
- 369,000+ routers and IoT devices identified as compromised.
- 34 malicious domains and 23 servers seized.
- $3.5 million in cryptocurrency frozen.
- Coordinated action across 7 countries involving Europol and Eurojust.
Stryker Hit by Iranian-Linked Wiper Attack
Medical technology leader Stryker is reeling from a massive cyberattack that has reportedly wiped data across more than 200,000 systems in 79 countries. The breach has forced thousands of employees home and triggered building emergencies at its U.S. headquarters.
The Iranian-linked hacktivist group Handala claimed responsibility for the “wiper” attack.
Security researchers at Palo Alto Networks have identified Handala as a persona for Void Manticore, an actor affiliated with Iran’s Ministry of Intelligence and Security.
Rather than deploying traditional wiper malware, the attackers allegedly gained control of Microsoft Intune, a cloud-based device management tool, and used it to issue a “remote wipe” command. This method effectively erased data from servers, PCs, and even personal mobile devices enrolled in the corporate network.
Handala stated the attack was retaliation for a Feb. 28 missile strike in Iran that killed 175 people, an incident the U.S. military is reportedly investigating. The group labeled Stryker a “Zionist-rooted” target, likely due to its previous acquisitions in Israel.
The immediate impact is severe: over 5,000 workers in Ireland were sent home today, and U.S. hospitals are already reporting difficulties ordering surgical supplies. Medical centers have begun disconnecting from Stryker’s LifeNet systems to prevent further spread, threatening critical emergency care communications.
Telus Digital Confirms Major Data Breach Following ShinyHunters Claims
Telus Digital, the global outsourcing arm of Canadian telecom giant Telus, has officially confirmed a cybersecurity incident. The confirmation follows claims by the notorious threat group ShinyHunters that they exfiltrated nearly one petabyte of sensitive corporate and customer data.
The company is currently investigating the scope of the unauthorized access. While Telus Digital remains fully operational, it has engaged forensics experts and law enforcement to manage the situation. Impacted customers are being notified as the investigation progresses.
The threat actors claim the breach originated from stolen Google Cloud Platform credentials. They reportedly used these to pivot through Telus systems, allegedly stealing:
- Customer support records and voice recordings.
- Internal Salesforce data and source code.
- FBI background checks and financial information.
ShinyHunters reportedly demanded a $65 million ransom in February, which Telus declined to pay.