Google Takes Down IPIDEA: Residential Proxy Network Turned Global Cybercrime Infrastructure

CyberSecureFox 🦊

Google’s Threat Intelligence Group (GTIG), working with multiple industry partners, has disrupted IPIDEA, one of the world’s largest residential proxy services. The operation disabled key command-and-control domains, disrupted traffic routing through infected devices, and exposed the malicious SDKs used to silently conscript user devices into a vast proxy botnet.

Residential proxy networks: from legitimate tool to cybercrime enabler

Residential proxy services are marketed as a legitimate technology: companies rent access to the IP addresses of real home and small-business users to test websites, bypass regional restrictions, or verify online ad placements. Because this traffic appears to come from ordinary households, it is often trusted more than data center traffic.

This same property makes residential proxies extremely attractive to attackers. When malicious activity originates from a regular-looking home IP, defenders have a much harder time distinguishing it from legitimate user traffic without causing collateral damage by blocking entire networks.

In the case of IPIDEA, most device owners had no idea their phones, PCs, or routers had been turned into proxy nodes. Through these hijacked IPs, threat actors conducted account takeover attempts, created fake identities, and exfiltrated passwords and sensitive data, while corporate security teams saw only “normal” user IPs in their logs.

IPIDEA as a marketplace for compromised residential devices

IPIDEA advertised itself as a “leading global provider of residential proxies,” claiming access to over 60 million residential IPs, more than 6 million active IPs per day, and roughly 69,000 new IPs daily. According to Google, in practice this was a commercial marketplace for access to compromised home and office devices, turned into proxy endpoints without informed consent.

Within just one week of analysis, researchers linked IPIDEA’s infrastructure to activity from more than 550 distinct threat groups, including actors operating from China, Iran, Russia, and North Korea. The service was used for large-scale password spraying attacks against corporate accounts, hiding botnet infrastructure, and enabling unauthorized access to SaaS platforms and organizations worldwide.

Two-tier proxy architecture and a network of thousands of servers

GTIG’s report describes IPIDEA’s two-layer command architecture. The first layer managed configuration, synchronization, and the proxy node inventory. The second layer consisted of roughly 7,400 servers that distributed tasks and relayed traffic through infected user devices, effectively forming a global proxy mesh.

On top of IPIDEA itself, the operators controlled at least 19 additional proxy brands that appeared to be independent, legitimate services. In reality, these brands monetized access to devices infected with the BadBox 2.0 malware family and fed into the same centralized infrastructure. All were operated by a still-unidentified group using complex ownership structures and reseller chains.

Malicious Android and Windows SDKs powering the proxy botnet

Google’s investigation found that IPIDEA expanded its residential proxy network via at least 600 malicious Android applications embedding proxy SDKs such as Packet SDK, Castar SDK, Hex SDK, and Earn SDK. Many of these apps posed as VPNs or “performance-boosting” utilities but secretly enrolled devices into the proxy network without clear disclosure.

On Windows, the operators deployed more than 3,000 malicious binaries, often masquerading as legitimate processes like OneDriveSync or Windows Update. This allowed the malware to blend into normal system activity and evade detection by traditional antivirus and endpoint monitoring tools for extended periods.

Some apps explicitly encouraged users to “monetize unused bandwidth,” offering small payouts in exchange for installing the software. Others, including free VPNs such as Galleon VPN, Radish VPN, and Aman VPN, delivered working VPN functionality while silently turning devices into exit nodes for IPIDEA’s proxy network.

From brute-force attacks to DDoS: how IPIDEA was abused

Previous research by Cisco Talos linked IPIDEA to extensive brute-force attacks against VPN and SSH services, highlighting how residential proxy networks can be weaponized to mask distributed authentication attacks. IPIDEA’s infrastructure also appeared in the operations of major DDoS botnets such as Aisuru and Kimwolf.

According to Synthient, botnet operators exploited weaknesses in residential proxy services to route command-and-control traffic to IoT devices behind firewalls on the same local networks, helping them spread malware and maintain persistence. For defenders, this model is particularly difficult: malicious requests originate from thousands of seemingly “clean” residential IPs worldwide, each contributing only a handful of requests, so per-IP thresholds never fire and mass blocking risks impacting legitimate users and customers.
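The password spraying described above is the concrete failure mode: each residential IP submits one or two guesses, so a per-IP lockout never triggers, while the only visible signal is the aggregate. The following detector is an added example written for this article; it is not Google's or IPIDEA's code and not from the GTIG report. The log line format (`ts auth=ok|fail user= src=`), the sample lines, and the thresholds are all constructed assumptions. The point it shows: a classic per-IP lockout rule locks out the one legitimate user who mistyped her password three times and misses the spray entirely, whereas a sliding-window aggregate over distinct accounts and distinct sources catches it, even with that noisy legitimate user sitting inside the same window.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): ten accounts each receive exactly one
# failed login from a different "residential" source within three minutes,
# while a genuine user (carol) mistypes her password three times from one IP
# and then succeeds. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-01-10T07:58:30Z auth=fail user=carol src=192.0.2.7
2025-01-10T07:59:05Z auth=fail user=carol src=192.0.2.7
2025-01-10T07:59:40Z auth=fail user=carol src=192.0.2.7
2025-01-10T08:00:01Z auth=fail user=alice src=203.0.113.10
2025-01-10T08:00:14Z auth=fail user=bob src=198.51.100.24
2025-01-10T08:00:20Z auth=ok user=carol src=192.0.2.7
2025-01-10T08:00:33Z auth=fail user=dave src=203.0.113.77
2025-01-10T08:00:52Z auth=fail user=erin src=198.51.100.8
2025-01-10T08:01:10Z auth=fail user=frank src=203.0.113.201
2025-01-10T08:01:29Z auth=fail user=grace src=198.51.100.133
2025-01-10T08:01:47Z auth=fail user=heidi src=203.0.113.45
2025-01-10T08:02:05Z auth=fail user=ivan src=198.51.100.61
2025-01-10T08:02:31Z auth=fail user=judy src=203.0.113.150
2025-01-10T08:02:50Z auth=fail user=mallory src=198.51.100.199
"""

# Assumed line format; adapt the regex to your IdP's actual log schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def per_ip_lockouts(events, threshold=3):
    """What a classic per-source lockout rule would block: sources with at
    least `threshold` failures. Against a distributed spray this only ever
    hits the legitimate user who fat-fingered a password."""
    fails = Counter(e["src"] for e in events if e["result"] == "fail")
    return {src for src, n in fails.items() if n >= threshold}


def detect_spray(events, window_minutes=10, min_users=8, min_sources=8,
                 max_per_source=2, min_distributed_share=0.8):
    """Sliding-window aggregate detector.

    A window is flagged when many distinct accounts fail from many distinct
    sources AND most of those sources contribute only a few failures each,
    the signature of a spray routed through a residential proxy pool. The
    share-based test means one noisy legitimate source in the same window
    does not mask the spray. Consecutive triggering windows are merged into
    one alert that lists only the low-volume (spray) sources and the
    accounts they touched.
    """
    fails = sorted((e for e in events if e["result"] == "fail"), key=lambda e: e["ts"])
    window = timedelta(minutes=window_minutes)
    alerts, current, start = [], None, 0
    for end in range(len(fails)):
        while fails[end]["ts"] - fails[start]["ts"] > window:
            start += 1
        chunk = fails[start:end + 1]
        by_src = Counter(e["src"] for e in chunk)
        low_volume = {s for s, n in by_src.items() if n <= max_per_source}
        users = {e["user"] for e in chunk}
        share = len(low_volume) / len(by_src)
        triggered = (len(users) >= min_users and len(by_src) >= min_sources
                     and share >= min_distributed_share)
        if triggered:
            spray_users = {e["user"] for e in chunk if e["src"] in low_volume}
            if current is None:
                current = {"first": chunk[0]["ts"], "last": chunk[-1]["ts"],
                           "spray_sources": set(low_volume),
                           "targeted_users": set(spray_users)}
            else:
                current["last"] = chunk[-1]["ts"]
                current["spray_sources"] |= low_volume
                current["targeted_users"] |= spray_users
        elif current is not None:
            alerts.append(current)
            current = None
    if current is not None:
        alerts.append(current)
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP lockout would block:", per_ip_lockouts(evs))
    for a in detect_spray(evs):
        print(f"spray {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}: "
              f"{len(a['spray_sources'])} sources -> {sorted(a['targeted_users'])}")
```

The thresholds are deliberately generous for the sample; in production they are tuned against the tenant's baseline of distinct-account failures per window, and the alert's `targeted_users` set is what feeds a forced-MFA or password-reset response, since blocking the `spray_sources` is pointless when the operator has 60 million more.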

Google’s response and evolving defenses against proxy abuse

As part of the takedown, GTIG and its partners blocked key management and routing domains associated with IPIDEA, substantially degrading the reliability of its residential proxy network. On Android, Google Play Protect now automatically detects and blocks applications using the identified IPIDEA-linked SDKs on updated, certified devices.

Google notes that oversight of such services is complicated by obscured ownership structures, reseller layers, and many loosely branded apps that appear unrelated on the surface. Representatives of the China-based company behind IPIDEA told The Wall Street Journal they had used “aggressive expansion strategies” and had promoted their services on hacker forums, while simultaneously claiming to “categorically oppose illegal activity.”

The IPIDEA case illustrates how easily nominally legitimate technologies such as residential proxies can become the backbone of cybercriminal ecosystems. Users should treat “free VPNs” and bandwidth-monetization apps with caution, install software only from trusted sources, and regularly review installed applications and unusual network activity. Organizations should monitor outbound traffic for hosts that behave like proxy exit nodes, deploy anomaly-detection tools, treat source IP reputation as a weak signal rather than a gate, and explicitly account for residential proxy networks in their threat models. Strengthening visibility and control over devices and applications remains one of the most effective ways to prevent them from being silently turned into nodes in global anonymizing and attack infrastructures.
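On the outbound side, a device enrolled as a proxy exit node has a tell that is independent of process names like “OneDriveSync”: it opens connections to far more distinct, unrelated external hosts than its peers. The following is an added example of that egress check, written for this article and not taken from Google, IPIDEA, or any vendor. The flow records are constructed, the internal address ranges are assumed to be RFC 1918, and the outlier rule is a modified z-score over a median/MAD baseline, chosen because a mean-based baseline would be inflated by the very host being hunted.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Assumed definition of "internal": RFC 1918 ranges. Flows to these are
# ignored, since only external fan-out matters for a proxy-node pattern.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_sample_flows():
    """Constructed egress flow records (src_host, dst_ip, dst_port); not real
    telemetry. Six workstations talk to a shared handful of external SaaS
    addresses plus internal servers; ws-07 fans out to 60 unrelated hosts."""
    flows = []
    saas = [f"198.51.100.{i}" for i in range(1, 13)]
    for n, count in enumerate([6, 7, 8, 8, 9, 10], start=1):
        host = f"ws-{n:02d}"
        for dst in saas[:count]:
            flows.append((host, dst, 443))
        flows.append((host, "10.0.0.5", 445))   # internal file server
        flows.append((host, "10.0.0.53", 53))   # internal resolver
    for i in range(20):
        for prefix in ("192.0.2", "203.0.113", "198.51.100"):
            flows.append(("ws-07", f"{prefix}.{100 + i}", 443 if i % 2 else 80))
    return flows


def external_fanout(flows):
    """Distinct external destination IPs per source host."""
    dests = defaultdict(set)
    for host, dst, _port in flows:
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in INTERNAL):
            continue
        dests[host].add(dst)
    return {h: len(d) for h, d in dests.items()}


def flag_outliers(fanout, threshold=3.5):
    """Modified z-score (0.6745 * (x - median) / MAD) across peer hosts.
    Returns {host: score} for hosts above the threshold. If MAD is zero
    (all peers identical) fall back to flagging anything over 3x the median."""
    values = list(fanout.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    flagged = {}
    for host, v in fanout.items():
        if mad == 0:
            if v > 3 * med:
                flagged[host] = float("inf")
            continue
        z = 0.6745 * (v - med) / mad
        if z > threshold:
            flagged[host] = round(z, 1)
    return flagged


if __name__ == "__main__":
    fan = external_fanout(build_sample_flows())
    print("distinct external destinations per host:", fan)
    print("outliers:", flag_outliers(fan))
```

A flagged host is a lead, not a verdict: the follow-up is to look at which process owns those sockets and whether it is the impostor binary described above, and at whether a single long-lived connection to one relay sits alongside the short-lived fan-out.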
