To stop crims, Google starts dismantling residential proxy network they use to hide

Crims love to make it look like their traffic is actually coming from legit homes and businesses, and they do so by using residential proxy networks. Now, Google says it has "significantly degraded" what it believes is one of the world's largest residential proxy networks.

Google's Threat Intelligence Group (GTIG) describes IPIDEA as a "little-known component of the digital ecosystem" and says that in a seven-day period in January 2026, it observed more than 550 threat groups using IPIDEA exit nodes.

GTIG said that proxy network operators sometimes pay app developers to embed proxy SDKs so that any device that downloads the app is enrolled in the network. IPIDEA is also known to distribute proxy software and SDKs that enroll devices in its network, sometimes marketed as a way for users to "monetize" spare bandwidth.

The Googlers said that not only do these networks allow bad actors to conceal their malicious traffic, but users who enroll their devices are opening themselves up to further attacks, as their device may be used as a launchpad to compromise their other devices.

Researchers say the disruption reduced IPIDEA's available pool of devices by millions, spanning smartphones, Windows PCs, and other consumer hardware, with residential IPs in the US, Canada, and Europe seen as the most desirable. They also discovered that IPIDEA operators were directly controlling some of the SDKs found in the apps enrolling people's devices into the network.

Residential proxies are not illegal. Proxy operators frequently pitch them as tools for privacy or freedom of expression, although security researchers say they are overwhelmingly abused by threat actors. IPIDEA not only benefited cybercriminals seeking anonymity, but in several cases also enrolled the same devices it recruited to its proxy network into large botnets, including BadBox 2.0, Aisuru, and Kimwolf.
GTIG worked with industry partners to disrupt the IPIDEA network, including Spur and Lumen's Black Lotus Labs, to better understand its scale, and Cloudflare to disrupt IPIDEA's domain resolution. The security experts' work stops short of a claim of a full takedown: GTIG says its actions reduced IPIDEA's available pool of devices by millions and are intended to have downstream effects on affiliated operators and resellers.

"Residential proxy networks have become a pervasive tool for everything from high-end espionage to massive criminal schemes," said John Hultquist, chief analyst at GTIG. "By routing traffic through a person's home internet connection, attackers can hide in plain sight while infiltrating corporate environments.

"By taking down the infrastructure used to run the IPIDEA network, we have effectively pulled the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices." ®