Google and its partners launched a major operation this week to shut down what security experts consider one of the world’s largest residential proxy networks: IPIDEA.
The proxy service operates by routing internet traffic through millions of everyday consumer devices scattered across the globe, allowing attackers to hide their activities behind ordinary IP addresses.
This infrastructure has become a critical tool for criminals and nation-state groups seeking to mask their digital footprints while conducting cyberattacks, espionage campaigns, and data theft operations.
The IPIDEA network represents a significant threat because it sells access to a massive pool of compromised residential IP addresses—devices from the United States, Canada, and Europe being particularly valuable.
Attackers use these addresses to make their malicious actions appear to come from normal internet users rather than themselves, making detection and blocking far more difficult for network defenders and security teams.
.webp "Google Disrupted World’s Largest IPIDEA Residential Proxy Network 2")
Google Cloud analysts and researchers noted that IPIDEA operates through software development kits, known as SDKs, which developers unknowingly embed into legitimate-looking applications.
When users download games, utilities, or other apps containing these hidden SDKs, their devices become part of the proxy network without their knowledge or clear consent.
The company uses multiple brand names—including 360 Proxy, Luna Proxy, and others—to disguise the fact that all these services are controlled by the same group of operators.
Infection mechanism
The infection mechanism relies on deception rather than complex malware exploits. IPIDEA SDKs remain dormant inside regular applications until activated, silently converting user devices into proxy exit nodes.
Once embedded, these SDKs establish two-tier command-and-control communication systems: first connecting to control servers to receive instructions, then maintaining persistent connections to proxy distribution servers.
This architecture allows attackers to route their malicious traffic through infected devices automatically.
.webp "Google Disrupted World’s Largest IPIDEA Residential Proxy Network 4")
Google’s investigation revealed that during just one seven-day period in January 2026, over 550 tracked threat groups used IPIDEA exit nodes for various attacks, including access to business systems and password spray operations targeting corporate infrastructure.
Google’s enforcement actions targeted the control infrastructure, legal domains used for marketing, and worked with platform partners including Cloudflare.
The company integrated protections into Google Play services, ensuring that Android devices automatically detect and remove applications containing IPIDEA code.
These coordinated efforts have significantly reduced the network’s operational capacity by eliminating millions of available device nodes, though security experts warn that similar proxy networks continue expanding globally.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
