Google has disrupted what its researchers believe is one of the world’s largest residential proxy networks: the IPIDEA proxy operation. The action targeted a little-known but deeply embedded component of the online ecosystem that has been quietly enabling large-scale cybercrime, espionage, and botnet activity.
According to Google Threat Intelligence Group (GTIG), the IPIDEA proxy network operates as a foundational service used by a wide range of threat actors. Unlike conventional proxy services, residential proxy networks route internet traffic through IP addresses assigned by internet service providers to real households and small businesses.
The disruption campaign focused on three primary areas. First, Google pursued legal action to dismantle domains used to command infected devices and route proxy traffic. Second, GTIG shared detailed technical intelligence on IPIDEA SDKs and associated proxy software with platform providers, law enforcement agencies, and security research firms.
These SDKs, available for Android, Windows, iOS, and WebOS, were found to covertly enroll user devices into the IPIDEA proxy network. Finally, Google strengthened protections for Android users by ensuring Google Play Protect automatically warns users, removes applications containing IPIDEA SDKs, and blocks future installation attempts.
How IPIDEA Proxy Enables Abuse
Residential proxy networks depend on scale. Operators must control millions of residential IP addresses, particularly in regions such as the United States, Canada, and Europe, to maintain a commercially viable service. Devices are recruited through preloaded proxy software, trojanized applications containing embedded SDKs, or software that promises users compensation for “monetizing” unused bandwidth.
Once enrolled, a device becomes an exit node, allowing customers of the proxy service to route traffic through that user’s IP address. While providers often market residential proxies as tools for privacy or free expression, GTIG’s analysis found that misuse is widespread. The IPIDEA proxy infrastructure has been repeatedly linked to major botnets, including the BadBox2.0 botnet, as well as the Aisuru and Kimwolf botnets. In these cases, IPIDEA SDKs facilitated device enrollment, while the proxy software enabled command-and-control operations.
In just seven days in January 2026, GTIG observed more than 550 tracked threat groups using IP addresses associated with IPIDEA proxy exit nodes. These groups included actors linked to China, Iran, Russia, and the DPRK, and their activities ranged from password-spray attacks to unauthorized access of SaaS platforms and on-premises infrastructure.
Risks to Consumers
Beyond enabling cybercrime, residential proxies expose end users to significant risk. Devices unknowingly acting as exit nodes can become launch points for hacking attempts, potentially resulting in IP blacklisting or service disruptions. GTIG confirmed that IPIDEA proxy software did more than relay traffic outward; it also routed traffic into exit-node devices, increasing the likelihood of compromise and lateral access to other devices on the same home network.
Despite claims of ethical sourcing, GTIG found many applications failed to disclose their participation in the IPIDEA proxy network. Previous research has also identified uncertified Android Open Source Project devices, such as set-top boxes, shipped with hidden proxy payloads.
A Web of Brands and SDKs
GTIG’s investigation revealed that IPIDEA controls or is directly linked to numerous ostensibly independent proxy and VPN brands, including 360 Proxy, 922 Proxy, ABC Proxy, Cherry Proxy, Luna Proxy, PIA S5 Proxy, PY Proxy, and multiple VPN services. The same operators also manage several SDK brands (Castar SDK, Earn SDK, Hex SDK, and Packet SDK), which are marketed to developers as monetization tools and embedded directly into third-party applications.
Once installed, these SDKs silently convert user devices into proxy exit nodes. GTIG identified a shared two-tier command-and-control architecture across all analyzed SDKs, with Tier One servers distributing configuration data and Tier Two nodes issuing proxy tasks.
As of the investigation, approximately 7,400 Tier Two servers were active worldwide, with counts fluctuating daily based on demand.
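A defender-side illustration of the exit-node behaviour described above (a device relaying traffic outward to many unrelated destinations while also accepting traffic routed inward), added here and not GTIG’s or Google’s tooling. It scores hosts in constructed gateway flow records; the local subnet, thresholds, record format and the assumption that inbound-initiated sessions are visible at the gateway are all illustrative choices.

```python
"""Heuristic flagging of likely residential-proxy exit nodes on a home network.

Added example, not Google's or GTIG's code. Each flow is (src_ip, dst_ip, dst_port)
as a home gateway might log it; inbound sessions are assumed to be visible there.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.0/24")  # assumed local subnet

# Constructed sample flows (RFC 5737 documentation ranges for external hosts).
SAMPLE_FLOWS = (
    # Set-top box: fan-out to many unrelated destinations AND inbound sessions.
    [("192.168.1.20", f"203.0.113.{i}", 443) for i in range(1, 9)]
    + [(f"198.51.100.{i}", "192.168.1.20", 38080) for i in range(1, 4)]
    # Laptop: ordinary browsing fan-out, nothing initiated from outside.
    + [("192.168.1.10", f"203.0.113.{i}", 443) for i in range(20, 26)]
    # Printer: two cloud endpoints only.
    + [("192.168.1.30", "203.0.113.50", 443), ("192.168.1.30", "203.0.113.51", 443)]
)


def summarize(flows, local_net=LOCAL_NET):
    """Per local host: distinct external destinations it contacted and
    distinct external sources that initiated sessions towards it."""
    outbound = defaultdict(set)
    inbound = defaultdict(set)
    for src, dst, _port in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in local_net and d not in local_net:
            outbound[src].add(dst)
        elif d in local_net and s not in local_net:
            inbound[dst].add(src)
    return outbound, inbound


def flag_exit_nodes(flows, local_net=LOCAL_NET, fanout_min=5, inbound_min=2):
    """Flag hosts showing BOTH high outbound fan-out and unsolicited inbound
    sessions; either signal alone (a busy laptop, a port-forwarded camera)
    is too noisy, the combination matches the relay-in-and-out pattern."""
    outbound, inbound = summarize(flows, local_net)
    flagged = {}
    for host in set(outbound) | set(inbound):
        fanout, sources = len(outbound.get(host, ())), len(inbound.get(host, ()))
        if fanout >= fanout_min and sources >= inbound_min:
            flagged[host] = {"outbound_destinations": fanout, "inbound_sources": sources}
    return flagged


if __name__ == "__main__":
    print(flag_exit_nodes(SAMPLE_FLOWS))
```

Thresholds are starting points to tune against a baseline of the network’s normal devices; a device that trips the rule is a candidate for inspection of what software is running on it, not a confirmed compromise.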
Distribution Through Trojanized Software
The IPIDEA ecosystem also relied on trojanized VPN applications, including Galleon VPN and Radish VPN, which provided legitimate VPN functionality while covertly enrolling devices into the proxy network. On Windows systems, GTIG identified 3,075 unique binaries contacting Tier One infrastructure, including malware disguised as OneDrive Sync tools or Windows Update components. On Android, more than 600 applications across multiple distribution channels were found to contain IPIDEA SDK code.
In addition to legal takedowns, Google coordinated with partners such as Spur, Lumen’s Black Lotus Labs, and Cloudflare to disrupt domain resolution and limit IPIDEA’s ability to manage infected devices and market its proxy software. GTIG characterized the residential proxy industry as a rapidly growing gray market that thrives on deception and shared infrastructure.
While the disruption has dealt a substantial blow to the IPIDEA proxy network, GTIG emphasized that broader industry action is still needed. As the BadBox2.0 botnet and related operations demonstrate, residential proxies remain a critical enabler of global cybercrime and espionage, posing ongoing risks to both organizations and everyday consumers.
