
Google’s Threat Intelligence Group (GTIG) dismantles key infrastructure behind one of the world’s largest residential proxy operations – exposing a shadowy ecosystem that turns everyday consumer devices into tools for cybercrime and espionage.
- Google disrupted IPIDEA, a proxy network secretly hijacking consumer internet connections.
- Some apps and cheap devices quietly turned users into traffic relays for hackers.
- Google warns residential proxy abuse is expanding and calls for tighter oversight.
“Residential proxy networks have become a pervasive tool for everything from high-end espionage to massive criminal schemes,” said John Hultquist, GTIG’s Chief Analyst, warning that “by routing traffic through a person’s home internet connection, attackers can hide in plain sight while infiltrating corporate environments.”
The operation centers around a network known as IPIDEA, which Google says secretly controls multiple “independent” proxy and VPN brands that market themselves as legitimate services.
In reality, the GTIG research found many of these brands were operated by the same bad actors and used deceptive tactics to quietly collect residential IP addresses from unsuspecting users.
On social media, GTIG said it had “successfully disrupted IPIDEA,” claiming the action reduced the network’s available device pool “by millions,” and that the infrastructure had been used by “over 550 espionage and cybercrime threat groups.”
Hultquist said that “by taking down the infrastructure used to run the IPIDEA network, we have effectively pulled the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices.”
According to Google, many of the apps feeding the IPIDEA network never disclosed that users’ devices were being enrolled as proxy exit nodes, meaning their home internet connections were being rerouted to carry third-party traffic.
That traffic, Google warns, is often used to mask hacking campaigns, fraud, and espionage activity, giving attackers a way to blend into normal household internet traffic.
Google said it observed those 550 individual threat groups using IPIDEA-linked IP addresses during a single seven-day period in January 2026, including activity tied to China, North Korea, Iran, and Russia.
Researchers also linked IPIDEA infrastructure to multiple botnet operations, including the previously disrupted “BadBox2.0” campaign, which targeted cheap off-brand Android devices and consumer hardware.
How devices were quietly turned into proxy nodes
Rather than relying only on standalone proxy apps, IPIDEA operators distributed software development kits (SDKs) designed to be embedded inside otherwise legitimate applications.
Developers were paid per download to include the SDKs, effectively monetizing their apps by renting out users’ bandwidth, often without a user’s “clear consent.”
Once installed, the SDK converted the device into a proxy relay, allowing external actors to route traffic through the victim’s home network.
Google researchers also flagged uncertified Android-based devices – including off-brand streaming boxes shipped with hidden proxy payloads already installed – exposing buyers before their devices were even powered on.
Google and Cloudflare cut off proxy command servers
Google says the proxy network relied on a two-tier command-and-control system that allowed operators to remotely assign proxy tasks and route traffic through infected consumer devices.
The research team said it pursued legal action to seize IPIDEA’s command-and-control domains, disrupting the backend systems used to manage infected devices and route proxy traffic.
GTIG further coordinated with industry partners, including Cloudflare, Spur, and Lumen’s Black Lotus Labs, to block domain resolution and dismantle distribution channels tied to the operation.
The coordinated effort also shut down various marketing websites that were used to promote IPIDEA’s proxy products and SDK tools, thereby limiting the group’s ability to recruit new developers and expand its network.
Additionally, Google Play Protect has been updated to automatically warn users about apps containing IPIDEA code.
For certified Android devices, the system will now remove these malicious applications and block any future attempts to install them, GTIG said.
A growing “gray market” threat
Google warns the residential proxy industry is “rapidly expanding” into what it describes as a “gray market” that “thrives on deception,” where consumer bandwidth is repurposed to provide cover for global cybercrime and espionage operations.
And while some proxy providers claim “ethical sourcing,” Google says such claims are often overstated or unsupported by transparent proof of user consent.
The company is urging regulators, app developers, ISPs, and mobile platforms to tighten oversight and increase transparency around proxy monetization models.
What users should watch out for
Google is advising consumers to be cautious of apps offering cash or rewards in exchange for “sharing unused bandwidth,” one of the most common recruitment methods used by illicit proxy networks.
Users are encouraged to:
- Stick to official app stores
- Review VPN and proxy permissions carefully
- Enable built-in protections such as Google Play Protect
- Avoid uncertified Android devices and low-cost streaming boxes from unknown vendors
In its blog post, Google also published a list of technical indicators of compromise (IOCs) to help security teams detect proxy-related activity across enterprise and home networks.
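As an added illustration of how a defender would put such an IOC list to work (this is example code written for this page, not code from the article or from Google's blog post), the script below scans DNS query logs for lookups of listed domains and resolutions to listed addresses. The IOC domains, the TEST-NET addresses and the dnsmasq-style log lines are all constructed placeholders and are not real IPIDEA indicators; the log format is an assumption, so the two regexes would need adjusting for another resolver's output.

```python
"""Match resolver logs against a residential-proxy IOC list (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicators. The actual IOC list comes from Google's
# blog post; nothing here is a real IPIDEA domain or address.
IOC_DOMAINS = {"proxy-c2.example", "sdk-update.example.net"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.45/32", "198.51.100.0/24")]

# Assumed dnsmasq-style line shapes:
#   "... query[A] <name> from <client>"
#   "... reply <name> is <address>"
QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
REPLY_RE = re.compile(r"reply (\S+) is (\S+)$")

# Constructed sample log; one client looks up both IOC domains, the other
# only looks up benign names, including a near-miss of an IOC domain.
SAMPLE_LOG = """\
Jan 12 09:01:12 gw dnsmasq[412]: query[A] api.proxy-c2.example from 192.168.1.23
Jan 12 09:01:13 gw dnsmasq[412]: reply api.proxy-c2.example is 203.0.113.45
Jan 12 09:02:40 gw dnsmasq[412]: query[A] www.example.org from 192.168.1.10
Jan 12 09:03:01 gw dnsmasq[412]: query[AAAA] sdk-update.example.net from 192.168.1.23
Jan 12 09:04:55 gw dnsmasq[412]: query[A] notproxy-c2.example from 192.168.1.10
"""


def domain_matches(name, ioc_domains):
    """True if name equals an IOC domain or is a subdomain of one.

    A plain suffix check would wrongly match 'notproxy-c2.example' against
    'proxy-c2.example', so the comparison is made on label boundaries.
    """
    name = name.rstrip(".").lower()
    return any(name == ioc or name.endswith("." + ioc) for ioc in ioc_domains)


def ip_matches(address, ioc_networks):
    """True if address falls inside any IOC network; non-IP strings never match."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in ioc_networks)


def scan_dns_log(text, ioc_domains=IOC_DOMAINS, ioc_networks=IOC_NETWORKS):
    """Return {client: [(kind, value), ...]} for IOC-domain queries and IOC-IP replies.

    Reply lines carry no client address in this log format, so an address hit
    is attributed to the last client seen querying that name.
    """
    hits = defaultdict(list)
    last_client_for = {}
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name, client = m.groups()
            last_client_for[name.lower()] = client
            if domain_matches(name, ioc_domains):
                hits[client].append(("domain", name))
            continue
        m = REPLY_RE.search(line)
        if m:
            name, address = m.groups()
            client = last_client_for.get(name.lower(), "unknown")
            if ip_matches(address, ioc_networks):
                hits[client].append(("ip", address))
    return dict(hits)


if __name__ == "__main__":
    for client, found in scan_dns_log(SAMPLE_LOG).items():
        print(client)
        for kind, value in found:
            print(f"  {kind}: {value}")
```

Run against the constructed sample, only 192.168.1.23 is flagged: once for each IOC domain it queried and once for the resolved IOC address. A host that repeatedly resolves such names is the kind of device the article describes, a phone or streaming box carrying an embedded proxy SDK, and is a candidate for isolation and app review rather than an immediate assumption of a compromised user.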