Google moved to disrupt what it believes is one of the world’s largest residential proxy networks, targeting the IPIDEA ecosystem of proxy and VPN services.
The action aims to cut off infrastructure that has quietly enabled cybercrime, espionage, and fraud by routing malicious traffic through millions of compromised consumer devices.
“IPIDEA has become notorious for its role in facilitating several botnets: its software development kits played a key role in adding devices to the botnets, and its proxy software was then used by bad actors to control them,” said Google researchers.
Inside the IPIDEA Proxy Network
Residential proxy networks like IPIDEA pose a challenge for defenders because they exploit legitimate consumer IP addresses, making malicious activity more difficult to distinguish from normal user traffic.
Unlike traditional data center–based proxies, residential proxies route traffic through home and small business networks, allowing attackers to blend seamlessly into everyday internet activity and evade common detection and blocking techniques.
According to Google’s analysis, IPIDEA’s infrastructure has been repeatedly used to support a wide range of malicious activity, including botnet operations, credential spraying campaigns, espionage efforts, and unauthorized access to both SaaS platforms and on-premises environments.
This made the network a valuable asset for threat actors seeking scale and anonymity.
At the center of IPIDEA’s operation was a system designed to quietly recruit consumer devices into a massive, shared proxy pool.
The network relied heavily on software development kits (SDKs) marketed to application developers as monetization tools.
When embedded into otherwise legitimate applications, these SDKs transformed user devices into proxy exit nodes, often without clear or prominent disclosure to the end user.
Google found that IPIDEA controlled multiple SDK brands — including PacketSDK, EarnSDK, CastarSDK, and HexSDK — as well as a collection of proxy and VPN services that appeared independent on the surface but shared common ownership and backend infrastructure.
By supporting Android, Windows, iOS, and other platforms, the operators were able to scale the network to millions of devices worldwide.
IPIDEA used a centralized two-tier command-and-control architecture in which enrolled devices contacted domain-based servers to send diagnostics and receive configuration instructions.
These responses directed devices to Tier Two servers — IP-based nodes responsible for managing and routing proxy traffic.
Despite the use of multiple brands and domains, researchers identified a shared pool of roughly 7,400 Tier Two servers, confirming that the network was centrally managed rather than fragmented across independent services.
How Residential Proxies Enable Abuse
Residential proxy networks are effective because they route traffic through real residential IP addresses, allowing malicious activity to blend in with legitimate user traffic.
By leveraging these trusted residential IPs, IPIDEA enabled threat actors to obscure their infrastructure and evade many traditional detection and blocking controls.
According to Google’s research, IPIDEA exit nodes were used to support multiple botnets, including BadBox 2.0, Aisuru, and Kimwolf.
This made the network a valuable resource for actors seeking to scale operations while reducing attribution and takedown risk.
The impact extends beyond enterprises to the consumers whose devices were unknowingly enrolled as proxy exit nodes.
These devices relayed third-party traffic without their owners' knowledge, exposing home networks to inbound connections and increasing security and privacy risks for users.
Legal and Platform Action Against IPIDEA
To disrupt IPIDEA’s operations, Google took coordinated legal and technical actions aimed at dismantling the network’s core infrastructure.
This included legal efforts to take down domains used for command-and-control communications and to market IPIDEA’s proxy services and SDKs.
Google enforced platform security policies by removing Android apps containing IPIDEA SDKs and updating Google Play Protect to warn users, remove affected apps, and block future installations.
Google shared intelligence with law enforcement and partners such as Cloudflare, Spur, and Lumen’s Black Lotus Labs to disrupt IPIDEA’s infrastructure and limit its ability to operate and scale.
Reducing Risk From Residential Proxies
Residential proxy networks are designed to bypass traditional, IP-based security controls, making them effective at masking malicious activity.
As a result, organizations need defenses that focus on identity, behavior, and context rather than simple network reputation.
- Enforce strong identity controls such as MFA, adaptive authentication, and strict rate limiting on login and sensitive actions.
- Monitor for behavioral anomalies including unusual login velocity, impossible travel, abnormal API usage, and low-and-slow authentication attempts.
- Integrate and regularly update threat intelligence on residential proxy exit nodes, combined with device fingerprinting and bot management controls.
- Harden application and API abuse protections by scoping permissions, rotating secrets, and throttling high-risk endpoints.
- Bind sessions to device and context signals and invalidate sessions when unexpected changes are detected.
- Centralize logging and correlate authentication and access signals in a SIEM or UEBA platform to surface coordinated proxy-backed activity.
- Test and update incident response plans to ensure teams can quickly detect, contain, and recover from proxy-enabled attacks.
Together, these controls help organizations shift from reactive blocking to proactive, identity- and behavior-driven defenses better suited to counter residential proxy–based attacks.
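As an added example (not code from the article or from Google), the following shows how two of the behavioral checks above can be implemented over a constructed authentication log: a credential-spray detector keyed on the account rather than the source IP, so that failures spread across rotating residential IPs still add up, and an impossible-travel check on successful logins. The event format, thresholds and sample IPs are assumptions.

```python
# Added example, not from the article or Google's research: flag proxy-backed
# authentication abuse by keying on identity and behaviour, not IP reputation.
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (time, user, source IP, country, outcome); the IPs
# are documentation-range placeholders, not real indicators.
EVENTS = [
    ("2024-01-01T10:00:00", "alice", "198.51.100.10", "US", "fail"),
    ("2024-01-01T10:04:00", "alice", "203.0.113.22", "US", "fail"),
    ("2024-01-01T10:09:00", "alice", "192.0.2.77", "DE", "fail"),
    ("2024-01-01T10:13:00", "alice", "198.51.100.200", "BR", "fail"),
    ("2024-01-01T10:18:00", "alice", "203.0.113.9", "IN", "fail"),
    ("2024-01-01T10:21:00", "alice", "192.0.2.150", "US", "success"),
    ("2024-01-01T10:40:00", "alice", "203.0.113.61", "JP", "success"),
    ("2024-01-01T10:03:00", "bob", "198.51.100.5", "US", "success"),
]
def parse(events):
    return sorted((datetime.fromisoformat(t), u, ip, cc, r) for t, u, ip, cc, r in events)
def detect_distributed_spray(events, window=timedelta(minutes=30),
                             min_failures=5, min_ips=4, max_per_ip=2):
    """Per-account failures spread over many source IPs, each under a per-IP
    lockout threshold: the low-and-slow pattern rotating residential proxies give."""
    by_user = defaultdict(list)
    for ts, user, ip, _, result in parse(events):
        if result == "fail":
            by_user[user].append((ts, ip))
    flagged = set()
    for user, fails in by_user.items():
        for i, (start, _) in enumerate(fails):   # slide a window over each start
            per_ip = defaultdict(int)
            for ts, ip in fails[i:]:
                if ts - start <= window:
                    per_ip[ip] += 1
            if (sum(per_ip.values()) >= min_failures and len(per_ip) >= min_ips
                    and max(per_ip.values()) <= max_per_ip):
                flagged.add(user)
                break
    return flagged
def detect_impossible_travel(events, max_gap=timedelta(hours=1)):
    """Two successful logins for one account from different countries within
    max_gap. Returns (user, previous_country, current_country) tuples."""
    hits, last = [], {}
    for ts, user, _, cc, result in parse(events):
        if result != "success":
            continue
        if user in last and last[user][1] != cc and ts - last[user][0] <= max_gap:
            hits.append((user, last[user][1], cc))
        last[user] = (ts, cc)
    return hits
```

Note that no single IP in the sample exceeds a per-IP lockout threshold, which is exactly why a per-IP rule would miss it while the per-account rule flags it.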
Rethinking IP-based Trust
The disruption of IPIDEA underscores how residential proxy networks have become foundational infrastructure for modern cybercrime, enabling attackers to operate at scale while blending into legitimate consumer traffic.
While coordinated action by Google and its partners has degraded one major network, the broader residential proxy ecosystem continues to grow and evolve.
For organizations, this reinforces the need to move beyond IP-based trust models and adopt identity- and behavior-driven security strategies that can adapt to proxy-enabled threats.
As organizations move away from IP-based trust to address these threats, zero-trust solutions are increasingly central to enforcing continuous verification and limiting attacker movement across environments.
