Google and other industry partners have moved to disrupt the IPIDEA residential proxy network, which the company says is used by hundreds of individual threat groups for a variety of malicious activities. 

Google’s move involved both technical and legal measures and is designed to reduce the pool of devices available to IPIDEA’s network. Residential proxy networks are large-scale webs of consumer devices with small bits of code running on them that enable actors to route traffic through IP addresses around the world for various purposes. Some of those purposes are benign, but many are not. GTIG researchers observed more than 550 individual threat groups using IPIDEA exit nodes during a one-week period earlier this month. 

IPIDEA's Role in Global Threats

IPIDEA is a large provider of proxy services and GTIG researchers said that the network has been abused by threat actors to conduct a slew of different activities, including password spraying. 
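Password spraying is one of the activities the article ties to the network, and residential proxies are what make it hard to catch: each guess can arrive from a different consumer IP, so per-IP lockouts and rate limits never trigger. The following is an added example (not code from Google, GTIG, or the article) showing one defender-side detection heuristic run over constructed authentication log lines in a hypothetical format: it flags a time window in which many distinct accounts fail from many distinct source addresses, each address contributing only one or two attempts. The log format, field names, and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log in a hypothetical line format
# (timestamp, result, user, source ip). Not real data: the first burst
# mimics a spray routed through a pool of consumer IPs, the second is a
# single user repeatedly mistyping a password from one address.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice ip=203.0.113.10
2024-05-01T10:00:45Z FAIL user=bob ip=203.0.113.22
2024-05-01T10:01:12Z FAIL user=carol ip=198.51.100.5
2024-05-01T10:02:03Z FAIL user=dave ip=203.0.113.77
2024-05-01T10:02:59Z FAIL user=erin ip=198.51.100.91
2024-05-01T10:03:30Z OK user=frank ip=192.0.2.14
2024-05-01T10:04:18Z FAIL user=grace ip=203.0.113.140
2024-05-01T10:05:07Z FAIL user=heidi ip=198.51.100.33
2024-05-01T10:06:44Z FAIL user=ivan ip=203.0.113.201
2024-05-01T11:30:02Z FAIL user=bob ip=192.0.2.14
2024-05-01T11:30:40Z FAIL user=bob ip=192.0.2.14
2024-05-01T11:31:15Z FAIL user=bob ip=192.0.2.14
2024-05-01T11:32:01Z FAIL user=bob ip=192.0.2.14
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, result, user, ip) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def window_start(ts, window):
    """Floor a timestamp to the start of its fixed window (window must divide one hour)."""
    minutes = int(window.total_seconds() // 60)
    return ts.replace(second=0, microsecond=0, minute=ts.minute - ts.minute % minutes)


def detect_spray(events, window=timedelta(minutes=10), min_users=5, min_ips=5):
    """Flag windows where many distinct users fail from many distinct source IPs.

    One account failing repeatedly from one address has a low user count and
    is not flagged. A spray routed through a residential proxy pool shows the
    opposite shape: many accounts, many addresses, about one failure per IP,
    so per-IP lockout counters never reach their threshold.
    """
    buckets = defaultdict(lambda: {"users": set(), "ips": set(), "per_ip": defaultdict(int)})
    for ts, result, user, ip in events:
        if result != "FAIL":
            continue
        b = buckets[window_start(ts, window)]
        b["users"].add(user)
        b["ips"].add(ip)
        b["per_ip"][ip] += 1

    alerts = []
    for start in sorted(buckets):
        b = buckets[start]
        if len(b["users"]) >= min_users and len(b["ips"]) >= min_ips:
            alerts.append({
                "window_start": start,
                "users": len(b["users"]),
                "ips": len(b["ips"]),
                "max_per_ip": max(b["per_ip"].values()),
            })
    return alerts


def analyze(text):
    """Convenience wrapper: parse raw log text and return spray alerts."""
    return detect_spray(parse_log(text))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"spray suspected in window starting {a['window_start']:%H:%M}: "
              f"{a['users']} users, {a['ips']} IPs, max {a['max_per_ip']} attempt(s) per IP")
```

Run against the constructed log, only the 10:00 window is reported (8 users, 8 IPs, one attempt per IP); the 11:30 burst from a single user and address is left alone. In a real deployment the thresholds would be tuned to the tenant's login volume, and the per-IP maximum is worth surfacing in the alert because a low value is the signature of traffic spread across a proxy pool rather than a single attacking host.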

“IPIDEA has become notorious for its role in facilitating several botnets: its software development kits played a key role in adding devices to the botnets, and its proxy software was then used by bad actors to control them. This includes the BadBox2.0 botnet we took legal action against last year, and the Aisuru and Kimwolf botnets more recently. We also observe IPIDEA being leveraged by a vast array of espionage, crime, and information operations threat actors,” Google Threat Intelligence Group (GTIG) wrote in an analysis of the network’s operation. 

“Our research has found significant overlaps between residential proxy network exit nodes, likely because of reseller and partnership agreements, making definitive quantification and attribution challenging. In addition, residential proxies pose a risk to the consumers whose devices are joined to the proxy network as exit nodes. These users knowingly or unknowingly provide their IP address and device as a launchpad for hacking and other unauthorized activities, potentially causing them to be flagged as suspicious or blocked by providers.”

IPIDEA’s proxy software and embedded SDKs are used by bad actors to onboard devices and control botnet activities. GTIG observed more than 550 distinct threat groups—spanning espionage, cybercrime, and information operations from countries including China, DPRK, Iran, and Russia—leveraging IPIDEA exit nodes to hide their attacks.

The Hidden Risk to Consumers

Residential proxies pose a significant, often hidden, risk to the consumers whose devices become exit nodes in the network. Users, knowingly or unknowingly, provide their IP address and device as a launchpad for malicious activities. While some users install proxy software intentionally, many more do so unwittingly, whether it’s through a hidden download or a trojanized app. 

Also, proxy apps can introduce critical security vulnerabilities. GTIG’s analysis confirmed that IPIDEA's proxy software does not just route traffic through the exit node device; it also sends traffic to the device in order to compromise it. This exposes a user's private devices on the same network to bad actors.

Google’s research discovered that many seemingly independent proxy and VPN brands are controlled by the same actors behind IPIDEA. This network of ostensibly separate services includes:

  • 360 Proxy
  • 922 Proxy
  • ABC Proxy
  • Cherry Proxy
  • Door VPN
  • Galleon VPN
  • IP 2 World
  • Ipidea
  • Luna Proxy
  • PIA S5 Proxy
  • PY Proxy
  • Radish VPN
  • Tab Proxy

The network operator’s primary method of building this massive residential pool is through SDKs such as EarnSDK, PacketSDK, CastarSDK, and HexSDK. These SDKs are embedded into mobile and desktop applications (Android, Windows, iOS, WebOS) and secretly enroll the user's device as an exit node, often without explicit disclosure, turning millions of consumer devices into compromised infrastructure for global threat actors.

“Once the SDK is embedded into an application, it will turn the device it is running on into an exit node for the proxy network in addition to providing whatever the primary functionality of the application was. These SDKs are the key to any residential proxy network—the software they get embedded into provides the network operators with the millions of devices they need to maintain a healthy residential proxy network,” GTIG said.

As part of the disruption, Google took down C2 domains used by threat actors and also domains used to market IPIDEA services. 

“While we believe our actions have seriously impacted one of the largest residential proxy providers, this industry appears to be rapidly expanding, and there are significant overlaps across providers. As our investigation shows, the residential proxy market has become a "gray market" that thrives on deception—hijacking consumer bandwidth to provide cover for global espionage and cybercrime,” Google said.