Google on Wednesday announced that it worked together with other partners to disrupt IPIDEA, which it described as one of the largest residential proxy networks in the world.
To that end, the company said it took legal action to take down dozens of domains used to control devices and proxy traffic through them. As of writing, IPIDEA's website ("www.ipidea.io") is no longer accessible. It advertised itself as the "world's leading provider of IP proxy" with more than 6.1 million daily updated IP addresses and 69,000 daily new IP addresses.
"Residential proxy networks have become a pervasive tool for everything from high-end espionage to massive criminal schemes," John Hultquist, Google Threat Intelligence Group's (GTIG) chief analyst, said in a statement shared with The Hacker News.
"By routing traffic through a person's home internet connection, attackers can hide in plain sight while infiltrating corporate environments. By taking down the infrastructure used to run the IPIDEA network, we have effectively pulled the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices."
Google said that, as recently as this month, IPIDEA's proxy infrastructure has been leveraged by more than 550 individual threat groups with varying motivations, such as cybercrime, espionage, advanced persistent threat (APTs), information operations, from across the world, including China, North Korea, Iran, and Russia. These activities ranged from access to victim SaaS environments, on-premises infrastructure, and password spray attacks.
"Residential proxies have been used by a whole host of threats, but they're showing up frequently in incidents involving Russian and Chinese cyber espionage," Hultquist told The Hacker News. "They've been used by APT28 and Sandworm as well as Volt Typhoon."
In an analysis published earlier this month, Synthient revealed that the threat actors behind the AISURU/Kimwolf botnet were abusing security flaws in residential proxy services like IPIDEA to relay malicious commands to susceptible Internet of Things (IoT) devices behind a firewall within local networks to propagate the malware.
The malware that turns consumer devices into proxy endpoints is stealthily bundled within apps and games pre-installed on off-brand Android TV streaming boxes. This forces the infected device to relay malicious traffic and participate in distributed denial-of-service (DDoS) attacks.
IPIDEA is also said to have released standalone apps, marketed directly to people looking to make "easy cash" by blatantly advertising they'll pay consumers to install the app and allow it to use their "unused bandwidth."
While residential proxy networks offer the ability to route traffic through IP addresses owned by internet service providers (ISPs), this can also provide the perfect cover for bad actors looking to mask the origin of their malicious activity.
"To do this, residential proxy network operators need code running on consumer devices to enroll them into the network as exit nodes," GTIG explained. "These devices are either pre-loaded with proxy software or are joined to the proxy network when users unknowingly download trojanized applications with embedded proxy code. Some users may knowingly install this software on their devices, lured by the promise of 'monetizing' their spare bandwidth."
The tech giant's threat intelligence team said IPIDEA has become notorious for its role in facilitating a number of botnets, including the China-based BADBOX 2.0. In July 2025, Google filed a lawsuit against 25 unnamed individuals or entities in China for allegedly operating the botnet and its associated residential proxy infrastructure.
It also pointed out that the proxy applications from IPIDEA not only routed traffic through the exit node device, but also sent traffic to the device with the goal of compromising it, posing severe risks to consumers whose devices may have knowingly or unknowingly joined the proxy network.
The proxy network that powers IPIDEA is not a monolithic entity. Rather, it's a collection of multiple well-known residential proxy brands under its control -
- Ipidea (ipidea[.]io)
- 360 Proxy (360proxy[.]com)
- 922 Proxy (922proxy[.]com)
- ABC Proxy (abcproxy[.]com)
- Cherry Proxy (cherryproxy[.]com)
- Door VPN (doorvpn[.]com)
- Galleon VPN (galleonvpn[.]com)
- IP 2 World (ip2world[.]com)
- Luna Proxy (lunaproxy[.]com)
- PIA S5 Proxy (piaproxy[.]com)
- PY Proxy (pyproxy[.]com)
- Radish VPN (radishvpn[.]com)
- Tab Proxy (tabproxy[.]com)
"The same actors that control these brands also control several domains related to Software Development Kits (SDKs) for residential proxies," Google said. "These SDKs are not meant to be installed or executed as standalone applications, rather they are meant to be embedded into existing applications."
These SDKs are marketed to third-party developers as a way to monetize their Android, Windows, iOS, and WebOS applications. Developers who integrate the SDKs into their apps are paid by IPIDEA on a per-download basis. This, in turn, transforms a device that installs these apps into a node for the proxy network, while simultaneously providing the advertised functionality. The names of the SDKs controlled by the IPIDEA actors are listed below -
- Castar SDK (castarsdk[.]com)
- Earn SDK (earnsdk[.]io)
- Hex SDK (hexsdk[.]com)
- Packet SDK (packetsdk[.]com)
The SDKs have significant overlaps in their command-and-control (C2) infrastructure and code structure. They follow a two-tier C2 system where the infected devices contact a Tier One server to retrieve a set of Tier Two nodes to connect to. The application then initiates communication with the Tier Two server to periodically poll for payloads to proxy through the device. Google's analysis found that there are about 7,400 Tier Two servers.
Besides proxy services, the IPIDEA actors have been found to control domains that offer free Virtual Private Network (VPN) tools, which are also engineered to join the proxy network as an exit node incorporating either the Hex or Packet SDK. The names of the VPN services are as follows -
- Galleon VPN (galleonvpn[.]com)
- Radish VPN (radishvpn[.]com
- Aman VPN (defunct)
In addition, GTIG said it identified 3,075 unique Windows binaries that have sent a request to at least one Tier One domain, some of which masqueraded as OneDriveSync and Windows Update. These trojanized Windows applications were not distributed by the IPIDEA actors directly. As many as 600 Android applications (spanning utilities, games, and content) from multiple download sources have been flagged for containing code connecting to Tier One C2 domains by using the monetization SDKs to enable the proxy behavior.
In a statement shared with The Wall Street Journal, a spokesperson for the Chinese company said it had engaged in "relatively aggressive market expansion strategies" and "conducted promotional activities in inappropriate venues (e.g., hacker forums)," and it has "explicitly opposed any form of illegal or abusive conduct."
To counter the threat, Google said it has updated Google Play Protect to automatically warn users about apps containing IPIDEA code. For certified Android devices, the system will automatically remove these malicious applications and block any future attempts to install them.
"If a device isn't Play Protect certified, Google doesn't have a record of security and compatibility test results," Hultquist said. "Play Protect certified Android devices undergo extensive testing to ensure quality and user safety. To help confirm whether or not a device is built with Android TV OS and Play Protect certified, our Android TV website provides the most up-to-date list of partners."
That said, IPIDEA is just one of the many proxy services the operators of AISURU/Kimwolf have abused to scale up and monetize their footprint. Among the SDKs used to turn infected systems into internet traffic relays is another toolkit called ByteConnect, which is distributed by Plainproxies. ByteConnect is marketed as a way to "turn your apps into passive income" and as a tool to "help developers seamlessly monetize both apps and IoT devices." A third provider involved in the sale of Kimwolf proxies is Maskify.
"Our focus on the IPIDEA network right now is because of their connections to a host of malicious activity, including the BADBOX 2.0 botnet we took action against last year," Hultquist said. "Moving forward, we will continue to take action against organizations and technologies that are enabling malicious behavior targeting our users."
"While proxy providers may claim ignorance or close these security gaps when notified, enforcement and verification are challenging given intentionally murky ownership structures, reseller agreements, and diversity of applications," Google said.
Lumen Technologies, which assisted GTIG in verifying IPIDEA's infrastructure and scale, told The Hacker News that Google's actions are effectively slowing criminals' ability to exploit these services for malicious purposes by removing apps that distribute malware, but noted that sustained pressure on such residential proxy services developed through malware is necessary to combat the threat.
"Internet service providers can contribute by blocking traffic to infrastructure supporting malware-driven residential proxy services," Chris Formosa, senior lead information security engineer for Black Lotus Labs at Lumen Technologies, said. "A coordinated, ongoing effort is required to eliminate these threats."
"It is too early to assess the full impact. Today, approximately 5 million distinct bots are still connecting to IPIDEA's command and control servers, indicating continued operation at scale. However, we have observed a 40% decrease in total proxies today compared to previous weeks, and expect further reductions as additional proxies are lost."
(The story was updated after publication to include additional insights from GTIG and Lumen Technologies Black Lotus Labs.)
