To stop crims, Google starts dismantling residential proxy network they use to hide

Summary

Google’s Threat Intelligence Group (GTIG) has moved to significantly degrade IPIDEA, a large residential proxy network that researchers say was being abused by hundreds of threat groups to hide malicious traffic. Over a seven-day period in January 2026 GTIG observed more than 550 threat groups using IPIDEA exit nodes; its disruption reduced the available pool of devices by millions across smartphones, Windows PCs and other consumer hardware, especially in the US, Canada and Europe.

IPIDEA enrolled devices via proxy SDKs bundled in apps or via standalone proxy software often marketed as a way to “monetise” spare bandwidth. Some of those devices were also conscripted into botnets such as BadBox 2.0, Aisuru and Kimwolf. GTIG worked with industry partners (Spur, Lumen/Black Lotus Labs, Cloudflare) to disrupt domain resolution and other infrastructure, though it stops short of claiming a full takedown.

Key Points

  • GTIG targeted IPIDEA, a major residential proxy network used to mask malicious activity.
  • Researchers recorded 550+ threat groups using IPIDEA exit nodes in a seven-day window.
  • IPIDEA recruited devices via embedded SDKs in apps and proxy software sold to users.
  • Disruption removed millions of devices from the available pool, reducing attacker resources.
  • Devices enrolled by IPIDEA were also used in botnets, linking the proxy network to larger criminal operations.
  • Google coordinated with Spur, Lumen/Black Lotus Labs and Cloudflare to degrade IPIDEA’s infrastructure.
  • Residential proxies remain legal and are often pitched for privacy despite widespread abuse.

Content summary

GTIG describes IPIDEA as a “little-known component of the digital ecosystem” that was being monetised into a marketplace selling anonymised exit nodes. Operators embedded SDKs in apps or distributed proxy software to enrol consumer devices into the network. By disrupting domain resolution and other infrastructure, Google and its partners reduced IPIDEA’s usable device pool by millions, aiming to cause downstream effects on operators and resellers even if the network was not completely dismantled.

Researchers also found that some SDKs were directly controlled by IPIDEA operators, increasing the risk to enrolled users because their devices could be used as footholds for further compromise.

Context and relevance

Residential proxy networks let attackers “hide in plain sight” by routing malicious traffic through legitimate-looking home IP addresses, which complicates detection and attribution. Disrupting a major supplier like IPIDEA constrains multiple criminal campaigns at once and reduces the pool of compromised devices that can be resold to threat actors.
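Why per-IP controls miss this and what still catches it, as an added example that is not part of the article or of GTIG's work: one account authenticating from many unrelated consumer networks within seconds. Per-IP rate limits never trip because each residential exit is used only once or twice; aggregating by identity and counting distinct source IPs and ASNs inside a short window does. Every log line, IP address (RFC 5737 documentation ranges) and ASN mapping (RFC 5398 documentation ASNs) below is constructed, and the prefix table stands in for a real IP-intelligence feed.

```python
"""Added example, not code from the article or from GTIG.
Shows why residential proxy traffic evades per-IP blocking and how
per-identity aggregation still surfaces it. All data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed prefix table: network -> (asn, is_residential).
# A real deployment would use a commercial or open IP-intelligence feed.
ASN_TABLE = [
    (ip_network("203.0.113.0/24"), 64500, True),   # consumer ISP A (constructed)
    (ip_network("198.51.100.0/24"), 64501, True),  # consumer ISP B (constructed)
    (ip_network("192.0.2.0/24"), 64502, True),     # consumer ISP C (constructed)
    (ip_network("100.64.0.0/10"), 64503, False),   # non-residential range (constructed)
]

# Constructed auth log: "<timestamp> <user> <source_ip> <result>"
LOG = """\
2026-01-29T10:00:01 alice 203.0.113.10 FAIL
2026-01-29T10:00:09 alice 198.51.100.77 FAIL
2026-01-29T10:00:15 alice 192.0.2.44 FAIL
2026-01-29T10:00:22 alice 203.0.113.200 FAIL
2026-01-29T10:00:30 alice 198.51.100.5 FAIL
2026-01-29T10:00:41 alice 192.0.2.199 OK
2026-01-29T10:05:00 bob 203.0.113.10 OK
2026-01-29T10:06:00 bob 203.0.113.10 OK
"""


def lookup_asn(ip):
    """Return (asn, is_residential) for an IP, or (None, False) if unknown."""
    addr = ip_address(ip)
    for net, asn, residential in ASN_TABLE:
        if addr in net:
            return asn, residential
    return None, False


def parse_log(text):
    """Parse the whitespace-separated log format above into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def per_ip_counts(events):
    """Attempts per source IP: the view a per-IP rate limiter sees."""
    counts = defaultdict(int)
    for ev in events:
        counts[ev["ip"]] += 1
    return dict(counts)


def flag_ip_churn(events, window=timedelta(minutes=5), min_distinct_ips=5):
    """Per identity, count distinct source IPs and ASNs in a sliding window.
    Proxy-backed abuse shows up as one account arriving from many unrelated
    consumer networks in seconds, which no single IP reveals on its own."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i, anchor in enumerate(evs):
            start = anchor["ts"] - window
            win = [e for e in evs[: i + 1] if e["ts"] >= start]
            ips = {e["ip"] for e in win}
            if len(ips) < min_distinct_ips:
                continue
            asns = {lookup_asn(ip)[0] for ip in ips}
            residential = sum(1 for ip in ips if lookup_asn(ip)[1]) / len(ips)
            cand = {"distinct_ips": len(ips), "distinct_asns": len(asns),
                    "residential_share": residential}
            if best is None or cand["distinct_ips"] > best["distinct_ips"]:
                best = cand
        if best is not None:
            findings[user] = best
    return findings


if __name__ == "__main__":
    evs = parse_log(LOG)
    print("busiest single IP:", max(per_ip_counts(evs).values()), "attempts")
    print("flagged identities:", flag_ip_churn(evs))
```

The per-IP view tops out at three attempts from one address (both from a legitimate user), so a threshold of five never fires; the per-identity view flags alice with six distinct residential IPs across three ASNs in forty seconds. The residential share is worth keeping as a field rather than a hard filter, since a single consumer IP is exactly what a real user looks like; it is the diversity per identity, not the residential label, that carries the signal.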

For security teams, ISPs and app platform owners this underscores the dangers of opaque SDKs, the benefits of collaborative threat intelligence, and the legal/ethical grey area around residential proxies that are marketed for benign uses but widely abused.

Author’s take

Google pulled a hefty lever — not a complete kill, but enough to kneecap a marketplace selling millions of hijacked devices. If you care about fraud, intrusion or platform abuse, this move matters.

Why should I read this?

Criminals were using people's phones and home PCs as cheap, believable exit points to hide attacks. Google helped kick millions of those zombie nodes off the market, so if you work in security, ops, ISPs or app development, this directly affects your threat exposure and shows how shady SDKs get devices recruited.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/29/google_ipidea_crime_network/