By Jonathan Andersen, CEO and Co-Founder, Webscout (webscout.io). Friday, April 24th, 2026.
Residential proxy networks have quietly become one of the most consequential and least understood threat enablers on the internet. This post examines how they are built, who is using them, and why countering them requires a level of collaboration the security community has not yet organised around.
It is a call to action for two audiences in particular: researchers and practitioners who are already tracking these networks, and the ISPs and network operators whose infrastructure is essential to understanding how they proliferate. We outline the threat, the open questions, and what we are building to address them.
When Kimwolf emerged in late 2025, it infected over two million devices, the majority of them unofficial Android TV boxes sold openly on mainstream retail platforms, often pre-loaded from the factory with Android Debug Bridge left enabled and proxy SDKs pre-installed (Synthient, 2026; Krebs, 2026). The operators did not need to compromise anything in the conventional sense. The supply chain had already done it for them.
The more revealing finding was not the botnet itself. Infoblox reviewed DNS traffic across their customer base and found that nearly a quarter of enterprise customers had made at least one query to a Kimwolf-related domain since October 2025 (Infoblox, 2026). To be precise: at least one device inside those networks was a residential proxy endpoint that Kimwolf operators were using to scan local networks for vulnerable targets. Spur found proxy endpoints from IPIDEA, the primary service Kimwolf exploited, inside nearly 300 government-owned and operated networks, 318 utility companies, 166 healthcare organisations, and 141 companies in banking and finance (Spur, 2026).
Kimwolf was a symptom. The structural problem is the residential proxy layer itself: a commercially (sometimes criminally) operated, poorly audited network of consumer devices routing arbitrary third-party traffic through genuine ISP-assigned IP space, embedded across critical networks before most defenders were looking for it.
Residential proxy networks grow through several mechanisms. The most widespread is SDK-based provisioning: proxy companies pay mobile developers to embed their SDK into free or low-cost applications. The app ships with a lengthy end-user licence agreement in which consent to route third-party traffic through the user's device is buried in legal language, and most users click through without reading it (Trend Micro, 2025; Google, 2026; FBI, 2026).
The second is hardware supply chain compromise. As of January 2025, Satori researchers estimated more than one million devices were infected by BADBOX 2.0 alone, covering off-brand Android tablets, connected TV boxes, and digital projectors manufactured in mainland China (HUMAN/Satori, 2025). Disruption efforts by HUMAN Security, Google, Trend Micro, and partners degraded the operation, but Satori noted explicitly that the supply chain enabling the implant remains intact.
The third is active exploitation of the proxy layer as an attack vector. Kimwolf tunnelled through proxy endpoints into local networks, exploiting unauthenticated ADB services on Android TV devices to scan for and infect adjacent hardware. The proxy SDK, in this model, is the initial foothold. Whatever sits behind the user's router becomes reachable.
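An added defender-side check, not part of the original post: given constructed flow records for a small LAN, flag any internal host that opens ADB (TCP 5555) to several other internal hosts, which is the fan-out a proxy endpoint probing behind the router would produce, and separately list ADB reached from outside the LAN. The LAN range, the flow records and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

ADB_PORT = 5555                                # Android Debug Bridge over TCP
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed internal range

# Constructed flow records (src_ip, dst_ip, dst_port); not real telemetry.
# .40 is a TV box that has started probing its neighbours for ADB.
FLOWS = [
    ("192.168.1.40", "192.168.1.1",    53),
    ("192.168.1.40", "192.168.1.10", 5555),
    ("192.168.1.40", "192.168.1.11", 5555),
    ("192.168.1.40", "192.168.1.12", 5555),
    ("192.168.1.40", "192.168.1.13", 5555),
    ("192.168.1.20", "198.51.100.20", 443),
    ("192.168.1.20", "192.168.1.21", 5555),   # one developer session: routine
    ("203.0.113.9",  "192.168.1.40", 5555),   # ADB reached from the internet
]

def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN

def adb_fanout(flows, min_targets=3):
    """Map each internal host to the distinct internal hosts it reached on
    TCP/5555 and keep those with at least min_targets. One ADB session to
    one box is normal; fan-out across the LAN is the scanning pattern."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport == ADB_PORT and in_lan(src) and in_lan(dst) and src != dst:
            targets[src].add(dst)
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}

def inbound_adb(flows):
    """ADB connections arriving from outside the LAN; these should be
    blocked at the router and never appear in a healthy home network."""
    return [(s, d) for s, d, p in flows
            if p == ADB_PORT and not in_lan(s) and in_lan(d)]

if __name__ == "__main__":
    print("ADB fan-out:", adb_fanout(FLOWS))
    print("Inbound ADB:", inbound_adb(FLOWS))
```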
All three mechanisms are resistant to conventional defences because the resulting traffic carries genuine ISP-assigned IP attribution. Reputation-based controls largely fail. Geolocation-based controls largely fail.
“... everything you thought you knew about the security of the internal network behind your Internet router probably is now dangerously out of date.” - Krebs 2026, https://krebsonsecurity.com/2026/01/the-kimwolf-botnet-is-stalking-your-local-network/
Residential proxy networks enhance nearly every stage of the intrusion lifecycle. During reconnaissance, they allow adversaries to scrape targets, enumerate services, and map infrastructure while appearing to originate from ordinary households, rendering rate limits and geo-fencing largely useless. For initial access, they supercharge credential stuffing and password spraying: each attempt arrives from a different residential IP in the target's own region, defeating per-IP lockouts, geolocation anomaly detection, and datacenter reputation checks. As Kimwolf demonstrated, the proxy endpoint itself can serve as a direct foothold into the local network, bypassing the perimeter entirely. For C2 and exfiltration, traffic routed through residential IPs is nearly indistinguishable from legitimate household activity, complicating detection and attribution at every step.
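An added illustration, not from the original post, of why per-IP lockouts miss a spray that rotates through residential IPs, and of a per-window, account-breadth detector that still catches it. The authentication events, usernames, IPs and thresholds are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (timestamp, user, src_ip, result); not real logs.
# Nearly every failure arrives from a different IP, as residential-proxy spraying does.
EVENTS = [
    ("2026-04-24T09:00:01", "alice", "198.51.100.12", "FAIL"),
    ("2026-04-24T09:00:03", "bob",   "198.51.100.77", "FAIL"),
    ("2026-04-24T09:00:04", "carol", "192.0.2.201",   "FAIL"),
    ("2026-04-24T09:00:06", "dave",  "192.0.2.33",    "FAIL"),
    ("2026-04-24T09:00:07", "erin",  "198.51.100.5",  "FAIL"),
    ("2026-04-24T09:00:09", "frank", "192.0.2.140",   "FAIL"),
    ("2026-04-24T09:00:11", "alice", "198.51.100.88", "FAIL"),
    ("2026-04-24T09:00:12", "grace", "192.0.2.77",    "FAIL"),
    ("2026-04-24T09:00:15", "bob",   "198.51.100.88", "FAIL"),  # one IP reused once
    ("2026-04-24T09:01:30", "alice", "10.1.4.22",     "OK"),
    ("2026-04-24T09:02:10", "heidi", "10.1.4.23",     "FAIL"),  # ordinary typo
    ("2026-04-24T09:02:12", "heidi", "10.1.4.23",     "OK"),
]

def per_ip_lockouts(events, threshold=5):
    """Conventional control: lock a source IP after `threshold` failures.
    Never fires here because no IP makes more than two attempts."""
    fails = Counter(ip for _, _, ip, r in events if r == "FAIL")
    return sorted(ip for ip, n in fails.items() if n >= threshold)

def spray_windows(events, window_s=60, min_users=5, min_ips=5, max_per_user=2):
    """IP-agnostic control: flag each window in which failures touch at least
    min_users accounts from at least min_ips sources while no single account
    fails more than max_per_user times (breadth, not depth, is the signature).
    Returns (window_start_iso, distinct_users, distinct_ips) per flagged window."""
    fails = [(datetime.fromisoformat(ts), u, ip) for ts, u, ip, r in events if r == "FAIL"]
    if not fails:
        return []
    base = min(t for t, _, _ in fails)
    buckets = defaultdict(list)
    for t, u, ip in fails:
        buckets[int((t - base).total_seconds()) // window_s].append((u, ip))
    flagged = []
    for b in sorted(buckets):
        users = Counter(u for u, _ in buckets[b])
        ips = {ip for _, ip in buckets[b]}
        if len(users) >= min_users and len(ips) >= min_ips and max(users.values()) <= max_per_user:
            start = (base + timedelta(seconds=b * window_s)).isoformat()
            flagged.append((start, len(users), len(ips)))
    return flagged
```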
Google's Threat Intelligence Group observed more than 550 distinct threat groups using IPIDEA exit nodes in a single seven-day period in January 2026, including actors linked to China, North Korea, Iran, and Russia, conducting operations ranging from password spraying to access of SaaS environments and on-premises infrastructure (Google, 2026).
The use cases extend beyond conventional cybercrime. In the days following the announcement of the 2025 Danish elections, Webscout observed a significant uptick in covert network traffic targeting Danish political parties (Webscout, 2025). For actors conducting influence operations or seeking to destabilise trust in democratic institutions, these networks provide the anonymity, scale, and residential IP attribution they need to operate undetected.
The financial impact is equally significant. BADBOX 2.0 deployed multiple ad fraud modules across its infected base, including hidden ad rendering and automated click fraud (HUMAN/Satori, 2025). Synthient found that six of the top ten destinations for IPIDEA proxy traffic were linked to ad fraud or credential stuffing (Krebs, 2025). Because the fraudulent traffic originates from real residential IPs and real devices, it is exceptionally difficult for ad verification systems to distinguish from legitimate activity. This represents a direct, ongoing financial drain on every organisation that buys digital advertising.
Synthient, HUMAN Security/Satori, Trend Micro, Google's GTIG, and Lumen's Black Lotus Labs have collectively produced a substantially better picture of these networks than existed eighteen months ago. Google's coordinated action against IPIDEA represents real disruption. But the questions that matter for durable responses remain open, because answering them requires simultaneous visibility that no single organisation has.
Which SDKs are currently brokering residential proxy access, and what additional permissions do they exercise while installed? Which device models are being supply-chained at scale right now, and through which channels? What is the current state of the IPIDEA network? What is the actual relationship between nominally legitimate proxy providers and criminal operators? How are these networks being used by nation-state actors versus criminal groups, and does the same infrastructure serve both?
Answering these questions requires telemetry from ISPs and network operators, C2 tracking from honeypot operators, device forensics from incident responders, legal analysis across multiple jurisdictions, and coordinated intelligence across the public and private sectors. No single research team has that.
No single organisation sees the full picture. Countering these networks requires combining perspectives across research, operations, and infrastructure.
Webscout is inviting researchers, analysts, threat intelligence professionals, and incident responders who are already tracking residential proxy infrastructure, covert networks, or related botnet activity to join a vetted trust group focused on exactly this problem. The aim is mutual data sharing and intelligence exchange under TLP controls. Participation is vetted individually, and active contribution is expected.
Get in touch at intel@webscout.io from an organisational email (no protonmail/throwaway email etc.). Include how you can contribute and who can vouch for you.
Sensors intended to observe residential proxy behaviour need to reside in genuine residential or business network address space. Datacenter-hosted infrastructure is routinely excluded from proxy pools, either by design or because abuse complaints generate rapid termination before meaningful observation is possible. To see how these networks actually behave, sensors need to sit where the proxy endpoints live.
We are looking for ISP, business internet, and network operators willing to host a small number of research nodes in their environment. We cover all infrastructure costs, and findings are shared with participating operators under agreed TLP terms. Get in touch at intel@webscout.io, subject line ISP.
Substantial work has been done to expose and disrupt these networks over the past two years, but there is good reason to believe we are still seeing only a fraction of the full picture. Growing demand for data and the rise of AI-powered automation will continue to fuel the proliferation of residential proxy infrastructure and the criminal actors who rely on it.
The supply chains that build these networks are still intact. The networks are still growing. The threat groups using them are still operating. We are trying to build a small piece of the collaboration needed to track what comes next, and we are looking for the people who want to be part of that.
Recognition is due to those who have trailblazed this research: Brian Krebs, Benjamin Brundage, Fyodor Yarochkin, and the many other researchers and journalists whose work has made these networks visible to the broader community, and continues to do so.
Jonathan Andersen is CEO and Co-Founder of Webscout.io, a Danish network intelligence company. Webscout operates a global sensor network tracking covert infrastructure, and offers a network threat intelligence platform, IP enrichment datasets, and proprietary network visibility solutions for CSIRTs, law enforcement, and critical infrastructure operators across Europe. More at webscout.io.