Google's Threat Intelligence Group (GTIG) has dismantled much of the infrastructure of one of the world's largest residential proxy networks, IPIDEA.
GTIG said IPIDEA is a sprawling infrastructure that funnelled millions of consumer devices into a service used by espionage operations and cybercriminals.
The IPIDEA network routed malicious traffic through unwitting users' home internet connections to mask attacks from state-sponsored hackers and criminal groups.
Working with Cloudflare, Spur, and Lumen's Black Lotus Labs to coordinate the disruption, GTIG took legal action this week to take down domains managing the network's infrastructure, reducing the available shared device pool by millions.
The proxy network had become a favourite tool for sophisticated threat actors, GTIG said.
In a single seven-day period in January 2026, Google observed over 550 distinct threat groups using IPIDEA infrastructure to hide their activities, including state-sponsored operations from China, North Korea, Iran, and Russia.
These actors used the network to access victims' software-as-a-service (SaaS) environments and on-premises infrastructure, and to conduct password spray attacks.
GTIG did not reveal who is behind IPIDEA, but the digital certificates the security researchers collected for their analysis carry Hong Kong business entity names.
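The article notes that IPIDEA let attackers run password sprays from millions of home IP addresses. The following added example, which is not from the article or from GTIG, illustrates with constructed log lines why a per-source failure threshold goes quiet when each attempt exits from a different residential address, and shows a source-agnostic check (distinct accounts failing within a short window) that still fires. The log format, account names and IP addresses are all assumptions made for the example.

```python
"""Added example (not from the article): why residential proxies blunt
IP-centric detection of password spraying, and a source-agnostic check
that still fires. All log lines below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one failed login per target account, each arriving
# from a different (hypothetical) residential exit IP within seconds,
# followed by a legitimate user mistyping once and then succeeding.
SAMPLE_LOG = """\
2026-01-14T09:00:01Z FAIL user=alice src=203.0.113.10
2026-01-14T09:00:03Z FAIL user=bob src=198.51.100.7
2026-01-14T09:00:05Z FAIL user=carol src=192.0.2.44
2026-01-14T09:00:07Z FAIL user=dave src=203.0.113.88
2026-01-14T09:00:09Z FAIL user=erin src=198.51.100.120
2026-01-14T09:00:11Z FAIL user=frank src=192.0.2.9
2026-01-14T09:00:13Z FAIL user=grace src=203.0.113.201
2026-01-14T09:00:15Z FAIL user=heidi src=198.51.100.33
2026-01-14T09:05:00Z FAIL user=ivan src=192.0.2.77
2026-01-14T09:05:02Z OK   user=ivan src=192.0.2.77
"""


def parse(log):
    """Turn the constructed log into (timestamp, result, user, source) tuples."""
    events = []
    for line in log.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       result, user.split("=", 1)[1], src.split("=", 1)[1]))
    return events


def per_source_failures(events, threshold=5):
    """Classic check: flag any source IP with >= threshold failed logins.
    When every attempt leaves through a different proxy exit node, no
    single IP ever reaches the threshold, so this returns nothing."""
    counts = defaultdict(int)
    for _, result, _, src in events:
        if result == "FAIL":
            counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


def spray_windows(events, window=timedelta(minutes=2), min_users=5):
    """Source-agnostic check: within a sliding window, count distinct
    accounts that had a failed login regardless of source IP. A spray
    touches many accounts once each, so the count jumps even when every
    attempt comes from a different residential address. One alert is
    emitted per window so a single spray does not produce eight alerts."""
    fails = sorted((ts, user) for ts, result, user, _ in events if result == "FAIL")
    alerts = []
    i = 0
    while i < len(fails):
        start = fails[i][0]
        in_window = [(ts, u) for ts, u in fails[i:] if ts - start <= window]
        users = {u for _, u in in_window}
        if len(users) >= min_users:
            alerts.append((start, len(users)))
            i += len(in_window)  # skip past this window: one alert per spray
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("per-source alerts:", per_source_failures(ev))   # empty list
    print("spray windows:", spray_windows(ev))             # one window, 8 accounts
```

The per-source check is the one a residential proxy defeats: eight accounts are attacked, but no IP is seen more than once. Counting distinct failing accounts per window ignores the source entirely, which is the property a defender wants when the adversary can draw on millions of home connections.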
The IPIDEA operators controlled at least 13 ostensibly independent proxy and virtual private network (VPN) brands, including IPIDEA, 360 Proxy, ABC Proxy, Luna Proxy, and PIA S5 Proxy.
By embedding software development kits (SDKs) into legitimate-looking applications, the operators were able to grow the network, turning users' devices into exit nodes that routed traffic through their internet connections.
Google identified over 600 Android applications and 3075 Windows programs containing IPIDEA code.
GTIG said the operators market the SDKs to developers as a way to monetise applications and "offer Android, Windows, iOS and [LG] webOS compatibility", but the security researchers did not say whether Apple operating systems were affected as well.
Many applications masqueraded as utilities, games, or VPN services whilst secretly enrolling devices into the proxy network.
The operators marketed these SDKs to developers as monetisation tools, typically paying on a per-download basis.
Some users knowingly installed software promising to monetise unused bandwidth, but most had no idea their devices had been compromised.
IPIDEA used a two-tier system to control infected devices: tier one servers were the initial contact and configuration point for compromised devices starting up, while approximately 7400 tier two command-and-control (C2) servers around the world managed the traffic routing at the time of disruption.
GTIG said that for Android users on certified devices, Google Play Protect now automatically removes applications containing IPIDEA SDKs and blocks future installations.
Furthermore, users should ensure the Play Protect anti-malware service remains enabled in their device settings.
Windows users, meanwhile, need to scan their systems for trojanised applications, particularly those masquerading as OneDriveSync or Windows Update.
Google recommends purchasing connected devices only from reputable manufacturers and checking official partner lists for Android TV devices.
The company urges extreme caution around any application offering payment for "unused bandwidth" or "sharing your internet", as such monetisation schemes are often abused to build illicit proxy networks.
Despite the recent disruption, Google acknowledges the residential proxy industry "appears to be rapidly expanding".
GTIG said the residential proxy market has become a grey market that thrives on deception, hijacking consumer bandwidth to provide cover for global espionage and cybercrime.