Hackers Use Residential Proxies to Hide Malicious Activity
Tracking and apprehending hackers is becoming more complex, largely due to the proliferation of residential proxy networks. These services allow attackers to route malicious traffic through typical home internet connections, effectively disguising their activity as originating from a legitimate household device rather than a criminal server.
Security teams are struggling to keep up as this technique grows more widespread. A residential proxy works by sending traffic through real consumer devices like home routers, mobile phones, and IoT gadgets.
Unlike a commercial VPN, whose exit addresses belong to a hosting provider's ranges and are easily recognised as VPN egress by the destination, a residential proxy makes traffic appear to come from a genuine home user on a consumer ISP. That is exactly what makes it so dangerous and difficult to detect.
Researchers at Infoblox examined residential proxies across their cloud customer networks and found the results alarming.
According to an Infoblox report shared with Cyber Security News (CSN), over 65% of their cloud customers were making connections to residential proxy services.
The team observed DNS traffic to proxy-related domains growing from around 300 billion queries per month in early 2025 to over 500 billion per month by April 2026.
The scale of the problem surprised even seasoned analysts. Residential proxy traffic appeared in every industry vertical examined, with at least 40% of customers in each sector affected.
Pharmaceutical, food and beverage, electronics, industrial, and healthcare companies all showed strong proxy usage, raising serious questions about how deeply embedded these services have become inside enterprise environments.

What makes the situation more complicated is that not all residential proxy use is intentional.
Devices are frequently enrolled into proxy networks without the owner’s knowledge, often through free streaming apps, browser extensions, or software kits bundled inside popular applications. The line between voluntary use and silent exploitation is blurry, creating real security blind spots for defenders.
Hackers Abuse Residential Proxy Networks
Threat actors value residential proxies because they give malicious traffic a clean disguise. IP reputation systems are largely built to flag datacenter IPs and known threat sources, but a home IP from a legitimate ISP often passes those checks without friction.
This allows attackers to conduct credential stuffing, account takeovers, ad fraud, and reconnaissance while hiding behind a real household device.
One notable case involves a service called Gress, which converts unused bandwidth into rewards and pays users in cryptocurrency tokens.
Gress was reportedly found pre-installed on Android TV streaming devices, enrolling users into the proxy network without their awareness.
Another service, Honeygain, pays users to share their residential IP as a proxy exit point and also runs a product called CrBuzz that donates a portion of revenue to charity.
Infoblox also observed a striking spike tied to a specific orchestration domain used by proxy networks. On a single day in January 2025, the number of customer networks querying that domain jumped by over 250, an anomaly that experts in the proxy space could not readily explain.
That spike coincided closely with action taken against IPIDEA, a major proxy service, suggesting displaced traffic quickly redistributed across other providers.
Why Detection Is Difficult and What Organizations Can Do
Detecting residential proxy traffic is hard because it is designed to blend in. Traffic arrives from real home IP addresses tied to legitimate ISPs, so traditional blocklists and geolocation filters offer limited protection.
Content filtering policies are also applied unevenly, since malicious domains may be handled differently depending on each organization’s security setup.
Infoblox recommends that defenders use Protective DNS to block queries to known proxy orchestration domains, which function similarly to command-and-control infrastructure in traditional malware campaigns.
Teams should also audit DNS query logs for traffic to known proxy domains and review browser extensions and consumer apps on corporate devices for embedded proxy SDKs.
Checking IP addresses against external resources that track residential proxy usage can help surface exposure that would otherwise go unnoticed.
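The audit steps above (refang indicators from a defanged feed, search DNS query logs for the proxy orchestration domains and their subdomains, and watch for a sudden jump in the number of networks querying one of them) can be scripted. The following is an added example written for this article, not Infoblox tooling; the log line format, the network identifiers, and the second indicator domain are constructed for illustration, and only `ipidea[.]net` comes from the indicator table on this page. The RPZ helper uses the standard `CNAME .` convention that Protective DNS / RPZ resolvers interpret as NXDOMAIN.

```python
"""Audit DNS query logs for residential-proxy orchestration domains.

Added illustrative example; not Infoblox code. The log format
"<date> <network_id> <client_ip> <qname> <qtype>" and the sample
records below are constructed for this example.
"""
from collections import defaultdict
from typing import Optional

# Defanged indicators as they would arrive from a threat-intel feed.
# ipidea[.]net is from the article's indicator table; the second entry
# is a constructed placeholder to show the list can hold more than one.
DEFANGED_INDICATORS = [
    "ipidea[.]net",                         # IPIDEA orchestration domain
    "example-proxy-orchestrator[.]test",    # constructed placeholder
]

# Constructed sample log: net-005 and net-006 are deliberate near-misses
# (indicator string embedded in a different domain) and must not match.
SAMPLE_LOG = """\
2025-01-14 net-001 10.1.2.3 api.ipidea.net A
2025-01-14 net-002 10.2.2.3 www.example.com A
2025-01-15 net-001 10.1.2.9 api.ipidea.net A
2025-01-15 net-003 10.3.0.7 cdn.ipidea.net AAAA
2025-01-15 net-004 10.4.0.1 ipidea.net A
2025-01-15 net-005 10.5.0.1 ipidea.net.evil.example A
2025-01-15 net-006 10.6.0.2 notipidea.net A
""".splitlines()


def refang(domain: str) -> str:
    """Turn 'ipidea[.]net' into 'ipidea.net' in memory only, for matching."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip(".").lower()


def matches_indicator(qname: str, indicators) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of.

    Label-aware: 'notipidea.net' and 'ipidea.net.evil.example' do not match.
    """
    q = qname.lower().rstrip(".")
    for ind in indicators:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    day, network, client, qname, qtype = parts
    return {"day": day, "network": network, "client": client,
            "qname": qname, "qtype": qtype}


def audit(log_lines, defanged=DEFANGED_INDICATORS):
    """Return (hits, networks_per_day).

    hits: list of (day, network, client, qname, indicator)
    networks_per_day: indicator -> day -> set of networks that queried it
    """
    indicators = [refang(d) for d in defanged]
    hits = []
    networks_per_day = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ind = matches_indicator(rec["qname"], indicators)
        if ind is not None:
            hits.append((rec["day"], rec["network"], rec["client"],
                         rec["qname"], ind))
            networks_per_day[ind][rec["day"]].add(rec["network"])
    return hits, networks_per_day


def spike_days(networks_per_day, indicator: str, threshold: int):
    """Days where the count of distinct querying networks rises by more
    than `threshold` over the previous observed day (the kind of jump
    the article describes for one orchestration domain)."""
    days = sorted(networks_per_day.get(indicator, {}))
    out, prev = [], 0
    for d in days:
        count = len(networks_per_day[indicator][d])
        if count - prev > threshold:
            out.append((d, count))
        prev = count
    return out


def rpz_records(defanged=DEFANGED_INDICATORS):
    """Emit RPZ records blocking each indicator and its subdomains.
    'CNAME .' is the RPZ action for NXDOMAIN."""
    lines = []
    for d in defanged:
        ind = refang(d)
        lines.append(f"{ind} CNAME .")
        lines.append(f"*.{ind} CNAME .")
    return lines


if __name__ == "__main__":
    hits, per_day = audit(SAMPLE_LOG)
    for h in hits:
        print("HIT", *h)
    print("spikes:", spike_days(per_day, "ipidea.net", threshold=1))
    print("\n".join(rpz_records()))
```

Against the constructed log this reports four hits for `ipidea.net` (the exact domain plus `api.` and `cdn.` subdomains) and flags 2025-01-15, when the number of distinct networks querying the domain rose from one to three. Against real logs, replace `SAMPLE_LOG` with the resolver's query log, feed the generated RPZ records to the Protective DNS zone, and tune `threshold` to the normal day-over-day variation in your environment.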
Residential proxies are no longer a niche tool reserved for a small group of sophisticated actors. They are now embedded in everyday applications used by millions of people, and organizations that overlook this risk face a significant gap in their defenses.
| Type | Indicator | Description |
|---|---|---|
| Domain | ipidea[.]net | Orchestration domain associated with IPIDEA residential proxy service, flagged by Infoblox |
| Domain | ipinfo[.]io | Domain queried by customer networks in relation to proxy reconnaissance activity |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.