SIM Farm-as-a-Service Network Exposes 87 Control Panels Globally
Key Takeaways An extensive “SIM Farm-as-a-Service” network, powered by the ProxySmart platform, has been uncovered operating globally. The investigation revealed 87 exposed ProxySmart...
Key Takeaways
- An extensive “SIM Farm-as-a-Service” network, powered by the ProxySmart platform, has been uncovered operating globally.
- The investigation revealed 87 exposed ProxySmart control panels across 17 countries, managing at least 94 physical phone-farm locations.
- This infrastructure facilitates large-scale fraud, bot activity, and identity evasion by enabling rapid IP rotation and OS fingerprint spoofing.
- Law enforcement has previously taken action against similar SIM farm operations, highlighting the significant threat these networks pose.
A comprehensive global investigation has exposed a vast, industrial-scale mobile proxy ecosystem built upon a shared control platform known as ProxySmart. This illicit network features 87 publicly exposed control panels spanning 17 countries and at least 94 distinct physical phone-farm locations. Operating on a commercial scale, this infrastructure is designed to facilitate widespread fraud, automated bot activity, and identity obfuscation.
Table Of Content
The discovery originated in February 2026 when infrastructure intelligence firm Infrawatch initiated an investigation into offerings described as “SIM Farm as a Service.” This research successfully identified the tangible backbone supporting these services: physical racks populated with real smartphones and 4G/5G modems, hardwired into various carrier networks.
Infrawatch’s findings pinpointed a single software platform, ProxySmart, developed in Belarus, as the common control plane orchestrating the majority of the identified SIM farms. The firm located 87 exposed instances of the ProxySmart control panel accessible via the public internet, which are linked to at least 24 commercial proxy providers and 35 cellular carriers worldwide.
The geographical footprint of these operations encompasses at least 94 physical farm locations across North America, Europe, and South America. The United States exhibits a significant concentration, with deployments identified in 19 states, ranging from California and Texas to Maine and Delaware.
SIM Farm-as-a-Service Network Capabilities
ProxySmart is marketed as a complete, end-to-end solution for establishing and monetizing physical SIM farm infrastructure. The platform, sold on a per-SIM pricing model, manages crucial operational aspects including device control, automated IP address rotation, customer account provisioning, enforcement of service plans, and anti-bot countermeasures, effectively delivering a fully productized SIM Farm-as-a-Service.
The platform supports both physical smartphones and USB 4G/5G modems. For phone-based farms, devices are enrolled using an unsigned Android APK. A critical feature of ProxySmart is its ability to spoof OS fingerprints, allowing farm operators to imitate TCP/IP stack signatures of macOS, iOS, Windows, or Android. This capability significantly undermines fingerprint-based detection mechanisms employed by anti-fraud systems.
ProxySmart also integrates support for various tunneling protocols, including OpenVPN, SOCKS5, VLESS, and standard HTTP proxies. Notably, VLESS is frequently utilized for censorship circumvention in regions such as Russia, China, and Iran.
Mobile proxies hold particular appeal for threat actors due to their operation behind carrier-grade NAT (CGNAT). This architecture means that a single public IP address can be legitimately shared by numerous users, rendering traditional IP-based blocking largely ineffective. This, combined with the ability to rapidly rotate IP addresses—often by simply toggling airplane mode for three seconds to force a carrier reassignment—allows these farms to cycle through addresses at will, complicating both detection and enforcement efforts.
The carrier access advertised through ProxySmart-backed farms includes major global networks such as AT&T, Verizon, T-Mobile, Vodafone, EE, O2, Deutsche Telekom, Telstra, Rogers, and over 30 other providers across the U.S., Europe, Australia, and Latin America.
Illicit Activities Enabled by SIM Farms
SIM farms facilitate a wide array of illicit activities on an industrial scale, including:
- Bypassing SMS-based One-Time Passwords (OTPs) for account takeover and various forms of fraud.
- Creating fake accounts and engaging in social media manipulation campaigns.
- Performing botting and automated engagement on major online platforms.
- Circumventing geo-restrictions, including bypassing Russian state censorship.
- Executing payment fraud by intercepting financial verification codes.
Several providers leveraging ProxySmart infrastructure were observed directly targeting Russian-speaking audiences, offering access to U.S.-located mobile connectivity and geo-restricted platforms, such as advanced AI models. Meaningful Know Your Customer (KYC) verification was largely absent among the reviewed providers, with some explicitly advertising zero KYC requirements, thereby making global carrier access readily available to anyone with a payment method.
The Infrawatch findings align with a series of significant law enforcement operations targeting SIM farm infrastructure. In September 2025, the U.S. Secret Service dismantled a major telecommunications threat in New York. This operation involved over 300 co-located SIM servers and 100,000 SIM cards, a scale so immense that officials cautioned it could have disrupted the entire cellular network in New York City.
Subsequently, in October 2025, a Europol-supported operation in Latvia targeted a cybercrime-as-a-service network that relied on SIM-box infrastructure. This resulted in seven arrests and the seizure of 1,200 SIM-box devices and 40,000 active SIM cards.
The 17 countries identified in Infrawatch’s investigation include the United States, Canada, the United Kingdom, Germany, Spain, Portugal, Ukraine, Latvia, France, Romania, Brazil, Ireland, the Netherlands, Australia, Italy, Poland, and Georgia. The U.S. exhibits the highest concentration of these deployments, primarily located in major metropolitan areas with robust 4G/5G coverage. In one instance within the U.S., an operator inadvertently exposed EXIF metadata in published farm images, enabling Infrawatch to precisely geolocate the operation to New York.
Infrawatch concludes that this ecosystem significantly lowers the technical and operational barriers to establishing mobile proxy infrastructure, with ProxySmart imposing minimal gatekeeping on who can operate the platform. The combined capabilities of carrier-grade NAT, rapid IP rotation, multi-carrier availability, and OS fingerprint spoofing collectively diminish the effectiveness of IP-centric detection controls, presenting a persistent and scalable challenge for platform integrity, fraud prevention, and telecommunications security teams worldwide.
What You Should Do
- Telecommunications providers should enhance monitoring for unusual traffic patterns and rapid IP rotation originating from their networks.
- Organizations reliant on IP-based fraud detection should implement more sophisticated behavioral analytics and device fingerprinting techniques that go beyond IP addresses.
- Security teams should educate users about the risks of SIM-swap fraud and encourage the use of strong multi-factor authentication (MFA) methods that are not reliant on SMS.
- Law enforcement agencies should continue cross-border collaboration to dismantle these global SIM farm operations and prosecute their operators.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.