Google and several industry partners have taken coordinated action to disrupt what is believed to be one of the largest residential proxy networks globally, known as IPIDEA.
The network operates largely out of public view but has become a key enabler for cybercrime, espionage and information operations.
Residential proxy services allow customers to route traffic through IP addresses assigned to households and small businesses. This approach helps malicious actors hide their activity within normal consumer traffic, creating serious challenges for network defenders.
Legal Action and Platform Safeguards
The disruption was led by Google Threat Intelligence Group (GTIG) and combined legal measures with technical enforcement.
In a new analysis published on Wednesday, Google said it pursued court action to take down domains used to command infected devices and manage proxy traffic. At the same time, it shared intelligence on IPIDEA software development kits with platform providers, law enforcement and security researchers to support coordinated action.
On the Android platform, Google expanded existing protections. Google Play Protect now alerts users, removes applications known to include IPIDEA SDKs and blocks future installation attempts on certified devices.
Google said these efforts significantly degraded IPIDEA operations, reducing the pool of available proxy devices by millions. Because proxy providers often rely on shared infrastructure through reseller agreements, the impact is expected to extend to affiliated services.
Global Abuse and Consumer Risk
IPIDEA has been repeatedly linked to large-scale malicious activity. Its SDKs were used to enroll devices into several botnets, including BadBox 2.0, Aisuru and Kimwolf, while its proxy services were leveraged to control those botnets and obscure follow-on attacks.
During a single seven-day period this month, Google observed more than 550 tracked threat groups using IP addresses associated with IPIDEA exit nodes. These groups included actors linked to China, DPRK, Iran and Russia, and their activity ranged from accessing victim software-as-a-service (SaaS) environments to conducting password spray attacks.
Google’s analysis also found that numerous proxy and VPN brands, marketed as separate businesses, were controlled by the same actors behind IPIDEA. Several SDKs promoted as app monetization tools quietly turned user devices into proxy exit nodes once embedded.
Beyond enabling cyber operations, residential proxies pose direct risks to consumers. Devices can be flagged for abuse, expose home networks to external traffic and introduce new security vulnerabilities.
Google urged greater transparency around claims of ethical sourcing, stronger scrutiny of monetization SDKs by developers and continued industry cooperation to limit the growth of what it described as a rapidly expanding grey market.
