Google has taken legal action to dismantle IPIDEA, a massive residential proxy network that hijacked millions of consumer devices to facilitate cybercrime, espionage, and malware distribution.
Google has dismantled IPIDEA, one of the world's largest residential proxy networks, in a coordinated effort to disrupt infrastructure used by cybercriminals and state-sponsored actors to hide their activities behind millions of hijacked consumer devices.

The takedown, announced Wednesday, involved legal action to seize dozens of domains that controlled devices and routed malicious traffic through them. IPIDEA's main website (www.ipidea.io) is no longer accessible.
A Global Marketplace for Cybercrime
IPIDEA marketed itself as the "world's leading provider of IP proxy" with over 6.1 million daily updated IP addresses and 69,000 new addresses added daily. The service had become a pervasive tool for everything from high-end espionage to massive criminal schemes.
"By routing traffic through a person's home internet connection, attackers can hide in plain sight while infiltrating corporate environments," said John Hultquist, Google Threat Intelligence Group's chief analyst. "By taking down the infrastructure used to run the IPIDEA network, we have effectively pulled the rug out from under a global marketplace that was selling access to millions of hijacked consumer devices."
Widespread Abuse by Threat Actors
Google's analysis revealed that IPIDEA's proxy infrastructure was leveraged by more than 550 individual threat groups in January 2026 alone. These groups, originating from China, North Korea, Iran, Russia, and other nations, engaged in activities ranging from accessing victim SaaS environments and on-premises infrastructure to password spray attacks.
The threat actors behind the AISURU/Kimwolf botnet were found abusing IPIDEA and similar residential proxy services to relay malicious commands to susceptible Internet of Things (IoT) devices behind firewalls within local networks, propagating malware.
The Malware Distribution Mechanism
The malware that transforms consumer devices into proxy endpoints is stealthily bundled within apps and games pre-installed on off-brand Android TV streaming boxes. This forces infected devices to relay malicious traffic and participate in distributed denial-of-service (DDoS) attacks.
IPIDEA also released standalone applications marketed directly to consumers, promising "easy cash" for installing the app and allowing it to use their "unused bandwidth." While residential proxy networks offer legitimate bandwidth monetization, they also provide perfect cover for bad actors to mask the origin of malicious activity.
A Network of Brands and SDKs
IPIDEA is not a single entity but a collection of residential proxy brands under common control:
- Ipidea (ipidea[.]io)
- 360 Proxy (360proxy[.]com)
- 922 Proxy (922proxy[.]com)
- ABC Proxy (abcproxy[.]com)
- Cherry Proxy (cherryproxy[.]com)
- Door VPN (doorvpn[.]com)
- Galleon VPN (galleonvpn[.]com)
- IP 2 World (ip2world[.]com)
- Luna Proxy (lunaproxy[.]com)
- PIA S5 Proxy (piaproxy[.]com)
- PY Proxy (pyproxy[.]com)
- Radish VPN (radishvpn[.]com)
- Tab Proxy (tabproxy[.]com)
The same actors control several Software Development Kits (SDKs) for residential proxies, marketed to third-party developers as monetization tools for Android, Windows, iOS, and WebOS applications:
- Castar SDK (castarsdk[.]com)
- Earn SDK (earnsdk[.]io)
- Hex SDK (hexsdk[.]com)
- Packet SDK (packetsdk[.]com)
These SDKs follow a two-tier command-and-control system where infected devices contact Tier One servers to retrieve Tier Two nodes, then periodically poll for payloads to proxy through the device. Google identified approximately 7,400 Tier Two servers.
VPN Services as Proxy Entry Points
The IPIDEA actors also control VPN services engineered to join the proxy network as exit nodes:
- Galleon VPN (galleonvpn[.]com)
- Radish VPN (radishvpn[.]com)
- Aman VPN (defunct)
These services incorporate either the Hex or Packet SDK to enable proxy functionality.
Windows and Android Infections
Google identified 3,075 unique Windows binaries that sent requests to Tier One domains, some masquerading as OneDriveSync and Windows Update. These trojanized applications were not distributed directly by IPIDEA actors.
Additionally, approximately 600 Android applications from various download sources were flagged for containing code connecting to Tier One C2 domains through monetization SDKs.
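The brand and SDK domains listed above, together with the note that infected Windows binaries and Android apps reach out to Tier One domains, give a defender something concrete to check for. The script below is an added example, not Google's tooling or anything published by the IPIDEA operators: it refangs the article's defanged domains, scans DNS query logs in a constructed log format (the timestamp/client/query layout is an assumption, as are all the sample lines) and reports which internal client queried which indicator. Matching is done label by label, so a lookalike such as notipidea.io does not trigger on ipidea.io the way a naive suffix check would. The article does not publish the Tier One C2 domains themselves, so this list only covers the brand and SDK sites; a hit means a device talked to IPIDEA-controlled infrastructure and deserves triage, not that it is proven compromised.

```python
"""Flag DNS queries to IPIDEA-linked domains (added example; constructed log format)."""
import re
from typing import Dict, List, Optional

# Domains as defanged in the article's brand and SDK lists.
DEFANGED_INDICATORS = [
    "ipidea[.]io", "360proxy[.]com", "922proxy[.]com", "abcproxy[.]com",
    "cherryproxy[.]com", "doorvpn[.]com", "galleonvpn[.]com", "ip2world[.]com",
    "lunaproxy[.]com", "piaproxy[.]com", "pyproxy[.]com", "radishvpn[.]com",
    "tabproxy[.]com",
    "castarsdk[.]com", "earnsdk[.]io", "hexsdk[.]com", "packetsdk[.]com",
]


def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 'ipidea[.]io' into a real domain."""
    return indicator.replace("[.]", ".").replace("(.)", ".").strip().lower().strip(".")


INDICATORS = {refang(d) for d in DEFANGED_INDICATORS}


def matches_indicator(hostname: str) -> Optional[str]:
    """Return the indicator that hostname equals or is a subdomain of, else None.

    Walks the labels from the left so 'api.packetsdk.com' matches 'packetsdk.com'
    while 'notipidea.io' does not match 'ipidea.io'.
    """
    labels = hostname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INDICATORS:
            return candidate
    return None


# Constructed log format (assumption): "<ts> client <src_ip> query <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<src>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$")


def scan_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse DNS log lines and return one record per query that hit an indicator."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; skip rather than crash
        indicator = matches_indicator(m.group("qname"))
        if indicator:
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "qname": m.group("qname"),
                "indicator": indicator,
            })
    return hits


def clients_by_indicator(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the source IPs that queried each indicator, for triage."""
    grouped: Dict[str, List[str]] = {}
    for h in hits:
        grouped.setdefault(h["indicator"], [])
        if h["src"] not in grouped[h["indicator"]]:
            grouped[h["indicator"]].append(h["src"])
    return grouped


# Constructed sample log lines (RFC 5737 test addresses; not real traffic).
SAMPLE_DNS_LOG = [
    "2026-01-15T10:02:11Z client 192.0.2.45 query api.packetsdk.com A",
    "2026-01-15T10:02:12Z client 192.0.2.46 query www.example.com A",
    "2026-01-15T10:02:13Z client 192.0.2.47 query notipidea.io A",
    "2026-01-15T10:02:14Z client 192.0.2.45 query 360PROXY.COM. A",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['qname']} (matches {hit['indicator']})")
    print(clients_by_indicator(scan_dns_log(SAMPLE_DNS_LOG)))
```

Run against real resolver or Zeek DNS logs by adapting LOG_RE to the actual line layout; the matching and grouping logic does not depend on the format. A host that appears under an SDK domain (castarsdk, earnsdk, hexsdk, packetsdk) is the stronger signal, since those are the monetization SDKs the article says get bundled into apps, whereas a query to a brand website may simply be a user browsing.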
Google's Response and Consumer Protection
In July 2025, Google filed a lawsuit against 25 unnamed individuals or entities in China for allegedly operating the BADBOX 2.0 botnet and its associated residential proxy infrastructure.
To counter the threat, Google has updated Google Play Protect to automatically warn users about apps containing IPIDEA code. For certified Android devices, the system will automatically remove these malicious applications and block future installation attempts.
A spokesperson for the Chinese company acknowledged "relatively aggressive market expansion strategies" and "promotional activities in inappropriate venues (e.g., hacker forums)," while stating the company "explicitly opposed any form of illegal or abusive conduct."
The Challenge of Enforcement
"While proxy providers may claim ignorance or close these security gaps when notified, enforcement and verification are challenging given intentionally murky ownership structures, reseller agreements, and diversity of applications," Google noted.
The takedown represents a significant blow to one of the most sophisticated residential proxy operations, disrupting a key infrastructure used by cybercriminals and state-sponsored actors to conduct operations while hiding behind millions of compromised consumer devices worldwide.
