Google’s Threat Intelligence Group (GTIG) has disrupted IPIDEA, one of the largest residential proxy networks in the world, using a federal court order to seize dozens of domains and sever millions of devices from the Chinese firm’s infrastructure. The network was used by over 550 threat groups including nation-state actors from China, Russia, Iran, and North Korea.
Scale of the network
| Metric | Value |
|---|---|
| Enrolled Android devices | 9 million+ |
| Lumen observed daily average | ~8.5 million proxies |
| True estimated population | 10-11 million |
| Trojanized Windows binaries | 3,000+ |
| Malicious Android apps | 600+ |
| Tier 2 proxy servers | ~7,400 |
| Proxy brands controlled | 13 |
| Threat groups observed (7 days) | 550+ |
Lumen’s Black Lotus Labs tracked a daily average of approximately 8.5 million proxies connecting to IPIDEA’s servers before the disruption. Researchers noted the true population was likely closer to 10-11 million, with visibility limitations affecting the count.
Threat actor usage
In a single seven-day observation period in January 2026, GTIG observed more than 550 individual threat groups routing traffic through IPIDEA exit nodes to mask their malicious activities.
Nation-state actors identified
| Country | Activity Type |
|---|---|
| China | Espionage, data theft |
| Russia | Cyber operations |
| Iran | Regional targeting |
| North Korea | Financial crime, espionage |
The residential proxy network provided these actors with legitimate-appearing IP addresses, making attribution and blocking significantly more difficult.
Network of brands
IPIDEA operated through a Chinese company controlling at least 13 ostensibly independent residential proxy and VPN brands:
| Brand Category | Examples |
|---|---|
| Proxy services | 922 Proxy, 360 Proxy, Luna Proxy |
| VPN services | Galleon VPN, Radish VPN |
| SDK providers | Packet SDK, Castar SDK, Hex SDK, Earn SDK |
Free VPN deception
The VPN services were particularly deceptive—the IPIDEA actors controlled domains offering free Virtual Private Network services. While the applications provided functional VPN capabilities, they also secretly joined user devices to the IPIDEA proxy network as exit nodes by incorporating Hex or Packet SDK.
| User expectation | Reality |
|---|---|
| Free VPN protection | Device enrolled as proxy exit node |
| Privacy enhancement | Traffic from others routed through device |
| Anonymous browsing | Participation in criminal infrastructure |
| No strings attached | Bandwidth monetized for attackers |
Users received a working VPN but unknowingly became part of criminal infrastructure.
Device enrollment methods
Android compromise
Over 600 trojanized Android apps embedded proxying SDKs that:
- Ran in the background without user awareness
- Routed third-party traffic through the device
- Reported device telemetry to C2 infrastructure
- Persisted across reboots
SDKs identified:
- Packet SDK
- Castar SDK
- Hex SDK
- Earn SDK
Windows compromise
More than 3,000 trojanized Windows binaries posed as legitimate system utilities:
- OneDriveSync impersonators
- Windows Update impersonators
- Other system tool disguises
These binaries enrolled Windows systems into the proxy network using techniques similar to those used by the Android apps.
Botnet overlap
GTIG discovered that IPIDEA not only provided anonymity services to criminals but also enrolled the same devices into multiple botnets:
| Botnet | Connection |
|---|---|
| BadBox 2.0 | IPIDEA SDKs played “key role” in device enrollment |
| Aisuru | Shared device pool |
| Kimwolf | Overlapping infected devices |
In July 2025, Google filed a lawsuit against BadBox 2.0 operators, noting the botnet comprised more than 10 million uncertified Android devices. The IPIDEA connection reveals how proxy networks and botnets share infrastructure and victims.
Botnet-proxy convergence
| Pattern | Implication |
|---|---|
| Same SDKs enroll for both | Single infection, multiple monetization |
| Shared device pool | Victims exploited repeatedly |
| Overlapping C2 infrastructure | Coordinated criminal ecosystem |
| Common distribution channels | Trojanized apps serve multiple purposes |
Technical infrastructure
Two-tier architecture
IPIDEA used a centralized command-and-control structure:
Tier 1 (Domain-based):
- Enrolled devices contacted domain-based servers
- Sent device diagnostics
- Received configuration instructions
Tier 2 (IP-based):
- ~7,400 servers managing proxy traffic
- Routed requests through enrolled devices
- Shared across all 13 brands
- Scaled dynamically based on demand
Despite using multiple brands and domains, researchers identified a shared pool of Tier 2 servers, confirming centralized management.
Demand-based scaling
| Characteristic | Details |
|---|---|
| Tier 2 node count | ~7,400 (fluctuates daily) |
| Scaling model | Demand-based |
| Geographic distribution | Global, including US |
| Brand independence | Illusory—shared infrastructure |
Disruption actions
Legal action
Google obtained a federal court order to:
- Seize C2 domains controlling proxy traffic
- Take down domains marketing proxy services and SDKs
- Disrupt domain resolution
Technical partnerships
| Partner | Contribution |
|---|---|
| Spur | Network mapping and intelligence |
| Lumen Black Lotus Labs | Infrastructure analysis |
| Cloudflare | Domain resolution disruption |
Android protections
Google implemented protections through Google Play Protect:
- Automatic warnings for apps containing IPIDEA code
- Automatic removal of malicious applications on certified devices
- Installation blocking for future attempts
Impact assessment
Initial data indicates the disruption cut IPIDEA’s proxy network by approximately 40%.
| Metric | Pre-disruption | Post-disruption |
|---|---|---|
| Active bots | ~8.5-11 million | ~5 million |
| Network capacity | Full | ~60% |
| C2 domains | Operational | Seized |
| Brand visibility | Hidden | Exposed |
Google noted that around 5 million distinct bots continue communicating with IPIDEA command and control servers—significant degradation but not elimination.
Cascading effects
| Effect | Description |
|---|---|
| Device pool reduction | Millions of devices severed from network |
| C2 disruption | Command infrastructure seized |
| Brand exposure | 13 proxy brands identified and mapped |
| Downstream impact | Reseller agreements affected |
Because proxy operators share device pools through reseller agreements, the disruption may have cascading effects across affiliated entities.
Limitations
| Challenge | Status |
|---|---|
| Arrests | None announced |
| Indictments | None announced |
| Infrastructure rebuild | Likely attempted |
| Operator identification | Not publicly disclosed |
| Remaining capacity | ~5 million bots |
The threat actor may attempt to rebuild infrastructure using new domains and SDKs.
Recommendations
For Android users
- Use certified Android devices — Play Protect is more effective on certified hardware
- Review installed apps — Remove unfamiliar VPN or utility apps
- Check app permissions — Proxy SDKs often request network permissions
- Enable Play Protect — Ensure automatic scanning is active
- Avoid sideloading — Third-party app stores are high-risk
- Be skeptical of free VPNs — Often monetize through proxying
For Windows users
- Verify update sources — Only use Windows Update or Microsoft Store
- Check running processes — Look for suspicious OneDriveSync or update processes
- Use endpoint protection — EDR can detect proxy SDK behavior
- Monitor network traffic — Unusual outbound connections indicate compromise
For organizations
| Control | Purpose |
|---|---|
| Network monitoring | Detect proxy traffic from internal devices |
| Application whitelisting | Prevent unauthorized software |
| Mobile device management | Control app installation on corporate devices |
| Threat intelligence feeds | Block known IPIDEA infrastructure |
| Egress filtering | Identify unusual outbound patterns |
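The network-monitoring and egress-filtering controls above, together with the "Monitor network traffic" advice for Windows users, can be turned into a concrete heuristic that mirrors the two-tier design described earlier: an enrolled device checks in with a Tier 1 server at a regular cadence and then relays other people's requests out to many unrelated destinations. The script below is an added example and is not tooling from Google, GTIG, Lumen, Spur or Cloudflare. The flow-record format, the private address ranges, the thresholds and the sample flows are all assumptions constructed for illustration, and the addresses come from documentation ranges rather than from any real IPIDEA infrastructure.

```python
"""
Egress-flow heuristic for spotting internal hosts that behave like residential
proxy exit nodes. Added illustration only; not GTIG, Lumen or Spur tooling.

Assumed (not taken from the write-up):
- one flow record per line: "ts,src_ip,dst_ip,dst_port,bytes_out,bytes_in",
  with ts in seconds since the epoch and bytes measured from src's point of view
- "proxy-like" means a host that (a) contacts one external server at a regular
  cadence (a Tier-1-style check-in) and/or (b) fans out to many unrelated
  external destinations while sending more bytes than it receives (relaying)
- the sample flows at the bottom are constructed; 203.0.113.0/24 and
  198.51.100.0/24 are documentation ranges, not real proxy infrastructure
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed corporate address space; adjust to the real environment.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flow(line: str) -> dict:
    ts, src, dst, dport, out, inb = line.strip().split(",")
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "out": int(out), "in": int(inb)}


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; 0.0 means perfectly periodic.
    Returns None when there are too few flows to judge."""
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else None


def analyse(lines, min_dests=8, max_cv=0.15, min_ratio=2.0) -> dict:
    """Return {internal_host: [reason, ...]} for hosts matching either signal.
    Thresholds are illustrative starting points, not tuned values."""
    per_host = defaultdict(lambda: {"dests": set(), "out": 0, "in": 0,
                                    "by_dst": defaultdict(list)})
    for line in lines:
        f = parse_flow(line)
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only internal -> external flows are of interest here
        h = per_host[f["src"]]
        h["dests"].add(f["dst"])
        h["out"] += f["out"]
        h["in"] += f["in"]
        h["by_dst"][f["dst"]].append(f["ts"])

    findings = {}
    for host, h in per_host.items():
        reasons = []
        # Signal 1: regular check-in with a single external server.
        for dst, tss in h["by_dst"].items():
            cv = beacon_score(tss)
            if cv is not None and cv <= max_cv:
                reasons.append(f"periodic check-in to {dst} ({len(tss)} flows)")
        # Signal 2: fan-out to many destinations with upload-heavy traffic,
        # the shape of a device relaying someone else's requests.
        ratio = h["out"] / h["in"] if h["in"] else float("inf")
        if len(h["dests"]) >= min_dests and ratio >= min_ratio:
            reasons.append(f"fan-out to {len(h['dests'])} external hosts, "
                           f"out/in byte ratio {ratio:.1f}")
        if reasons:
            findings[host] = reasons
    return findings


# Constructed sample: 10.0.0.5 looks like an exit node, 10.0.0.7 browses normally.
SAMPLE_FLOWS = [
    # 10.0.0.5 checks in with one external server every 300 s
    *[f"{1700000000 + 300 * i},10.0.0.5,203.0.113.10,443,512,256" for i in range(6)],
    # 10.0.0.5 then pushes traffic to ten unrelated destinations, upload-heavy
    *[f"{1700000000 + 37 * i},10.0.0.5,198.51.100.{i},443,40000,9000" for i in range(1, 11)],
    # 10.0.0.7: a few sites, download-heavy, no regular cadence
    "1700000010,10.0.0.7,198.51.100.50,443,3000,120000",
    "1700000300,10.0.0.7,198.51.100.51,443,2500,80000",
    "1700000900,10.0.0.7,198.51.100.52,443,1500,60000",
]

if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_FLOWS).items():
        print(host)
        for r in reasons:
            print("  -", r)
```

Flow exports from a firewall or NetFlow collector can be fed in one line at a time; both signals are deliberately independent, because a device that has only just enrolled may show the check-in cadence before it carries any relayed traffic. Thresholds such as `min_dests` and `max_cv` should be tuned against a baseline of known-good hosts before alerts are acted on.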
Context
Residential proxy networks occupy a gray area—they have legitimate uses (ad verification, price comparison, web scraping) but are frequently abused by threat actors seeking to hide their origins behind residential IP addresses.
IPIDEA’s scale (9 million devices, 550+ threat groups) demonstrates how these networks can become critical infrastructure for global cybercrime and state-sponsored operations. The overlap with botnets like BadBox 2.0 shows that victims may be exploited multiple times—their devices serving as both proxy exit nodes and botnet zombies.
Proxy network economics
| Factor | IPIDEA model |
|---|---|
| Device acquisition | Free VPNs, trojanized apps |
| Operating cost | Victims pay bandwidth/electricity |
| Revenue | Subscriptions from criminals |
| Risk | Minimal—operations in China |
| Sustainability | Renewable through new apps |
Google’s disruption is significant but likely temporary. The operators will attempt to rebuild, and the fundamental business model—monetizing unwitting users’ bandwidth—remains profitable. The 40% reduction in capacity demonstrates impact but also shows the challenge of fully dismantling distributed criminal infrastructure.
Continued vigilance and partnership between technology companies, researchers, and law enforcement is necessary to impose meaningful costs on these operations.