Google Disrupts World’s Largest Residential Proxy Botnet

Source: Google Threat Intelligence

Google Threat Intelligence Group (GTIG) and partners have taken action to disrupt what they believe is one of the largest residential proxy networks in the world: the IPIDEA proxy network. According to GTIG, this infrastructure was used by more than 550 threat groups from China, North Korea, Iran, and Russia in a single week.

What Is IPIDEA?

Residential proxy networks sell the ability to route traffic through IP addresses that internet service providers allocate to their residential customers. Because the traffic exits from millions of ordinary consumer devices worldwide, it carries the reputation of those legitimate addresses rather than the attacker's own. That defeats the controls defenders usually rely on: IP reputation lists, geofencing, and per-address rate limits all assume a source address says something about who is behind it, and with a residential proxy it does not.

Scale of the Operation

The IPIDEA network controlled multiple ostensibly independent proxy and VPN brands including:

  • 360 Proxy, 922 Proxy, ABC Proxy
  • Luna Proxy, PIA S5 Proxy, PY Proxy
  • Door VPN, Galleon VPN, Radish VPN
  • And several others

These operators marketed SDKs to developers as a way to "monetize" their applications; once embedded, the SDK silently enrolled the devices on which the app was installed into the proxy network as exit nodes.

Criminal Activity Enabled

GTIG observed the network being used for:

  • Access to victim SaaS environments
  • Password spray attacks
  • Espionage operations by nation-state actors
  • Criminal and information operations

The network was also linked to the BadBox 2.0, Aisuru, and Kimwolf botnets.

Disruption Actions

Google’s disruption included:

  • Legal action to take down command-and-control domains
  • Intelligence sharing with platform providers and law enforcement
  • Google Play Protect now automatically removes apps with IPIDEA SDKs

Why It Matters

This disruption significantly degraded IPIDEA's proxy network, reducing the number of available devices by millions. For defenders, the lesson is clear: residential proxy networks are overwhelmingly used for abuse, whatever their operators claim about privacy benefits. Since source IP reputation cannot be trusted when the source is a residential exit node, organizations should look for the traffic patterns such networks produce, for example many distinct residential addresses each making only a handful of authentication attempts against many different accounts in a short window, and build detection that keys on behaviour across addresses rather than on any single address.
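The password-spray use case listed above and the monitoring advice in this section share one detection problem: a per-IP failure threshold never fires when each residential exit node makes only one or two attempts. The following Python script, an added illustration that is not code from Google, GTIG, or the article, runs a classic per-IP rule and a distributed-spray rule side by side over a constructed authentication log. The log format, the thresholds, and the table of "residential" prefixes are all assumptions made for the example; the addresses come from the RFC 5737 documentation ranges.

```python
"""Spotting a password spray routed through a residential proxy network.

Added example, not code from the article or from Google. The log format,
thresholds and prefix table below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
import re

# Constructed sample authentication log in a hypothetical "key=value" format.
# 203.0.113.0/24 plays the part of a consumer ISP allocation (the proxy exit
# nodes), 198.51.100.0/24 an office network, 192.0.2.0/24 a hosting provider.
SAMPLE_LOG = """\
2024-05-01T10:00:05Z user=bob   src=198.51.100.5   result=OK
2024-05-01T10:00:12Z user=u01   src=203.0.113.11   result=FAIL
2024-05-01T10:00:40Z user=u02   src=203.0.113.23   result=FAIL
2024-05-01T10:01:03Z user=carol src=198.51.100.7   result=FAIL
2024-05-01T10:01:09Z user=carol src=198.51.100.7   result=OK
2024-05-01T10:01:31Z user=u03   src=203.0.113.57   result=FAIL
2024-05-01T10:02:15Z user=u04   src=203.0.113.8    result=FAIL
2024-05-01T10:02:58Z user=u05   src=203.0.113.199  result=FAIL
2024-05-01T10:03:44Z user=u06   src=203.0.113.130  result=FAIL
2024-05-01T10:04:20Z user=u07   src=203.0.113.66   result=FAIL
2024-05-01T10:05:02Z user=u08   src=203.0.113.91   result=FAIL
2024-05-01T10:05:47Z user=u09   src=203.0.113.14   result=FAIL
2024-05-01T10:06:30Z user=u10   src=203.0.113.172  result=FAIL
2024-05-01T10:21:00Z user=admin src=192.0.2.44     result=FAIL
2024-05-01T10:21:02Z user=admin src=192.0.2.44     result=FAIL
2024-05-01T10:21:04Z user=admin src=192.0.2.44     result=FAIL
2024-05-01T10:21:06Z user=admin src=192.0.2.44     result=FAIL
2024-05-01T10:21:08Z user=admin src=192.0.2.44     result=FAIL
2024-05-01T10:21:10Z user=admin src=192.0.2.44     result=FAIL
"""

# Assumed lookup table: prefixes an enrichment feed has tagged as residential.
# In production this would come from an ASN/IP-intelligence source, not a list.
RESIDENTIAL_PREFIXES = [ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\S+)$"
)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_log(text):
    """Return (timestamp, user, src_ip, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed shape
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)


def is_residential(src):
    addr = ip_address(src)
    return any(addr in net for net in RESIDENTIAL_PREFIXES)


def per_ip_alerts(events, max_failures=5):
    """Classic rule: any single source with more than max_failures failed logins."""
    fails = Counter(src for _, _, src, res in events if res == "FAIL")
    return sorted(src for src, n in fails.items() if n > max_failures)


def spray_alerts(events, window=timedelta(minutes=10), min_users=8, min_ips=8, max_per_ip=2):
    """Distributed-spray rule over fixed time windows.

    Fires when failed logins in one window touch many accounts from many source
    addresses while no single address exceeds max_per_ip attempts: the shape a
    residential proxy pool produces and a per-IP threshold cannot see.
    """
    buckets = defaultdict(list)
    for ts, user, src, res in events:
        if res == "FAIL":
            buckets[(ts - EPOCH) // window].append((user, src))
    alerts = []
    for bucket in sorted(buckets):
        users = {u for u, _ in buckets[bucket]}
        ip_counts = Counter(s for _, s in buckets[bucket])
        if len(users) < min_users or len(ip_counts) < min_ips:
            continue
        if max(ip_counts.values()) > max_per_ip:
            continue
        alerts.append({
            "window_start": (EPOCH + bucket * window).isoformat(),
            "distinct_users": len(users),
            "distinct_ips": len(ip_counts),
            "max_failures_per_ip": max(ip_counts.values()),
            "residential_ips": sum(1 for s in ip_counts if is_residential(s)),
            "users": sorted(users),
        })
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("per-IP rule fires on:", per_ip_alerts(evts))
    for alert in spray_alerts(evts):
        print("distributed spray:", alert)
```

On the constructed log the per-IP rule flags only 192.0.2.44, the one noisy brute-forcer, and says nothing about the ten exit nodes that each tried a single account once. The window rule flags the 10:00 window with 11 accounts, 11 source addresses, at most one failure per address, and 10 of those addresses in the residential prefix table. The thresholds are deliberately low to keep the sample short; in practice they are tuned against the tenant's normal failed-login baseline, and the residential share is one enrichment signal among several rather than a verdict on its own.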
