By: Larissa Knapp, EVP and Chief Content Protection Officer, Motion Picture Association, and Noopur Davis, Executive Vice President, Chief Information Security and Product Privacy Officer, Comcast Corporation
Imagine downloading a free mobile game, installing an app to access pirated content, or adding a browser extension that promises rewards for sharing your internet. Behind the scenes, your IP address may have just entered an illegal marketplace where it is sold to the highest bidder. These buyers use your IP address as their conduit to engage in a wide range of cybercrimes, which could include financial fraud, distribution of child sex abuse materials, launching cyber attacks, and committing espionage.
Today’s cybercriminals create this infrastructure by weaponizing innocuous-seeming devices in homes and small businesses: connected TV devices (typically used for streaming), smart TVs, projectors, tablets, and routers. What may appear to be innocent consumer electronics has been covertly transformed into a distributed proxy network that conducts cybercrime on others’ behalf, leaving you responsible.
What Is a Residential Proxy?
A residential proxy is software that secretly turns your personal device – a smartphone, connected TV device, computer, or IoT appliance – into a relay point for other people’s internet traffic. Once compromised, your IP address can be used by criminals to conduct online activity that appears to originate from your home. The true origin of the traffic remains hidden. Worse yet, since your home (or business) appears to be the originating point of this internet activity, proving this nefarious activity did not come from you is difficult, sometimes impossible.
Devices become part of proxy networks through several mechanisms, including:
- Deceptive opt-in programs: Users are enticed with offers like “earn money by sharing your internet” or “free streaming content.”
- Malware infections: Devices, especially unprotected or unpatched ones, are silently compromised.
- Bundled permissions in apps: Free mobile games or utilities may include hidden clauses in their terms that enable proxy activity without the user’s informed consent.
Because these proxies use legitimate residential (or business) IP addresses, they are often indistinguishable from normal user behavior. This makes it incredibly difficult to detect, block, or attribute this malicious activity.
Recent Example – The Scale and Scope of BADBOX 2.0
According to IC3’s Public Service Announcement 250605 (June 5, 2025), the BADBOX 2.0 botnet compromised over 1 million Android-based consumer devices, converting them into proxy nodes used by cybercriminals. These devices – often sold via unbranded marketplaces or bundled with unofficial setup apps – are now core infrastructure in illicit networks that facilitate proxy-enabled anonymity.
Industry partners including HUMAN Security, Trend Micro, and the Shadowserver Foundation have collaborated with the FBI and Google to disrupt BADBOX. Google has since sued 25 Chinese entities in New York federal court, alleging the botnet infected over 10 million uncertified Android devices and monetized access via residential proxies and ad fraud schemes.
Why Residential Proxies Are Ideal for Criminal Actors
Residential proxies are now a standard component in the cybercriminal toolkit. They provide anonymity, evasion, and scalability—enabling malicious actors to appear as ordinary users. Here are some of the most concerning applications:
- Credential Stuffing & Brute Force Attacks: Attackers rotate IP addresses to evade rate limits and lockout mechanisms.
- Phishing & Identity Theft: Proxies host malicious infrastructure and allow attackers to access stolen accounts without triggering geolocation alarms.
- Ad Fraud: Fake clicks and impressions are generated by appearing as genuine residential users, costing advertisers billions.
- Spam & Fake Account Creation: Used to automate account generation and bypass anti-spam filters.
- Data Exfiltration: Stolen data is routed through these proxies to evade detection.
- Command-and-Control (C2) Concealment: Malware communicates with C2 servers via proxies to obscure its origin.
- Web Scraping & Competitive Espionage: Data is harvested at scale from both public and private websites, often in violation of terms of service.
- Bypassing Geo-Restrictions: Proxies are used to circumvent regional blocks or deliver localized phishing campaigns.
- Targeted Surveillance & Stalking: Abusers mask their identities to harass or monitor victims.
- Illicit Marketplaces: Criminal forums and trafficking platforms hide behind these proxies to evade law enforcement.
These are not fringe use cases. They represent a growing, active threat landscape with broad implications for both individuals and organizations. Cybercriminals increasingly turn to residential IPs because of their trusted status in fraud systems. A June 2025 WIRED article describes how criminals are moving away from bulletproof hosting to purpose-built VPNs and residential proxy services, blending malicious traffic with benign user behavior in ways nearly impossible to distinguish. Imperva’s 2025 Bot Report found 21% of bot attacks originate via residential proxies, making detection harder and attribution murkier.
Meanwhile, academic studies like “Shining Light into the Tunnel” show that residential IP proxy networks operate at scale, with millions of exit nodes spread across cities and ISPs, and include unauthorized deployments within corporate environments.
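An added illustration, not part of the original article, of why the IP rotation described in the credential-stuffing item slips past per-IP rate limits, and how counting failures across all sources in a time window surfaces it. The log format, thresholds, usernames and addresses (documentation ranges) are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

def build_sample():
    """Constructed auth log: '<UTC time> <source IP> <username> <result>'."""
    lines = [f"2025-06-05T10:00:{i:02d}Z 198.51.100.{i + 1} user{i} FAIL"
             for i in range(12)]          # 12 failures, 12 different exit IPs
    lines += [f"2025-06-05T10:05:{i:02d}Z 203.0.113.7 alice FAIL"
              for i in range(6)]          # one noisy client on a single IP
    lines.append("2025-06-05T10:06:00Z 192.0.2.10 bob OK")
    return lines

def parse(line):
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result

def per_ip_alerts(lines, max_failures=5):
    """Classic per-IP rate limit: flag an address with too many failures."""
    fails = Counter(ip for _, ip, _, res in map(parse, lines) if res == "FAIL")
    return sorted(ip for ip, n in fails.items() if n > max_failures)

def distributed_alerts(lines, window_s=60, min_failures=10, min_ips=8):
    """Flag windows where failures are high in total but spread over many IPs."""
    buckets = defaultdict(list)
    for when, ip, user, res in map(parse, lines):
        if res == "FAIL":
            buckets[int(when.timestamp()) // window_s].append((ip, user))
    alerts = []
    for key in sorted(buckets):
        hits = buckets[key]
        ips = {ip for ip, _ in hits}
        if len(hits) >= min_failures and len(ips) >= min_ips:
            start = datetime.fromtimestamp(key * window_s, timezone.utc)
            alerts.append({
                "window_start": start.isoformat(),
                "failures": len(hits),
                "distinct_ips": len(ips),
                "distinct_users": len({user for _, user in hits}),
            })
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    print("per-IP limit flags:", per_ip_alerts(sample))
    for alert in distributed_alerts(sample):
        print("distributed pattern:", alert)
```

On the constructed sample the per-IP check flags only the single noisy client, while the window check flags the minute in which twelve addresses each failed once; real thresholds have to be tuned against a service's normal login failure rate.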
< End of Part 1 >
In Part 2, we will take a closer look at the criminal economics of proxy infrastructure and why the issue demands cross-sector attention. Thank you.
Further reading
Home Internet connected devices facilitate criminal activity. Public Service Announcement. Alert number: I-060525. Published June 5, 2025. Federal Bureau of Investigation (FBI)
Shining light into the tunnel: Understanding and classifying network traffic of residential proxies. Paper. Published April 2024 via arXiv, by Ronghong Huang, Dongfang Zhao, Xianghang Mi, Xiaofeng Wang. Cornell University
Cybercriminals are hiding malicious Web traffic in plain sight. Article. June 6, 2025, by Lily Hay Newman. Wired