by: Larissa Knapp, EVP and Chief Content Protection Officer, Motion Picture Association, and Noopur Davis, Executive Vice President, Chief Information Security and Product Privacy Officer, Comcast Corporation
As we learned in Part 1, a residential proxy is software that secretly turns your personal device – a smartphone, connected TV device, computer, or IoT appliance – into a relay point for other people’s internet traffic. Once compromised, your IP address can be used by criminals to conduct online activity that appears to originate from your home. Today we will examine the hidden economy of residential proxies.
The Criminal Economics of Proxy Infrastructure
Behind the scenes, there is also a hidden economy that monetizes proxy access:
- Buyers (advertisers, scrapers, fraudsters) pay for access to compromised IP addresses across residential, business, and enterprise networks.
- Marketplaces facilitate this trade, allowing real-time bidding on desirable IP blocks.
The most valuable IP addresses tend to be:
- Low-risk and clean in reputation
- High in bandwidth
- Strategically located (e.g., specific ISPs or geographies)
This demand drives continued exploitation and fuels the expansion of these illicit ecosystems.
What makes proxy abuse across residential, business, and enterprise networks particularly challenging is the decentralized nature of the marketplaces where access to these proxies is sold. These markets operate largely in the shadows, connecting buyers—including fraudsters, scrapers, and cybercriminals—with ready access to compromised IPs across residential, business, and enterprise networks sourced through questionable means.
These platforms often use sanitized language like “ethical proxy service” or “opt-in user base,” while offering little to no transparency about how their IPs are acquired or, even more important, who ultimately uses the proxy services and for what activities. Buyers can target specific geographies, bandwidth levels, or reputation scores, while the true owners of those IP addresses remain unaware that their networks are being exploited.
Proxy marketplaces now offer targeting by region, ISP, IP reputation, and bandwidth—all in service of illicit customers. Massive supply pools (10M+ devices) allow for scalable infrastructure with little investment. These services further allow bad actors to anonymize and undermine the operation of a responsible internet ecosystem.
This ecosystem echoes past proxy services like 911 S5, used to route traffic through compromised machines globally. While authorities sanctioned operators in 2022, the business model has evolved into newer, more automated botnets.
Key insights from the 2025 F5 Advanced Persistent Bots report confirm that many proxy services rebrand across multiple domains to evade detection and continue to bypass bot defenses via dynamic traffic flow.
Trend Micro’s recent whitepaper from May 2025 underscores how residential proxies now serve as a core enabler for cybercriminals seeking to circumvent anti-fraud systems built for detecting data center IP patterns.
Why This Threat Demands Cross-Sector Attention
- Entertainment & Rights Protection: Piracy rings exploit residential proxies to evade enforcement, distribute content peer-to-peer, and replicate geo-spoofed streaming access.
• AdTech & Marketing: Ad fraud networks funnel billions in revenue through proxy-routed impressions and synthetic audience generation.
• Finance & Risk Teams: Credential stuffing and bot-based account takeover campaigns leverage clean-looking residential IPs to avoid rate limit thresholds.
• Critical Infrastructure & IoT Security: Compromised devices in homes—acting as proxy nodes—become entry points for broader network abuse and lateral movement.
Conclusion: Time to Recognize Proxy Abuse as Strategic Threat Infrastructure
From the BADBOX revelations by IC3 to the decades-long persistence of proxy botnets like ImageProxy and Anyproxy—residential proxies are no longer fringe. They are core infrastructure for modern cybercrime.
This threat exploits normal consumer trust in home devices, enabling anonymity, evasion, and persistence. Tackling this challenge requires not just awareness—but regulatory oversight, industry partnerships, and operational vigilance. As defenders, regulators, and industry leaders, we must understand this ecosystem in detail to confront it effectively.
Why it matters
Our digital identities—once a cornerstone of trust and personalization—are now being weaponized to serve criminal economies hiding behind residential proxies. This exploitation not only erodes user privacy but introduces friction into everyday online experiences, from login failures to account lockouts and degraded service quality. All this benefits threat actors who profit from the anonymity and legitimacy our IP addresses provide. The time to act is now. We must recognize that the misuse of residential proxies is not just a technical nuisance—it’s a strategic threat to digital trust, consumer safety, and the integrity of the internet itself.
Up next
In our follow-up article, we will reveal what the Comcast Threat Research Laboratory have uncovered about this hidden threat—including real-world telemetry and trends that show just how pervasive ResProxy abuse has become.
Futher reading
MPA: The criminal infrastructure hiding in plain sight: Residential Proxies, Part 1. Article. September 24, 2025. by Larissa Knapp, EVP and Chief Content Protection Officer, Motion Picture Association, and Noopur Davis, Executive Vice President, Chief Information Security and Product Privacy Officer, Comcast Corporation
2025 Advanced Persistent Bots Report. In-depth article. March 2025. by Tafara Muwandi (additional contributions by David Warburton, Malcolm Heath & Tom Dillon), F5 Labs
The rise of residential proxies as a cybercrime enabler. In-depth article. May 27, 2025. by Feike Hacquebord, Philippe Lin, Fyodor Yarochkin, Vladimir Kropotov. Trend Micro
911 S5 Botnet dismantled and its administrator arrested in coordinated international operation. Press release. May 29, 2024. US Depatment of Justice
Botnet dismantled in international operation, Russian and Kazakhstani administrators indicted. Press release. May 9, 2025. US Department of Justice (Note: This references Anyproxy/5Socks malware)
