
Google disrupts IPIDEA residential proxy network used in cybercrime

Google announced Wednesday that it took legal action against IPIDEA, a residential proxy network the company said is overwhelmingly used to facilitate cybercrime.

Google accused IPIDEA, which it calls the “world’s largest residential proxy network,” of enabling threat actors such as botnet operators to conduct cyberattacks as well as allowing devices to be added to the network without the device owners’ knowledge or consent.

The company aims to disrupt the network through legal action to take down the domains used to control residential exit node devices and market its proxy software and software development kits (SDKs).

These SDKs — Castar SDK, Earn SDK, Hex SDK and Packet SDK — are marketed to developers as a way to monetize their applications, with the developer receiving payment from IPIDEA while those who install the app, often unknowingly, have their devices used as exit nodes for the proxy network, Google said.

These SDKs all share a similar code structure and overlapping command-and-control (C2) infrastructure. A device running one of them first connects to a “Tier One” server to report diagnostic information and receive a list of “Tier Two” addresses, then polls those “Tier Two” addresses for proxy tasks, relaying whatever payload it receives through the device owner’s own IP address.
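The two-tier dispatch described above leaves a network-visible footprint that a defender can look for without knowing any particular SDK’s domains: a device that polls one or more remote hosts at a fixed cadence and, at the same time, opens connections to a large number of unrelated destinations on behalf of someone else. The following is an added example, not code from Google, GTIG or the IPIDEA SDKs, and it does not detect any specific SDK. The flow records, the RFC 5737 test addresses and the thresholds are all constructed for illustration; a real deployment would tune the thresholds against a baseline of the devices on the network, and an SDK that randomized its polling interval or rotated task servers frequently would weaken the heuristic.

```python
"""Behavioural flag for 'bandwidth-sharing' exit nodes on a home network.

Added example; everything here is constructed (RFC 5737 test addresses,
synthetic flow records, hand-picked thresholds). It is not code from
Google, GTIG or any proxy SDK, and it detects a traffic pattern, not a
specific product.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int      # connection start, seconds since epoch
    src: str     # local device address
    dst: str     # remote address
    dport: int


def regular_pollers(timestamps, min_hits=8, max_cv=0.25):
    """True if the contact times look like a fixed-interval task poller.

    Uses the coefficient of variation of the inter-arrival gaps: a person
    or a streaming client produces bursty gaps, a poller does not.
    """
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def flag_exit_node_candidates(flows, min_control=1, min_fanout=25):
    """Return {device: {"control": [...], "fanout": n}} for devices that
    (a) poll at least `min_control` remote hosts at a steady cadence and
    (b) also connect to at least `min_fanout` distinct other hosts, the
    combination expected of a node relaying someone else's traffic.
    A one-off check-in (the 'Tier One' contact) is not a poller and is
    simply counted among the other destinations."""
    by_dev = defaultdict(lambda: defaultdict(list))
    for f in flows:
        by_dev[f.src][f.dst].append(f.ts)
    out = {}
    for dev, dsts in by_dev.items():
        control = sorted(d for d, t in dsts.items() if regular_pollers(t))
        fanout = len(dsts) - len(control)
        if len(control) >= min_control and fanout >= min_fanout:
            out[dev] = {"control": control, "fanout": fanout}
    return out


def synthetic_flows():
    """Constructed sample: a TV that streams from a few CDN hosts at
    irregular times, and a set-top box that checks in once, then polls
    two task servers every 30 s while connecting out to 40 unrelated hosts."""
    flows = []
    t = 1_700_000_000
    # Ordinary TV: three CDN hosts, bursty contact times (assumed benign).
    for i, gap in enumerate([5, 40, 7, 300, 12, 900, 3, 60, 250, 9]):
        t += gap
        flows.append(Flow(t, "192.168.1.20", f"198.51.100.{i % 3}", 443))
    # Set-top box: single "Tier One" check-in ...
    base = 1_700_000_000
    flows.append(Flow(base, "192.168.1.31", "192.0.2.10", 443))
    # ... steady 30 s polls of two "Tier Two" task servers ...
    for k in range(12):
        for tier2 in ("192.0.2.20", "192.0.2.21"):
            flows.append(Flow(base + 30 * k + 5, "192.168.1.31", tier2, 443))
    # ... and fan-out to 40 distinct destinations on behalf of proxy users.
    for n in range(40):
        flows.append(Flow(base + 7 * n + 11, "192.168.1.31", f"203.0.113.{n}", 443))
    return flows


if __name__ == "__main__":
    for dev, info in flag_exit_node_candidates(synthetic_flows()).items():
        print(f"{dev}: polls {info['control']} and fans out to {info['fanout']} hosts")
```

On the constructed sample only the set-top box is flagged: its two task servers pass the cadence test and it reaches 41 other hosts, while the TV has no regular poller and only three destinations. The check is deliberately coarse; its value is as a triage signal that a consumer device is behaving like a relay, which is exactly what a bandwidth-sharing SDK turns it into.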

Threat actors use residential proxy network services to conceal the origin of cyberattacks, often targeting IP addresses from the United States, Canada and Europe, Google said. This proxying often makes cyberattacks more difficult to attribute and disrupt.

“These users knowingly or unknowingly provide their IP address and device as a launchpad for hacking and other unauthorized activities, potentially causing them to be flagged as suspicious or blocked by providers,” the Google Threat Intelligence Group (GTIG) wrote. “Proxy applications also introduce security vulnerabilities to consumers’ devices and home networks.”

IPIDEA's role in BadBox 2.0 botnet

In July 2025, Google filed a lawsuit against the operators of the BadBox 2.0 botnet, a botnet of more than 10 million uncertified devices running Android Open Source Project software. The company said IPIDEA SDKs played a “key role” in adding devices to that botnet, and that the proxy service has also recently been used by the Aisuru and Kimwolf botnets.

GTIG said this month that it had observed more than 550 threat groups, including groups from China, North Korea, Iran and Russia, using IP addresses associated with IPIDEA exit nodes for malicious activity such as password spraying and intrusions into software-as-a-service (SaaS) environments and on-premises infrastructure.

The researchers noted that, in addition to trojanized Android, Windows, iOS and WebOS applications, threat actors have also pre-installed IPIDEA SDKs on uncertified devices such as television set top boxes and distributed them through the free VPN services Galleon VPN, Radish VPN and Aman VPN.

Google identified the proxy service itself being distributed under more than a dozen proxy and VPN brand names including 360 Proxy, Cherry Proxy, Door VPN and IP 2 World.

In addition to taking legal action to take down IPIDEA’s domains, Google shared its findings with industry partners and law enforcement, and added protections against IPIDEA SDKs to Android devices via Google Play Protect, which will automatically warn users and uninstall applications when these SDKs are detected.

Google worked closely with partners like Spur and Lumen’s Black Lotus Labs to aid its investigation into residential proxy networks, and also partnered with Cloudflare to disrupt IPIDEA’s domain resolution.

The company called for industry collaboration in intelligence sharing regarding illicit proxy networks, greater regulation to hold residential proxy providers accountable for unethical activity and greater scrutiny by application developers to vet the SDKs they incorporate into their projects.

Consumers are also advised to be wary of applications that offer to pay them for their “unused bandwidth,” to install applications only from official app stores, and to review the permissions requested by the apps they install. Users should also buy connected Android devices such as TV set-top boxes from reputable manufacturers; the Android TV website provides a list of approved partners.
