Residential criminal proxies are a significant threat, allowing malicious actors to engage in a wide range of criminal activities while evading detection. Residential proxies are services that sell access to IP addresses from residential devices, often without the device owners’ consent.
This post will discuss residential criminal proxies, their tactics, techniques, and procedures (TTPs), and the consequences they bring to the cybersecurity ecosystem. This includes how residential proxies work, how they are acquired for criminal behavior, their criminal applications, and the challenges of defending against them.
This post shares insights from a four-hour discussion at the NANOG Security Track hosted by Krassimir Tzvetanov, PhD on June 9, 2025. The session included members of federal law enforcement and cybersecurity experts, as well as technical insights, case studies, and a panel discussion addressing mitigation strategies and community collaboration.
Introduction to Residential Proxies
Residential proxies are services that provide access to IP addresses from home devices, allowing users to select IPs by country, state, or city. Unlike VPNs, which rely on data center servers, residential proxies offer IPs from residential IP space, including small towns such as Corvallis, OR, or Brock, TX, making them harder to trace. In addition, they can also offer IPs from corporate, government, and other networks if co-opted devices are present there.
These services are able to hyperscale. There are approximately 100 million residential IP addresses in the U.S. alone, compared to tens of thousands of VPN servers globally. This vast scale complicates tracking and distinguishing legitimate from malicious traffic. This provides a vast number of “clean” IPs that evade fraud detection systems used by banks and retailers, as they have not accrued negative reputation.
While in most cases proxies are not used with the intent of causing misattribution, when they do cause it, they divert resources from enterprises and law enforcement. Even worse, they cause incredible inconvenience and stress to users who are accused of a crime and visited by law enforcement.
Potential Threats from Residential Proxy Applications
Criminals refer to these services as “socks” or “socks5” (derived from the SOCKS5 protocol), and they have multiple criminal uses:
- Account takeovers: Accessing bank or email accounts using stolen credentials paired with a proxy IP matching the victim’s location.
- Credit card fraud: Using stolen card details through proxies to mimic the cardholder’s location, evading fraud detection.
- Unemployment insurance fraud: During COVID-19, proxies facilitated $6 billion in fraudulent claims by creating fake accounts, again exploiting the ability to fake the user’s location.
- Swatting and threats: Although regular proxies and VPNs work for this threat, using residential proxies can make malicious actors harder to detect while implicating innocent users.
- Terrorism and ransomware: Proxies are used for initial access in ransomware attacks or by terror groups to obscure activities.
- Bot automation: This includes sneaker bots, ticket scalping, and money laundering by reselling goods purchased with illicit funds.
- AI training: Some companies use residential proxies to acquire content to train AI, violating the ToS of the sources. By using a residential proxy, they are able to distribute their traffic through multiple IPs and preserve anonymity.
- DDoS: Some operators are using these proxies to launch attacks on websites. While the sheer number of proxies can deliver large volumes of traffic, they are usually used in more sophisticated attacks rather than purely volumetric ones.
Residential proxy services advertise millions of IPs daily, claiming coverage in every city worldwide, and this claim is supported by what researchers observe. Investigations confirm proxies in nearly every country, except a few like North Korea and two Central African nations. High-demand IPs are from “high-trust” countries (such as the U.S., Western Europe, and Japan), with 80% of connections in one investigated service originating in the U.S. This leads to a big question: how are they able to acquire so many proxies?
Residential Proxy Acquisition for Malicious Actors
The methods used by these providers vary widely, but from a criminal ecosystem point of view they can be separated into two groups.
Classic Methods
- Exploiting vulnerable devices: Hackers target unpatched routers or internet of things (IoT) devices with firmware vulnerabilities, installing proxy backdoors. Recent law enforcement actions have disrupted such networks.
- Front software: Malicious apps, often disguised as free VPNs, include proxy backdoors. In some cases, the terms of service of these apps mention resource sharing in fine print, but the apps often install the backdoor silently, targeting Windows and Android devices.
- Pay-per-install: This approach leverages initial access brokers who specialize in device compromise and sell bulk access to those devices. Current prices vary between $0.60 and $1 per infection, while U.S.-based infections are more expensive.
New Methods
- Passive income apps: Users are paid to share bandwidth to supplement proxy networks. In most cases, this is a violation of the ToS of their local ISPs but enforcement by internet providers appears to be lax.
- Software development kits (SDKs): Developers embed proxy code in mobile or TV apps for financial incentives, turning user devices into proxies.
- Hardware supply chain attacks: Backdoors are embedded in device firmware during manufacturing, particularly in Android-based streaming devices or TVs. Examples include “B-Box” malware and pirated streaming apps. In addition, some vendors use common embedded Linux distributions that can be compromised.
- App repackaging: While this is mostly used for video games, it has also been observed in other applications. A service can pirate a game or another application and then repackage it to include the proxy, then post it to a pirated software torrent.
Examples of High Scale Proxy Acquisition
One service scaled to 19 million devices by repackaging pirated AAA video games with silent proxy installers. These were distributed via torrent sites like The Pirate Bay, targeting users in sanctioned countries like Iran. Users unknowingly installed VPN-like apps that turned their devices into proxies, generating $120 million over seven years for the service.
Another example is the use of Video/IP TV streaming devices. Some Android-based streaming boxes contain backdoors in launchers or pre-installed apps. These devices, sold for piracy, connect to C2 servers after delays to evade detection. Firmware analysis shows that some even employ multi-stage infections. For example, a Python script evolves into a log file, then a binary, loading different proxy backdoors per stage.
Last but not least, the FBI’s takedown of the 911 S5 service in 2024 revealed some details of a significant operation. The actor was a major proxy provider, which used U.S.-based infrastructure chosen for low latency. The service sold 1 billion proxy tokens to 356,000 users, highlighting the scale of criminal demand. After the takedown, competitors moved their command and control (C2) servers overseas, reducing law enforcement visibility. (The FBI has an excellent write-up on how to identify and remove these backdoors.)
Criminal Proxy Market
Similar to the old days of spam, proxy IP addresses appear to go through a life cycle where they are used for an increasing number of activities. First, they are used for high-value financial crime, then online platform account takeover, then content scraping, AI training, bot automation, and finally for DDoS.
After the 911 S5 proxy service was dismantled in May 2024, competitors released front ends quickly, capturing the market. In some cases, there may be multiple front ends to the same back end network of proxies. Payments usually are organized through the use of tokens (for example, 5 tokens for 4 hours of proxy access) or bandwidth-based billing, often via third-party processors or cryptocurrency.
Proxy services themselves are usually not sufficient to conduct most crimes. While they provide the ability to bypass geolocation detection, which is a layer 3 issue, they need to be augmented by other tools that obscure the criminal action at higher layers. This includes anti-detect browsers, which mask browser fingerprints, allowing criminals to scale fraud (such as credential stuffing) by mimicking legitimate users. In addition, criminals need tools to manage multiple proxies. Proxy managers like FoxyProxy route traffic through specific victim IPs, enhancing impersonation.
The Challenges of Defending Against Residential Criminal Proxies
Malicious use of residential proxies is a strongly asymmetric threat on its own, and it makes other threats asymmetric as well. One serious issue is detection difficulty. Proxy traffic mimics legitimate user activity, and services use dynamic domains (not hardcoded IPs), complicating blocking efforts.
One of the challenges is that malicious traffic is coming from legitimate autonomous systems (AS) attributed to residential users. The IP addresses themselves do not have any negative reputation, and moreover, if a provider like Google detects issues and sends a captcha or other verification, the legitimate user behind the proxy IP would complete the challenge successfully.
Even if malicious activity is detected, many service providers and banks will opt out of blocking the IP address, as they do not want to create additional friction for the legitimate users of the proxy.
Another issue stemming from the above-mentioned traffic mix is misattribution. It is very serious, as it victimizes innocent citizens who are unaware their devices are proxies, leading to law enforcement knocking on their doors.
Many of these providers include language in their terms of service that alludes to internet resource sharing. Depending on the court’s interpretation, this may be seen as legitimate consent. Some proxy providers are also initiating legal processes, openly arguing that they are legitimate businesses. They have even litigated against researchers who have publicly accused them. This includes security companies receiving cease and desist letters, although in the cases I’m aware of, the proxy service did not proceed with litigation. One possible reason: if there is litigation in a U.S. court, the discovery phase may create a serious issue for the service provider, as they may be compelled to disclose their business records.
The NANOG panel also discussed some additional major challenges:
- Scale of fraud: Retailers and banks lose billions annually to proxy-enabled fraud. Due to FDIC insurance, so does the government ($50,000 per fraudulent bank account), which is adding to the toll.
- ISP reluctance: ISPs hesitate to block traffic due to legal risks, customer backlash, and the need for transparent threat intelligence. Small ISPs, with limited resources, fear losing customers to larger competitors like Comcast.
- User education: Victims often learn about pirated devices via word-of-mouth or Reddit astroturfing, not realizing they’re enabling crime. Public education campaigns are proposed but face trust issues if led by ISPs or government. Users must learn about the issue through sources they trust.
Defender Solutions
Proposed solutions can overall be divided into three categories: technical interventions, community collaboration, and demand-side pressure.
Technical Interventions
Technical interventions include null routing and sinkholing of the C2 domains or IPs, though this will likely not be effective since it is relatively easy to rotate the C2.
Threat intelligence sharing is essential to addressing this problem. However, there currently isn’t a platform for ISPs, researchers, and law enforcement to share IOCs (indicators of compromise) that could map proxy networks. One of the concerns about the creation of such platforms is that they may be infiltrated by malicious parties, so vetting is a concern.
One of the more scalable methods may be to feed C2 information to app stores to provide intelligence and assist in application vetting. Once an application is flagged because it talks to a particular C2, it can be manually examined and the entire publisher, with all of their apps, blocked.
The second category, community collaboration, has multiple facets. Fusion centers, as well as companies like the National Cyber-Forensics Training Alliance (NCFTA), Team Cymru, and Shadowserver Foundation could coordinate efforts. In addition, academic institutions such as Purdue University have strong computer science and digital forensics programs but funding is a barrier.
Small ISPs lack the financial capability, so they may need to rely on grants to support threat intelligence platforms or leverage student researchers for cost-effective solutions.
Another major point that was discussed is industry self-regulation (hosting providers policing bad actors). This approach is preferred over government mandates, which risk overreach and increasing the operating costs for the ISPs.
Demand-Side Pressure
The last category is demand-side pressure. Some of the large consumers of these proxy networks are AI companies, which use the services for web scraping. There needs to be education and potentially litigation when those companies are negligent with their selection of proxy providers. Community consensus documents could also pressure hosting providers to drop bad actors, similar to past anti-spoofing efforts.
Education campaigns can also be used to drive anti-piracy messaging and highlight cybercrime risks (such as misattribution) rather than moralizing. Community-driven campaigns, possibly via civil society groups like the Internet Society or academia, could build trust.
The NANOG panel also discussed continued collaboration in the form of trust groups and working groups. The speakers proposed continuing the discussion offline to sustain momentum, including through this post, which captures the session’s insights.
Additional Concerns Around Residential Proxies
The session concluded with a discussion on the ethical and practical concerns. Misattribution risks were top of mind. Innocent victims face law enforcement scrutiny due to proxy misuse. Emphasis needs to be on thoroughness of investigations and requiring multiple artifacts (not just IP addresses) to establish probable cause. Law enforcement representatives at the session were not aware of innocent users being prosecuted solely for proxy traffic, but the risk persists.
The panel also debated whether “ethical” residential proxies exist. Some argue no service can scale ethically without compromising devices, while others note that providers like Bright Data enforce KYC (know-your-customer) policies, unlike overtly criminal services like 911 S5.
The last serious concern was about supply chain integrity and threats. Firmware backdoors in devices from certain countries raise national security concerns, likened to past DDoS botnets. This suggests coordinated international efforts are needed.
Conclusion
Residential proxy services are a pervasive tool for cybercrime, enabling fraud, ransomware, and terrorism while victimizing device owners. Their scale, technical sophistication, and misattribution risks pose unique challenges. Mitigation requires a blend of technical disruption, community intelligence sharing, and demand-side pressure on industries like AI. The session underscored the need for collaborative, transparent solutions to protect networks and users while respecting privacy and legal constraints.