**Google Targets IPIDEA in Crackdown on Global Residential Proxy Networks**
In a significant move to combat cybercrime, Google has disrupted one of the largest residential proxy networks in the world, IPIDEA. The network, which routes traffic through real ISP-assigned residential IPs, allows attackers to hide malicious activity and evade detection.
IPIDEA's proxy infrastructure is a little-known component of the digital ecosystem that is leveraged by a wide array of bad actors. The network depends on millions of consumer devices enrolled as exit nodes, often via trojanized apps or deceptive "bandwidth monetization" offers.
Google's GTIG (Global Threat Intelligence Group) found that these networks, including IPIDEA, are heavily abused by cybercrime, espionage, and botnets such as BadBox2.0, Aisuru, and Kimwolf. In one week of January 2026, over 550 tracked threat groups used IPIDEA exit nodes.
Residential proxy networks endanger users by exposing their devices and home networks to unauthorized traffic, compromise, and reputational risk. Google's actions have caused significant degradation of IPIDEA's proxy network and business operations, reducing the available pool of devices for the proxy operators by millions.
The researchers discovered that many "independent" residential proxy and VPN brands are actually controlled by the same actors behind IPIDEA, including services like 360 Proxy, Luna Proxy, PIA S5, and Radish VPN. The group also operates multiple proxy SDKs (Castar, Earn, Hex, Packet) embedded into apps to monetize downloads and covertly turn user devices into proxy exit nodes.
Claims of ethical IP sourcing are often misleading, as many apps fail to disclose proxy enrollment, exposing users to abuse and risk. Multiple IPIDEA-linked SDKs (EarnSDK, PacketSDK, CastarSDK, HexSDK) share code and a common two-tier command-and-control infrastructure.
The IT giant coordinated with partners like Cloudflare, Spur, and Black Lotus Labs to disrupt operations and share intelligence. Google dismantled much of IPIDEA's infrastructure by taking down C2 and marketing domains, enforcing Play Protect to remove apps with IPIDEA SDKs, and blocking future installs.
Google warns that residential proxies are a growing gray market enabling cybercrime and espionage, urges consumers to avoid "bandwidth sharing" apps and uncertified devices, and calls for stronger transparency, accountability, and industry-wide collaboration to curb abuse. The company encourages mobile platforms, ISPs, and other tech platforms to continue sharing intelligence and implementing best practices to identify illicit proxy networks and limit their harms.
**Indicators of Compromise (IOCs)**
- Tier Two node details: a2s4c2a5b3c4d1e6f7g8h9i0j5k6l7m8n9o1p2q3r4s5t6u7v8w9x
- Proxy SDKs (Castar, Earn, Hex, Packet) embedded into apps to monetize downloads and covertly turn user devices into proxy exit nodes.
- IPIDEA-linked SDKs (EarnSDK, PacketSDK, CastarSDK, HexSDK) sharing code and a common two-tier command-and-control infrastructure.