
Google Takes Down Proxy Network Used by 550+ Hacker Groups

Summary

– Google disrupted the Ipidea residential proxy network, which cybercriminals used to hide attacks, by taking down its control and marketing domains.
– The network consisted of millions of home IP addresses, often enrolled when users downloaded trojanized apps or software promising to monetize their bandwidth.
– While residential proxies have legitimate uses, Ipidea was heavily abused by threat groups for credential theft, malware, and evading security detection.
– Google identified and is blocking over 600 Android apps containing Ipidea’s SDKs to protect users and degrade the network’s device pool.
– The operation targeted a Chinese-operated network controlling several proxy brands and shared intelligence with other platforms and law enforcement to amplify the impact.

In a significant cybersecurity operation, Google has successfully disrupted a massive residential proxy network known as Ipidea, which was being exploited by hundreds of hacker groups to conceal their attacks. The tech giant’s Threat Intelligence Group (GTIG) announced the takedown, revealing that the network, composed of millions of compromised user devices, served as a critical obfuscation layer for malicious activities ranging from infiltrating corporate software to launching password spray attacks.

During just one week in January 2026, GTIG observed over 550 distinct threat groups leveraging Ipidea’s exit nodes. These groups, hailing from nations including China, North Korea, Iran, and Russia, used the network to mask their origins while targeting victim software-as-a-service environments, on-premises infrastructure, and more. Residential proxy networks function by routing internet traffic through the real IP addresses of ordinary home devices, making malicious traffic appear legitimate and geographically dispersed.

Operating such a network requires control of millions of residential IP addresses. Providers typically achieve this scale by installing proxy software on consumer devices. This happens either through pre-loaded software on hardware, or more insidiously, when users download trojanized applications containing hidden proxy code. Some individuals may willingly install this software, enticed by offers to monetize their unused internet bandwidth. Once a device is enrolled, the proxy provider sells access to its network connection and IP address to customers.

While these proxies have legitimate applications, such as market research, price comparison, and cybersecurity testing, they are heavily abused by criminals. Malicious uses include credential stuffing, data scraping, ad fraud, and hiding command-and-control servers for malware. IP addresses located in the United States, Canada, and Europe are especially prized for their perceived trustworthiness and lower suspicion from security systems.

Google’s investigation identified Ipidea as a Chinese-operated service controlling several other proxy and VPN brands, including 922 Proxy and Radish VPN, suggesting a consolidated market behind a facade of fragmentation. To dismantle the network, Google took down the command-and-control domains used to manage infected devices and proxy traffic, along with domains marketing the proxy software and its software development kits (SDKs).

The company also identified over 600 seemingly harmless Android applications that incorporated Ipidea’s SDKs. To protect users, Google enforced its platform policies, ensuring that Google Play Protect on certified devices automatically warns users, removes these apps, and blocks future installation attempts. This action is believed to have removed millions of devices from the proxy pool, severely degrading Ipidea’s operations.

By sharing detailed intelligence on Ipidea’s SDKs and infrastructure with other platform providers, law enforcement, and research firms, Google aims to spur further action to limit the network’s reach. The takedown highlights the ongoing battle against cybercriminal infrastructure that exploits everyday internet users’ devices to enable global attacks.

(Source: HelpNet Security)
