
UK warns Chinese hackers use proxy networks to evade detection

Summary

– China-nexus hackers are increasingly using large-scale proxy networks of hijacked consumer devices, such as routers and IoT devices, to evade detection and disguise malicious activity.
– The joint advisory, co-signed by ten countries including the US and UK, states most Chinese hacking groups have shifted to botnets of compromised small office and home office routers, cameras, and NAS equipment.
– One botnet, Raptor Train, infected over 260,000 devices in 2024 and was linked to Chinese state-sponsored hacking, while another, KV-Botnet, was used by Volt Typhoon and targeted vulnerable Cisco and Netgear routers.
– Traditional defenses based on blocking static IP lists are becoming less effective because these botnets continuously add new compromised nodes.
– Network defenders are advised to use multifactor authentication, map network edge devices, leverage dynamic threat feeds, and apply IP allowlists, zero-trust controls, and machine certificate verification.

The United Kingdom’s National Cyber Security Centre (NCSC-UK), alongside a coalition of international intelligence partners, has issued a stark warning: Chinese-linked hackers are increasingly relying on massive proxy networks built from compromised consumer devices to mask their digital footprints and slip past traditional defenses.

The joint advisory, endorsed by agencies from the United States, Australia, Canada, Germany, Japan, the Netherlands, New Zealand, Spain, and Sweden, reveals a significant tactical shift. Instead of using dedicated, individually purchased infrastructure, most Chinese hacking groups now command vast botnets composed of hijacked devices. The primary targets for compromise are small office and home office (SOHO) routers, alongside internet-connected cameras, video recorders, and network-attached storage (NAS) equipment.

These sprawling networks function as sophisticated relay systems. Attackers route malicious traffic through a chain of compromised devices, entering at one point, hopping through multiple intermediate nodes, and emerging near their intended victim. This technique effectively obscures the origin of the attack and evades geographic-based detection.

“The NCSC believes that the majority of China-nexus threat actors are using these networks,” the advisory states. “Multiple covert networks have been created and are being constantly updated, and a single covert network could be being used by multiple actors.” The report emphasizes that these networks are “mainly made up of compromised SOHO routers, as well as IoT and smart devices.”

One prominent example is the Raptor Train botnet, which infected over 260,000 devices globally in 2024. The FBI linked this operation to the Chinese state-sponsored Flax Typhoon hacking group and the Chinese company Integrity Technology Group, which was sanctioned in January 2025. The FBI successfully disrupted Raptor Train in September 2024 with assistance from Black Lotus Labs, after tracing its use in campaigns targeting military, government, higher education, telecommunications, and defense industrial base (DIB) entities, primarily in the U.S. and Taiwan.

Another network, designated KV-Botnet, was leveraged by the Chinese state-backed Volt Typhoon threat group. It relied heavily on outdated Cisco and Netgear routers that no longer received security patches. The FBI dismantled KV-Botnet in January 2024 by wiping malware from infected devices, but Volt Typhoon began slowly reviving it in November 2024 after an earlier failed attempt in February.

“Botnet operations represent a significant threat to the UK by exploiting vulnerabilities in everyday internet-connected devices with the potential to carry out large-scale cyber attacks,” said Paul Chichester, NCSC-UK’s Director of Operations.

The advisory’s signatories warn that traditional defenses reliant on static lists of malicious IP addresses are losing their effectiveness. These botnets continuously add new compromised nodes, rendering such blocklists obsolete.

To counter this evolving threat, network defenders at organizations of all sizes are advised to adopt a multi-layered approach. Recommended measures include implementing multifactor authentication, mapping all network edge devices, utilizing dynamic threat feeds that incorporate known covert network indicators, and applying IP allowlists, zero-trust controls, and machine certificate verification where feasible.
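The two preceding paragraphs make a detection point that is easy to see in code: a blocklist snapshotted before the relay network grew misses the nodes added since, while a dynamic feed and a default-deny allowlist on administrative protocols do not depend on knowing every node. The script below is an added illustration, not code from the advisory or from BleepingComputer; every IP address, log line, feed snapshot and allowlist range in it is constructed sample data from documentation ranges, not an indicator from the report.

```python
"""Compare three ways of flagging traffic from a proxy botnet over the same
firewall log: a stale static blocklist, a freshly pulled dynamic feed, and an
allowlist (default-deny) applied to administrative ports.

All IPs, log lines, feeds and ranges are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample firewall log: timestamp, source IP, destination port, user.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z src=203.0.113.10 dst_port=443 user=alice
2025-01-10T09:00:05Z src=198.51.100.77 dst_port=22 user=svc-backup
2025-01-10T09:01:12Z src=203.0.113.58 dst_port=443 user=bob
2025-01-10T09:02:40Z src=192.0.2.200 dst_port=3389 user=admin
2025-01-10T09:03:03Z src=198.51.100.9 dst_port=443 user=carol
"""

# Constructed blocklist snapshot taken before the relay network added nodes.
STATIC_BLOCKLIST_T0 = {"198.51.100.77"}
# Constructed dynamic feed pulled at log time: two nodes joined since T0.
DYNAMIC_FEED_T1 = {"198.51.100.77", "192.0.2.200", "203.0.113.58"}
# Constructed allowlist: the only range permitted to reach admin protocols.
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst_port: int
    user: str


def parse_log(text):
    """Parse 'ts key=value ...' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(ts, kv["src"], int(kv["dst_port"]), kv["user"]))
    return events


def flag_by_blocklist(events, blocklist):
    """Indicator matching: flag events whose source is on the given list."""
    return [e for e in events if e.src in blocklist]


def flag_admin_outside_allowlist(events, allowlist, admin_ports):
    """Default-deny: flag admin-port traffic from any source not in the allowlist.
    This needs no knowledge of which relay nodes exist today."""
    flagged = []
    for e in events:
        if e.dst_port not in admin_ports:
            continue
        addr = ipaddress.ip_address(e.src)
        if not any(addr in net for net in allowlist):
            flagged.append(e)
    return flagged


def compare_detections(text=SAMPLE_LOG):
    """Return the source IPs each control flags, in log order."""
    events = parse_log(text)
    return {
        "static_blocklist": [e.src for e in flag_by_blocklist(events, STATIC_BLOCKLIST_T0)],
        "dynamic_feed": [e.src for e in flag_by_blocklist(events, DYNAMIC_FEED_T1)],
        "admin_allowlist": [e.src for e in flag_admin_outside_allowlist(
            events, ADMIN_ALLOWLIST, ADMIN_PORTS)],
    }


if __name__ == "__main__":
    for control, hits in compare_detections().items():
        print(f"{control:17s} flagged: {hits}")
```

The stale snapshot catches one relay node; the feed pulled at log time catches all three; the allowlist catches both attempts on administrative ports, including the node that was never on any list, but says nothing about the relay traffic to port 443, which is why the advisory pairs allowlists with dynamic feeds, multifactor authentication and certificate checks rather than relying on any one of them.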

(Source: BleepingComputer)
