PROBABLYPWNED
Threat Intelligence · January 31, 2026 · 4 min read

Google Dismantles IPIDEA Proxy Network Used by 550+ APTs

Google Threat Intelligence Group disrupts one of the world's largest residential proxy networks, cutting off infrastructure used by nation-state actors from China, Russia, Iran, and North Korea.

Alex Kowalski

Google and its partners have dismantled IPIDEA, one of the world's largest residential proxy networks, which threat actors from China, North Korea, Iran, and Russia were actively exploiting to mask their attack infrastructure. The disruption, announced January 29, represents a significant blow to the cybercriminal ecosystem that relies on hijacked consumer devices to route malicious traffic.

What Is IPIDEA?

IPIDEA is a residential proxy service operated by a Chinese company that controls multiple ostensibly independent proxy and VPN brands including 922 Proxy, 360 Proxy, Luna Proxy, Galleon VPN, and Radish VPN. Unlike datacenter proxies that use commercial IP addresses, residential proxies route traffic through ordinary consumer devices—making malicious connections appear to originate from legitimate home users.

The service enrolled devices without owner consent through malicious SDKs embedded in trojanized applications. Google identified at least 600 Android apps containing proxy SDKs (Packet SDK, Castar SDK, Hex SDK, Earn SDK) and over 3,000 Windows binaries disguised as system utilities like OneDrive sync tools or Windows Update.

Scale of the Threat

In a single seven-day period this month, Google Threat Intelligence Group observed over 550 distinct threat groups using IPIDEA exit nodes to obscure their activities. These included advanced persistent threat (APT) groups from four nation-states conducting espionage, credential stuffing, and initial access operations.

The malicious activity spanned:

  • Access to victim SaaS environments
  • Penetration of on-premises infrastructure
  • Password spray attacks against enterprise targets
  • Reconnaissance and data exfiltration

At the time of disruption, IPIDEA operated approximately 7,400 tier-two command-and-control servers globally to manage traffic routing across its network of millions of compromised devices.

Coordinated Takedown

Google pursued a multi-pronged approach combining legal action with technical enforcement. The company obtained court orders to seize domains used to control infected devices and manage proxy traffic. This cut off attackers' ability to route connections through the compromised device pool.

The collaboration extended across the security industry. Spur and Lumen's Black Lotus Labs provided intelligence on the scope of residential proxy networks. Cloudflare disrupted IPIDEA's domain resolution infrastructure, degrading both command-and-control capabilities and the company's ability to market its services.

For Android users, Google Play Protect now automatically warns about and removes applications containing IPIDEA SDKs, while blocking future installation attempts on certified devices with Google Play services.

Why Residential Proxies Matter to Defenders

Residential proxy networks pose a particular challenge for security teams. When an attack originates from what appears to be a Comcast or Verizon home IP address, it bypasses geographic blocklists and blends with legitimate consumer traffic. This makes attribution difficult and increases false positive rates for IP-based detection.

The CyberAv3ngers campaign we covered last week demonstrated how Iranian threat actors increasingly rely on proxy infrastructure to obfuscate attack origins. Similarly, the APT28 credential harvesting operations targeting the Balkans and Central Asia benefited from residential proxy services that made phishing infrastructure harder to track.

Organizations should treat connections from residential IP ranges with additional scrutiny, particularly for administrative interfaces and sensitive authentication endpoints. The Fortinet authentication bypass attacks we've tracked show how threat actors combine residential proxies with vulnerability exploitation for maximum stealth.

Recommendations

  1. Monitor for proxy indicators - Implement detection for known residential proxy ASNs and IP ranges in network traffic
  2. Harden authentication - Require multi-factor authentication and implement impossible travel detection
  3. Audit Android devices - Enterprise mobile device management should scan for IPIDEA SDK indicators
  4. Review SaaS access logs - Look for anomalous login patterns from residential IP ranges
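
As an added illustration of recommendations 1, 2 and 4 (not code from the article or from Google), the script below runs a proxy-range match and an impossible-travel check over a few constructed SaaS login events. The proxy CIDRs are TEST-NET placeholders standing in for a residential-proxy intelligence feed, and the coordinates stand in for GeoIP results; both are assumptions for the example.

```python
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for a residential-proxy intelligence feed (TEST-NET
# ranges, not real IPIDEA infrastructure); a real deployment would load this
# from a provider feed or an internal blocklist.
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed SaaS login events: (ISO timestamp, user, source IP, (lat, lon)).
# The coordinates stand in for what a GeoIP lookup would return.
SAMPLE_LOGINS = [
    ("2026-01-20T08:00:00", "alice", "192.0.2.10", (40.71, -74.01)),   # New York
    ("2026-01-20T08:12:00", "alice", "203.0.113.7", (52.52, 13.41)),   # Berlin, 12 min later
    ("2026-01-20T09:00:00", "bob",   "192.0.2.11", (40.71, -74.01)),   # New York
    ("2026-01-20T15:00:00", "bob",   "192.0.2.12", (34.05, -118.24)),  # Los Angeles, 6 h later
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def in_proxy_range(ip, ranges):
    """True when the source address falls inside any listed proxy CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def analyze_logins(events, proxy_ranges, max_kmh=900.0):
    """Return (user, ip, reason) findings: logins from proxy ranges, and
    consecutive logins by one user whose implied speed exceeds max_kmh."""
    findings = []
    last_seen = {}  # user -> (timestamp, coords) of that user's previous login
    for ts, user, ip, coords in sorted(events, key=lambda e: (e[1], e[0])):
        when = datetime.fromisoformat(ts)
        if in_proxy_range(ip, proxy_ranges):
            findings.append((user, ip, "proxy_range"))
        if user in last_seen:
            prev_when, prev_coords = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(prev_coords, coords)
            # Any movement in zero elapsed time is also impossible travel
            if dist > 0 and (hours == 0 or dist / hours > max_kmh):
                findings.append((user, ip, "impossible_travel"))
        last_seen[user] = (when, coords)
    return findings

if __name__ == "__main__":
    for user, ip, reason in analyze_logins(SAMPLE_LOGINS, PROXY_RANGES):
        print(f"{user:<6} {ip:<15} {reason}")
```

On the sample data only alice's Berlin login is flagged, on both counts; bob's cross-country login six hours later is within the speed threshold and comes from no listed range.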

Google notes the disruption reduced IPIDEA's available device pool by millions, though the company expects operators to attempt rebuilding the network. The technical intelligence shared with law enforcement and security firms should help identify future iterations.
