
Google Disrupts IPIDEA Residential Proxy Network, Affecting Millions of Devices


Google Disrupts IPIDEA Residential Proxy Network, Foiling Global Cybercrime

Google's Threat Intelligence Group (GTIG) has announced measures to disrupt IPIDEA, identified as a large-scale residential proxy network. This network reportedly routed internet traffic through millions of compromised consumer devices globally, enabling various threat groups to conduct cybercriminal activities while obscuring their origins. The disruption has significantly reduced the pool of available devices within the network.


How IPIDEA Operated

IPIDEA operated by routing its customers' traffic out through real home internet connections, known as residential IPs. Because those addresses belong to ordinary consumer ISPs rather than hosting providers, reputation lists and geoblocking rules that catch data-center proxies do not catch them, which reportedly made the traffic harder for security systems to detect and block.

The network's infrastructure was embedded within hundreds of applications and Software Development Kits (SDKs), including PacketSDK, EarnSDK, HexSDK, and CastarSDK. These SDKs allegedly enrolled devices, including smartphones, Windows PCs, and other consumer hardware, into IPIDEA's proxy pool without explicit user consent, effectively turning them into exit nodes for other users' traffic.

Investigators also reported that IPIDEA operators directly controlled some of the SDKs used for device enrollment. IPIDEA sometimes marketed its proxy software and SDKs as a method for users to monetize spare bandwidth. Residential IPs located in the United States, Canada, and Europe were noted as particularly sought after within the network.

Exploitation by Threat Actors

GTIG identified over 550 threat groups that utilized IPIDEA exit nodes during a seven-day period. These groups included cybercriminals and advanced persistent threat (APT) actors, some of whom were reportedly linked to China, Russia, Iran, and North Korea.

The proxy services supported a range of illicit activities:

  • Credential stuffing
  • Espionage
  • Distributed Denial of Service (DDoS) attacks
  • Concealing command-and-control operations
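The residential exit nodes described above defeat the simplest control against credential stuffing, a per-IP failure threshold, because each attempt arrives from a different home IP. The following script is an added example, not code from the article or from Google; it runs a naive per-IP rate limit and an aggregate, window-based detector over a constructed sample authentication log (the log lines, field layout, and threshold values are all assumptions for illustration) to show what a defender can still key on when the attacker has many addresses.

```python
"""Credential-stuffing detection that does not depend on blocking individual IPs.

When attempts arrive through residential proxy exit nodes, each source IP makes
only one or two requests, so a per-IP failure threshold never fires. The
aggregate shape of the traffic (many failures, almost no IP reuse, many distinct
accounts in a short window) is still visible.
"""
from collections import Counter, defaultdict

# Constructed sample auth log for this example (not data from the article).
# Fields: unix_ts src_ip username result
SAMPLE_LOG = """\
1700000000 198.51.100.7 alice FAIL
1700000004 198.51.100.7 alice OK
1700000010 203.0.113.11 bob FAIL
1700000012 203.0.113.12 carol FAIL
1700000013 203.0.113.13 dave FAIL
1700000015 203.0.113.14 erin FAIL
1700000017 203.0.113.15 frank FAIL
1700000018 203.0.113.16 grace FAIL
1700000020 203.0.113.17 heidi FAIL
1700000021 203.0.113.18 ivan FAIL
1700000023 203.0.113.19 judy FAIL
1700000025 203.0.113.20 mallory FAIL
1700000026 203.0.113.21 niaj FAIL
1700000028 203.0.113.22 oscar OK
1700000130 198.51.100.9 peggy FAIL
1700000135 198.51.100.9 peggy OK
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (ts, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result))
    return events


def naive_per_ip(events, threshold=5):
    """Classic rate limiting: flag an IP once it accumulates `threshold` failures.

    Against proxied traffic this returns nothing, because each exit node is
    used for a single attempt.
    """
    failures = Counter(ip for _, ip, _, result in events if result == "FAIL")
    return sorted(ip for ip, n in failures.items() if n >= threshold)


def distributed_windows(events, window=60, min_failures=10, min_ip_ratio=0.8):
    """Flag time windows whose failures are both numerous and spread over IPs.

    Returns [(window_start_ts, failures, distinct_failing_ips)] for every
    window with at least `min_failures` failures where the fraction of
    distinct source IPs among those failures is >= `min_ip_ratio`.
    """
    per_window = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            per_window[ts // window].append(ip)
    flagged = []
    for bucket in sorted(per_window):
        ips = per_window[bucket]
        failures = len(ips)
        distinct = len(set(ips))
        if failures >= min_failures and distinct / failures >= min_ip_ratio:
            flagged.append((bucket * window, failures, distinct))
    return flagged


def successes_in_windows(events, flagged, window=60):
    """Return (user, ip) for successful logins inside flagged windows.

    These are the candidate account takeovers: any leaked credential pair that
    worked during the stuffing burst shows up here for analyst review.
    """
    starts = {start for start, _, _ in flagged}
    return [
        (user, ip)
        for ts, ip, user, result in events
        if result == "OK" and (ts // window) * window in starts
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP threshold flags:", naive_per_ip(evs))
    hits = distributed_windows(evs)
    print("distributed windows:", hits)
    print("logins to review:", successes_in_windows(evs, hits))
```

On the sample data the per-IP threshold flags nothing, while the window detector flags the one-minute burst (12 failures from 12 distinct IPs) and lists two successful logins inside it for triage. An analyst would dismiss alice quickly (failure then success from the same home IP is the shape of a typo) and focus on oscar, whose success came from an address seen exactly once, which is what a hit through a one-shot residential exit node looks like. In production the same aggregate signals are usually combined with ASN or ISP attributes and device or session fingerprints rather than used alone.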

Beyond facilitating anonymity for cybercriminals, IPIDEA also reportedly enrolled some of the same recruited devices into larger botnets, including BadBox 2.0, Aisuru, and Kimwolf.

While residential proxies are not illegal and are sometimes promoted for privacy or freedom of expression, security researchers state that they are frequently exploited by threat actors.

Enrolled devices also reportedly faced further risk: the same access that let them relay other people's traffic let them be used as launchpads for attacks on other targets.

Google's Disruptive Measures

GTIG implemented several measures to disrupt IPIDEA:

  • Taking legal and technical action to dismantle dozens of IPIDEA-related domains that ran the network's infrastructure and advertised its services.
  • Updating Google Play Protect to identify and remove affected Android applications from devices.
  • Sharing information and collaborating with security partners, including Lumen’s Black Lotus Labs and Spur for scale assessment, and Cloudflare to assist in disrupting IPIDEA’s domain resolution and backend systems.

Significant Impact, Ongoing Challenge

As a result of these interventions, the number of compromised devices available for misuse has reportedly decreased significantly. Approximately nine million Android devices linked to the network, along with hundreds of associated applications, were reportedly freed from the proxy pool.

The disruption is expected to reduce IPIDEA's available pool of devices by millions and to hinder the operators' ability to expand future malicious activities, potentially having downstream effects on affiliated operators and resellers.

While a significant portion of the network was affected, the entire IPIDEA network has not been eradicated.