
Google Cracks Down on IPIDEA's Vast Residential Proxy Network

  • Jan 29

Key Findings


  • Google and partners disrupted IPIDEA, one of the world's largest residential proxy networks, through legal domain takedowns, intelligence sharing, and ecosystem-wide enforcement.

  • IPIDEA's proxy infrastructure was heavily abused by cybercrime groups, espionage actors, and botnets like BADBOX 2.0, Aisuru, and Kimwolf.

  • Over 550 tracked threat groups used IPIDEA's exit nodes in a single week, exposing users' devices and networks to compromise and abuse.

  • Google's actions significantly degraded IPIDEA's network, reducing the pool of devices enrolled as exit nodes by millions and potentially impacting affiliated proxy operators.


Background


Residential proxy networks route traffic through real ISP-assigned residential IP addresses, allowing attackers to hide their malicious activities and evade detection. These networks require enrolling millions of consumer devices as exit nodes, often through trojanized apps or deceptive "bandwidth monetization" offers.


Google's Threat Intelligence Group (GTIG) found that IPIDEA and similar residential proxy networks are heavily abused by a wide range of threat actors, including cybercriminals, espionage groups, and botnets. In just one week in January 2026, over 550 tracked threat groups were observed leveraging IPIDEA's exit nodes.


IPIDEA's Proxy Network


IPIDEA is not a monolithic entity but rather a collection of multiple well-known residential proxy brands under its control, including 360 Proxy, Luna Proxy, PIA S5, and Radish VPN. The same actors behind IPIDEA also operate several Software Development Kits (SDKs) for residential proxies, which are embedded into third-party apps to monetize downloads and covertly turn user devices into proxy nodes.


Disrupting IPIDEA's Operations


Google, in coordination with partners like Cloudflare, Spur, and Black Lotus Labs, took several actions to disrupt IPIDEA's operations:


  • Takedown of key C2 and marketing domains used by IPIDEA

  • Enforcement through Google Play Protect to remove apps containing IPIDEA SDKs and block future installs

  • Sharing of intelligence on malicious SDKs to enable ecosystem-wide enforcement


Impact and Significance


Google's actions are estimated to have significantly degraded IPIDEA's proxy network, reducing the available pool of devices by millions. This impact may also extend to other affiliated residential proxy operators due to the shared device pools.


The dismantling of IPIDEA's infrastructure is a major blow to the thriving global market for residential proxy services, which have become a pervasive tool for cybercrime, espionage, and other malicious activities. Google's efforts highlight the growing need for stronger transparency, accountability, and industry-wide collaboration to curb the abuse of these networks.


Sources


  • https://thehackernews.com/2026/01/google-disrupts-ipidea-one-of-worlds.html

  • https://securityaffairs.com/187463/security/google-targets-ipidea-in-crackdown-on-global-residential-proxy-networks.html

  • https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network

  • https://www.storyboard18.com/digital/google-dismantles-major-residential-proxy-network-to-curb-cybercrime-and-device-abuse-88431.htm

  • https://gbhackers.com/ipidea-residential-proxy/

  • https://www.reuters.com/technology/google-disrupts-large-residential-proxy-network-reducing-devices-used-by-2026-01-28/

© 2025 by Explain IT Again. Powered and secured by Wix