Authors: Nick Sundvall, David Brunsdon
On January 13, we published our findings on the Kimwolf Botnet inside our enterprise customer networks. We were alarmed to find that ~25% of our customers had the Kimwolf domain in their networks, driven by residential proxies. Today, we follow up on that reporting by compiling billions of DNS resolutions and the associated network telemetry to measure the impact of residential proxies across our customer base. Surprisingly, we found that over 65% of Infoblox Threat Defense Cloud customers made queries in 2026 to the domains used to access or orchestrate residential proxy networks. The prevalence of these services within customer environments warrants attention from both network defenders and policy makers, who should consider how the risks posed by residential proxies could be affecting their security posture.
A residential proxy running inside a corporate environment grants outsiders access to the organization’s IP space. If threat actors abuse that proxy to attack a third party, the third party’s incident response will, correctly, identify your address as the source. Proving that you were the conduit and not the attacker costs time, creates legal exposure, and can damage your reputation.
At Infoblox, we have a unique perspective into the use of residential proxies, as illustrated in Figure 1. Devices on our customers’ networks use our recursive resolvers, not just for typical, user-initiated traffic, but also to resolve the domains used to orchestrate the residential proxies, and even to resolve the domains accessed by the external proxy users. This means the customer’s content filtering policies are applied to the proxied traffic as well, with malicious or unwanted domains handled and reported on according to the customer’s security configuration. This visibility into the use of residential proxies is clearly advantageous; however, it is not without its challenges. Actors leveraging residential proxies are unlikely to adhere to acceptable use policies, and their activity often includes access to suspicious, malicious, or policy-violating domains. As a result, this traffic can generate a disproportionate volume of security alerts, effectively surfacing abuse that would otherwise remain obscured and increasing the analytical burden on defenders.

Figure 1: Infoblox visibility into residential proxies.
We used our visibility into DNS queries and a newfound appreciation of residential proxies to evaluate the breadth and depth of their use in our cloud customer environment. In addition to 65% of the customer base querying residential proxy related domains, we saw steady growth in these queries in 2025, with a 25% increase over the year to over 500 billion per month. Despite actions taken against one service, IPIDEA, in January 2026 and heightened awareness of the risks associated with these services, we have seen no reduction in their use. Indeed, we saw curious traffic anomalies around the time that action was taken against IPIDEA.
While there are many potential sources for these queries, from mobile apps to browser extensions to rogue TVs, we saw clear trends in the dominant services being contacted, both in volume of queries and in breadth of customers. The most frequently seen proxy service is associated with scraping for AI models, but we also saw applications that network owners may not realize are running on their devices, let alone contributing those devices to residential proxy pools. In a bit of irony, users of residential proxies are subject to the customer’s protective DNS policies, which may block their access to malicious domains. The purpose of this blog is not to point fingers, but to raise awareness of how prevalent these services can be in a network and the impact they can have on DNS volumes.
During the last several months, we have collaborated with Synthient to better understand residential proxies and identify how these services, and the malicious actors who sometimes promote them, impact global networks. Each of us has a different perspective on the traffic, and Synthient has written “Who Are the Victims of Residential Proxies?” from theirs.
So, What Are Residential Proxies?
A residential proxy routes internet traffic through devices that belong to everyday consumers, such as home routers, mobile devices, IoT devices, and devices running applications with embedded proxyware. Related obfuscation tools such as Tor and commercial VPNs produce anonymized traffic: the destination knows the connection is masked, even if it doesn’t know by whom. Residential proxies produce laundered (disguised) traffic: the destination believes it knows exactly who is connecting, but it is wrong.
This is exactly what makes residential proxies valuable to attackers:
- They evade IP reputation systems that protect datacenter infrastructure
- They bypass fraud detection and verification controls
- They allow abuse traffic to blend into “normal” consumer noise
Residential proxies can source their IP addresses ethically by being up-front with users about what their apps are doing and how it may affect them. In many cases, however, the proxy software is installed without consent, or implanted maliciously as proxyware, an attack similar to cryptojacking. With cryptojacking, the attacker consumes energy and CPU time; with unauthorized proxyware, it is bandwidth and IP space that is taken. Actors favor embedding proxyware in devices and applications that are internet accessible and always on.
Application developers can embed software development kits (SDKs) provided by the residential proxy networks into their products to monetize their software, allowing them to receive a small amount of money on each installation. Because of this, devices are frequently enrolled without the owner’s knowledge, typically through free applications such as:
- VPNs
- Streaming apps
- Screensavers
- “Productivity” apps such as PDF viewers and break reminders
Low-cost IoT devices, such as digital picture frames or media streaming devices, have also become a popular home to these SDKs. Some of these devices come with proxyware pre-installed, while others receive the capabilities through updates from unofficial app stores.
Another concern is the potential for probing internal networks, as the Kimwolf Botnet did. An ethically designed residential proxy would refuse to route traffic to internal IP addresses, but if the app allows it, threat actors can use the proxy to launch attacks on internal devices.
From the end user’s perspective, nothing looks wrong, and the bandwidth consumed is not always significant, so they may not notice anything out of the ordinary. However, once such a device crosses into a corporate environment, the unwelcome traffic carries risks, from a network defender’s perspective, that the end user does not fully appreciate.
In this report, we examine the queries to the different residential proxy services. We are not stating whether we believe specific proxies are “ethical” vs. “non-ethical” or malicious vs. benign. That said, many residential proxy services operate in a grey space, and we have observed activities from some organizations that raise questions about their stated commitments to ethical practices. Moreover, many of these proxies use lookalike domains that mimic other residential proxy providers, which lowers our confidence in their legitimacy as well as in our attribution.
One thing our research could not determine was exactly how much residential proxy usage is intentional. Details such as how a provider sources their IP addresses are not always clear, and many use confusing or buried disclosures in their policies. In one provider’s policies we reviewed, the substantive description of the proxy arrangement appeared only after navigating through three separate documents from two affiliated companies. A concern remains that the residential proxy market is supported in significant part by users who may not fully understand the nature of their participation.
A Growing Presence in Customer Traffic
Across our customer base, residential proxy–related DNS traffic is both significant and increasing. Between January 2025 and April 2026, we observed that the total number of monthly queries to residential proxy domains steadily grew from nearly 400 billion to over 500 billion—an increase of ~25% (as shown in Figure 2). There are likely several explanations for this: certainly, the rise in AI-related training, which often requires scraping websites, is a major driver of residential proxy demand. Residential proxies bypass many anti-scraping measures, as the traffic appears to be coming from the devices of real people.

Figure 2: Graph showing the total number of queries to residential proxies by month
Figure 3 shows the number of queries from our cloud customers to domains associated with Infatica. For over two weeks, there is a relatively low volume, tens of thousands of queries per day, which then quickly ramps up to around 1 million queries per day. Interestingly, this spike happens shortly before Google took down IPIDEA.

Figure 3: Graph of the number of queries to Infatica domains during January 2026. The dips in volume on the 24th, 25th, and 31st are likely due to those days being weekends when fewer enterprise employees were working.
During the days around the takedown of IPIDEA, traffic behaved in ways we are not confident in explaining. Figure 4 shows the number of customers observed calling out to ipinfo[.]ipidea[.]io. While a spike in total queries to that domain occurred at the same time, it is the number of customer networks affected growing by 265% in a single day that is particularly remarkable. We asked several experts in the residential proxy space about the jump, but none had an explanation.

Figure 4: Graph of the number of customers querying ipinfo[.]ipidea[.]io. A large increase in customers querying the domain (over 265%) occurs on January 23rd. The number of customers querying the domain begins a dramatic drop around the announcement by Google on January 28th.
As seen in Figure 5, several well-known residential proxy providers stand out due to the number of cloud customer networks they appeared in.

Figure 5: Graph of the percentage of cloud customers that have queried each proxy service or botnet
- Brightdata is by far the most frequently observed proxy service, appearing in over 50% of cloud customers. Both Brightdata and Oxylabs offer residential proxies for businesses, advertising that they can be used for web scraping to train AI.
- Hola VPN is advertised as a free VPN, but it is in fact a residential proxy service offered in conjunction with an affiliated company, and the free browser extension provides the supply side of the proxy network. Users who install Hola become “peers” whose IP addresses are used as exit points for the affiliated company’s commercial customers.
- Honeygain is a residential proxy that pays users to allow others to use their residential IP address as a proxy. Honeygain also runs CareBuzz, which is a similar product but claims to give the revenue to a charity of the user’s choosing.
- Grass is a residential proxy that states that it “turns your unused internet into rewards automatically” and pays out the rewards in cryptocurrency, namely the $GRASS token. Grass was reportedly pre-installed on Superboxes, Android TV streaming devices, adding users to the network without their knowledge. According to previous reporting by Krebs on Security, the CEO of Grass said he had no connection with Superbox and “It looks like these boxes are distributing an unethical proxy network which people are using to try to take advantage of Grass”. Regardless of how Grass is distributed, it has a large presence across our customer base.
Figure 6 illustrates the broad impact of residential proxies across our customer base: in every vertical market, at least 40% of our customers contained such traffic.

Figure 6: Graph of what percentage of each industry has queried residential proxies
Over 90% of our pharmaceutical and food & beverage customers have queried residential proxy indicators. Perhaps even more concerning is that over 60% of government and banking customers have as well.
To look deeper into the usage of residential proxies, we created a heatmap (Figure 7), which illustrates the popularity of specific residential proxy services in various industry vertical markets. The appearance of education at the top seems unsurprising, because there could be many students on higher-education networks willingly trading access to their network for monetary compensation. After education, however, the results are more concerning from a security professional’s perspective: pharmaceutical, electronics, industrial, and healthcare all show strong residential proxy use. In our experience, companies in these verticals tend to have a much lower tolerance for risk, so these network defenders might want to take note of services that appear in their network traffic. Some of the residential proxy services might have a valid business reason, while others may not.

Figure 7: Heatmap of proxies in various industries
Every organization has unique security concerns, but we recommend the following:
- Risk-averse organizations should consider mechanisms, including Protective DNS, to detect and block unauthorized residential proxies within the network.
- Review your DNS query logs, if you have them, for the presence of queries to known residential proxy domains.
- Review installed applications, browser extensions, and IoT devices within your network for residential proxy usage.
- If you use Protective DNS, check your current response policies. Risk-averse organizations should consider blocking bogon resolutions, as well as suspicious and malicious domains.
- Check your IP addresses with Synthient or another organization tracking residential proxies.
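As an added example of the second and fourth recommendations above (this is illustrative code written for this page, not Infoblox tooling or any Threat Defense feature), the script below triages a small DNS query log two ways: it flags queries to domains associated with residential proxy services, and it flags answers that resolve names outside the organization’s own zones into bogon or private address space, which is how a proxy exit inside the network could be steered at internal hosts. The log format, the internal zone list, and the indicator list are assumptions; ipidea[.]io is the one proxy domain named in this post, and the second indicator is a placeholder that a defender would replace with a vetted threat-intelligence feed. The sample log lines are constructed, using TEST-NET addresses in place of public IPs.

```python
"""Added example (not Infoblox code): triage DNS query logs for residential proxy
indicators and for answers that resolve external names into bogon/internal space."""
import ipaddress
from collections import Counter

# ASSUMPTION: domain suffixes tied to residential proxy services. ipidea.io is the
# one the post names; the second entry is a placeholder. In practice, feed this
# from a vetted threat-intelligence list rather than hand-maintaining it.
PROXY_SUFFIXES = ("ipidea.io", "example-proxy-sdk.net")

# ASSUMPTION: zones whose names legitimately resolve to private addresses.
INTERNAL_ZONES = ("corp.example.internal",)

# Abbreviated bogon list: private, loopback, link-local, CGNAT, multicast and
# reserved ranges. The TEST-NET documentation ranges (198.51.100.0/24,
# 203.0.113.0/24) are left out because they stand in for public addresses in the
# constructed sample below.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed sample log. Format (an assumption, not a real resolver's output):
# <timestamp> <client ip> <qname> <qtype> <rcode> [<answer>,<answer>...]
SAMPLE_LOG = """\
2026-01-23T08:01:12Z 10.20.5.17 ipinfo.ipidea.io A NOERROR 203.0.113.10
2026-01-23T08:01:13Z 10.20.5.17 www.example.com A NOERROR 198.51.100.7
2026-01-23T08:02:40Z 10.20.7.2 gw.corp.example.internal A NOERROR 10.20.0.1
2026-01-23T08:03:01Z 10.20.5.17 cdn.scrape-target.example A NOERROR 192.168.1.1
2026-01-23T08:03:05Z 10.20.9.44 sdk.example-proxy-sdk.net A NXDOMAIN
2026-01-23T08:03:09Z 10.20.9.44 ipidea.io. A NOERROR 203.0.113.11
"""


def in_zone(qname, zones):
    """True if qname is a zone apex or a subdomain of it (label-aligned, no substring matches)."""
    return any(qname == z or qname.endswith("." + z) for z in zones)


def is_bogon(addr):
    """True if addr parses as an IP and falls inside one of BOGON_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in BOGON_NETS)


def parse_line(line):
    """Split one log line into a record; returns None for short or malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, client, qname, qtype, rcode = parts[:5]
    answers = parts[5].split(",") if len(parts) > 5 else []
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype, "rcode": rcode, "answers": answers}


def analyze(lines):
    """Return proxy-domain hits, bogon answers for external names, and per-client counts."""
    findings = {"proxy_queries": [], "bogon_answers": []}
    per_client = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if in_zone(rec["qname"], PROXY_SUFFIXES):
            findings["proxy_queries"].append(rec)
            per_client[rec["client"]] += 1
        # A name outside our own zones resolving into bogon space deserves a look:
        # it is how a proxy exit inside the network could be pointed at internal hosts.
        bogons = [a for a in rec["answers"] if is_bogon(a)]
        if bogons and not in_zone(rec["qname"], INTERNAL_ZONES):
            findings["bogon_answers"].append((rec, bogons))
    findings["clients_by_count"] = per_client.most_common()
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for rec in result["proxy_queries"]:
        print(f"proxy indicator  {rec['ts']} {rec['client']} -> {rec['qname']} ({rec['rcode']})")
    for rec, bogons in result["bogon_answers"]:
        print(f"bogon answer     {rec['ts']} {rec['client']} -> {rec['qname']} = {','.join(bogons)}")
    print("clients by proxy-query count:", result["clients_by_count"])
```

Two details matter in practice. Suffix matching is label-aligned, so a name like evilipidea[.]io does not match ipidea[.]io and a trailing-dot FQDN is normalized before comparison. The bogon check is gated on the organization’s own zones because internal names resolving to RFC 1918 space is normal; it is an external name doing so that is the signal, and the NXDOMAIN line shows that a query with no answers is still counted as a proxy indicator.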