Google Disrupts Major Residential Proxy Network Linked to Global Cybercrime

The network was used by hundreds of cybercrime and espionage groups to hide malicious activity behind consumer internet connections.

    Google has moved to disrupt what it says is one of the largest residential proxy networks in operation, cutting off infrastructure that allegedly allowed cybercriminals and espionage groups to route activity through millions of unsuspecting consumer devices.

    In a statement released this week, the company said it coordinated with industry partners and law enforcement to take down key parts of the IPIDEA residential proxy network. The effort included legal action against domains used to control infected devices, intelligence sharing on malicious software components, and platform enforcement to prevent further spread.

    “This week, Google and partners took action to disrupt what we believe is one of the largest residential proxy networks in the world, the IPIDEA proxy network,” the company said. “IPIDEA’s proxy infrastructure is a little-known component of the digital ecosystem leveraged by a wide array of bad actors.”

    Residential proxy networks sell access to real internet service provider-assigned home IP addresses, making malicious traffic harder to detect. To operate at scale, they rely on large numbers of consumer devices that act as exit points. Google Threat Intelligence Group said many of these devices were enrolled without clear consent via software development kits embedded in mobile and desktop apps or through misleading bandwidth-sharing schemes.

    According to Google, IPIDEA has been heavily used by cybercrime groups, botnets, and state-linked actors. In one seven-day period in January 2026, researchers observed more than 550 tracked threat groups using IPIDEA-linked IP addresses to mask activities such as account intrusions and password attacks.

    “We believe our actions have caused significant degradation of IPIDEA’s proxy network and business operations, reducing the available pool of devices for the proxy operators by millions,” Google said, adding that shared device pools could mean knock-on effects for affiliated proxy services.

    As part of the crackdown, Google said it enforced Android platform policies to ensure Play Protect automatically warns users, removes apps containing IPIDEA-related software, and blocks future installation attempts on certified devices. The company also took legal steps to shut down domains used to market proxy services and to manage command-and-control operations.

    The investigation found that several proxy and VPN brands presented as independent services were controlled by the same actors behind IPIDEA. Google said these operators distributed multiple SDKs across Android, Windows, iOS, and other platforms that quietly converted user devices into proxy nodes while claiming to help developers generate revenue.

    “These SDKs are the core growth mechanism for residential proxy networks…often embedded without adequate disclosure, exposing users to abuse and security risks,” Google posted.

    Beyond enabling illicit activity, Google warned that residential proxies can put consumers at direct risk. Devices used as exit nodes may carry unauthorized traffic, expose home networks to compromise, and leave users facing reputational or legal scrutiny if malicious activity is traced back to their connection.

    Google said it worked with partners including Cloudflare, Spur, and Black Lotus Labs to disrupt IPIDEA’s infrastructure and share technical indicators with the wider security community.

    While the company said the operation significantly weakened IPIDEA, it warned that the broader residential proxy market continues to expand.

    “We encourage mobile platforms, ISPs and other technology companies to continue sharing intelligence and applying best practices to identify illicit proxy networks and limit their harms,” Google said.

    The company also urged consumers to avoid apps that offer payment for sharing internet bandwidth and to rely on trusted app stores and built-in security protections.
