Google Disrupts IPIDEA, One of the World's Largest Residential Proxy Networks Used by 550+ Threat Groups
Google Threat Intelligence Group (GTIG) has led a coordinated disruption of IPIDEA, believed to be one of the largest residential proxy networks in the world. The operation reduced the network's available device pool by millions and exposed infrastructure leveraged by over 550 threat groups in a single week.
Scale of Abuse
In a seven-day period in January 2026, GTIG observed over 550 individual threat groups utilizing IPIDEA exit nodes to mask their activities, including actors from China, North Korea, Iran, and Russia. Activities included accessing victim SaaS environments, compromising on-premises infrastructure, and conducting password spray attacks.
IPIDEA's infrastructure has been linked to multiple botnets including BadBox2.0, Aisuru, and Kimwolf.
How the Network Operated
Residential proxy networks route malicious traffic through IP addresses belonging to ordinary consumers, making detection extremely difficult for defenders. IPIDEA built its network through:
- Malicious SDKs marketed to app developers as monetization tools (PacketSDK, EarnSDK, CastarSDK, HexSDK)
- Trojanized VPN applications (Galleon VPN, Radish VPN) that secretly enrolled devices as proxy exit nodes
- Pre-loaded malware on uncertified Android devices like TV set-top boxes
GTIG identified over 600 Android applications and 3,075 unique Windows executables connecting to IPIDEA's command and control infrastructure—including apps masquerading as OneDriveSync and Windows Update.
The IPIDEA Empire
Analysis revealed that multiple "independent" proxy and VPN brands are controlled by the same actors:
- 360 Proxy, 922 Proxy, ABC Proxy, Cherry Proxy
- Luna Proxy, PIA S5 Proxy, PY Proxy, Tab Proxy
- IP2World, Door VPN, Galleon VPN, Radish VPN
All share a common two-tier command and control system with approximately 7,400 Tier Two servers routing traffic globally.
Disruption Actions
Google's response included:
- Legal action to take down C2 domains and marketing infrastructure
- Google Play Protect updated to automatically detect and remove apps with IPIDEA SDKs
- Intelligence sharing with law enforcement, Cloudflare, Lumen's Black Lotus Labs, and Spur
Consumer Risk
Devices enrolled in residential proxy networks face significant security risks. GTIG confirmed that IPIDEA's proxy software not only routes traffic through devices but also sends traffic to them—effectively exposing home networks to attackers.
Indicators of Compromise
C2 Domains:
packetsdk[.]io
packetsdk[.]net
packetsdk[.]xyz
hexsdk[.]com
castarsdk[.]com
holadns[.]com
martianinc[.]co
Code Signing Certificates (Hong Kong entities):
- HONGKONG LINGYUN MDT INFOTECH LIMITED
- FIRENET LIMITED
- PRINCE LEGEND LIMITED
- MARS BROTHERS LIMITED
- DATALABS LIMITED
Sample Hashes (SHA-256):
PacketSDK DLL: aef34f14456358db91840c416e55acc7d10185ff2beb362ea24697d7cdad321f
Radish VPN: 59cbdecfc01eba859d12fbeb48f96fe3fe841ac1aafa6bd38eff92f0dcfd4554
Luna Proxy: 01ac6012d4316b68bb3165ee451f2fcc494e4e37011a73b8cf2680de3364fcf4
Recommendations
- Avoid applications offering payment for "unused bandwidth"
- Use only official app stores and verify VPN providers
- Ensure Google Play Protect is enabled on Android devices
- Purchase connected devices only from reputable manufacturers
- Block listed C2 domains at network perimeter
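The script below is an added example, not code from GTIG or from the page above, showing how a defender can put the indicators listed in the Indicators of Compromise section to work: it refangs the C2 domains, flags DNS queries for those domains or any subdomain of them (without matching unrelated names that merely end in the same characters), checks file hashes against the listed SHA-256 values, and emits Unbound local-zone lines for the perimeter resolver. The DNS log format and the file entries are constructed for illustration; the domains and hashes are the ones listed on this page.

```python
"""Match the IPIDEA IOCs from this page against DNS query logs and file hashes.

Added example. The log lines and file entries are constructed; the indicators
are the ones listed in the Indicators of Compromise section above.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple

# Defanged C2 domains exactly as listed in the IOC section.
DEFANGED_C2_DOMAINS = [
    "packetsdk[.]io",
    "packetsdk[.]net",
    "packetsdk[.]xyz",
    "hexsdk[.]com",
    "castarsdk[.]com",
    "holadns[.]com",
    "martianinc[.]co",
]

# SHA-256 hashes as listed in the IOC section, mapped to the sample they identify.
IOC_SHA256 = {
    "aef34f14456358db91840c416e55acc7d10185ff2beb362ea24697d7cdad321f": "PacketSDK DLL",
    "59cbdecfc01eba859d12fbeb48f96fe3fe841ac1aafa6bd38eff92f0dcfd4554": "Radish VPN",
    "01ac6012d4316b68bb3165ee451f2fcc494e4e37011a73b8cf2680de3364fcf4": "Luna Proxy",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'hexsdk[.]com' back into 'hexsdk.com'."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


C2_DOMAINS = [refang(d) for d in DEFANGED_C2_DOMAINS]


def matches_c2(qname: str) -> Optional[str]:
    """Return the listed C2 domain if qname is that domain or a subdomain of it.

    The '.' prefix on the suffix check keeps 'notpacketsdk.io' from matching
    'packetsdk.io'; the trailing-dot strip handles fully qualified names.
    """
    name = qname.lower().rstrip(".")
    for c2 in C2_DOMAINS:
        if name == c2 or name.endswith("." + c2):
            return c2
    return None


# Constructed DNS query log in a simple "time client query qname qtype" format
# (an illustrative layout, not any particular resolver's native log format).
SAMPLE_DNS_LOG = """\
2026-01-14T10:02:11Z 10.0.5.23 query api.packetsdk.io A
2026-01-14T10:02:12Z 10.0.5.23 query www.google.com A
2026-01-14T10:03:40Z 10.0.7.9 query notpacketsdk.io A
2026-01-14T10:04:01Z 10.0.7.9 query HOLADNS.COM. A
2026-01-14T10:05:55Z 10.0.9.2 query update.windows.com A
"""


def scan_dns_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried_name, matched_c2) for every query hitting an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue  # skip malformed or non-query lines
        client, qname = parts[1], parts[3]
        c2 = matches_c2(qname)
        if c2:
            hits.append((client, qname, c2))
    return hits


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file on disk, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_hashes(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Given (path, sha256_hex) pairs, return (path, sample_label) for IOC matches."""
    hits = []
    for path, digest in entries:
        label = IOC_SHA256.get(digest.lower())
        if label:
            hits.append((path, label))
    return hits


def unbound_blocklist() -> List[str]:
    """Unbound local-zone lines that answer NXDOMAIN for each C2 domain and its subdomains."""
    return [f'local-zone: "{c2}" always_nxdomain' for c2 in C2_DOMAINS]


if __name__ == "__main__":
    for client, qname, c2 in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"ALERT {client} queried {qname} (IOC domain {c2})")
    # Constructed file inventory: one known-bad hash (upper-case on purpose) and one benign.
    inventory = [
        ("C:\\ProgramData\\sync\\OneDriveSync.dll",
         "AEF34F14456358DB91840C416E55ACC7D10185FF2BEB362EA24697D7CDAD321F"),
        ("C:\\Windows\\notepad.exe", "00" * 32),
    ]
    for path, label in scan_hashes(inventory):
        print(f"ALERT {path} matches IOC hash for {label}")
    print("\n".join(unbound_blocklist()))
```

Drop the `unbound_blocklist()` output into the resolver's configuration to sink the listed domains; the subdomain-aware `matches_c2` check is the one to reuse in log pipelines, since the SDKs reach C2 through hostnames under these domains rather than the bare apex. Hash matching is only as good as the three samples listed, so treat a miss as "not one of these builds", not as a clean bill of health.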