
Google Dismantles Massive IPIDEA Residential Proxy Network, Disrupting Global Cybercrime

Google has announced a significant disruption of IPIDEA, identified as one of the world's largest residential proxy networks. This operation, involving legal action and intelligence sharing, has severely degraded the network's infrastructure and business operations, reducing the available pool of hijacked devices by millions. IPIDEA facilitated a wide range of malicious activities, from cybercrime and espionage to information operations, by routing traffic through compromised consumer devices.

Key Takeaways

  • Google, in partnership with other entities, has successfully disrupted the IPIDEA residential proxy network.

  • The operation involved taking down control domains and sharing technical intelligence.

  • Millions of devices previously used by IPIDEA have been removed from its network.

  • IPIDEA's infrastructure was exploited by over 550 threat groups globally.

  • Google Play Protect has been updated to detect and remove apps containing IPIDEA code.

How IPIDEA Operated

IPIDEA functioned by enrolling consumer devices into its network, turning them into "exit nodes" that routed traffic for malicious actors. This was achieved through software development kits (SDKs) embedded in applications, often disguised as utilities, games, or even VPNs. Users might unknowingly download these applications, or in some cases, knowingly install them by being lured with promises of earning money by sharing their "unused bandwidth."

These residential proxy networks are distinct from data center proxies because they utilize IP addresses assigned by Internet Service Providers (ISPs) to actual homes and small businesses. This makes malicious traffic harder to detect and block, as it appears to originate from legitimate user connections.

The Scope of IPIDEA's Network

Google's investigation revealed that IPIDEA controlled numerous proxy and VPN brands, including 360 Proxy, 922 Proxy, ABC Proxy, Door VPN, Galleon VPN, and Radish VPN, among others. The network utilized a two-tier command-and-control (C2) system, with approximately 7,400 Tier Two servers globally managing traffic routing. The SDKs, such as Castar SDK, Earn SDK, Hex SDK, and Packet SDK, were marketed to developers as a monetization tool, often paid on a per-download basis.

Impact and Mitigation Efforts

In a single week in January 2026, Google Threat Intelligence Group (GTIG) observed over 550 threat groups, including those from China, North Korea, Iran, and Russia, leveraging IPIDEA's exit nodes for activities like accessing victim SaaS environments, compromising on-premises infrastructure, and conducting password spray attacks. The network was also implicated in facilitating botnets such as BADBOX 2.0, Aisuru, and Kimwolf.
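The password-spray activity described above is hard to catch with per-source-IP lockout rules precisely because a residential proxy pool lets an attacker spread a handful of attempts across thousands of home IP addresses. The following added example, which is not code from Google, GTIG, or any of the cited sources, shows the detection shape a defender would use instead: count distinct accounts and distinct source IPs per time window and flag windows where many accounts fail from many IPs while every single IP stays under the usual per-IP threshold. The log format, the thresholds, and the IP addresses are constructed sample data and assumptions for this illustration.

```python
"""Distributed ("low-and-slow") password-spray detection over auth logs.

Added illustrative example, not code from the article or its sources.
The log format, thresholds and IP addresses below are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<ISO timestamp> <user> <source_ip> <result>".
# Ten different accounts each fail once from ten different IPs within a minute,
# then one IP fails twice against a single account half an hour later.
SAMPLE_LOG = """\
2026-01-12T09:00:01 alice 203.0.113.10 FAIL
2026-01-12T09:00:07 bob 198.51.100.22 FAIL
2026-01-12T09:00:13 carol 192.0.2.5 FAIL
2026-01-12T09:00:19 dave 203.0.113.77 FAIL
2026-01-12T09:00:25 erin 198.51.100.9 FAIL
2026-01-12T09:00:31 frank 192.0.2.44 FAIL
2026-01-12T09:00:37 grace 203.0.113.200 FAIL
2026-01-12T09:00:43 heidi 198.51.100.130 FAIL
2026-01-12T09:00:49 ivan 192.0.2.99 FAIL
2026-01-12T09:00:55 judy 203.0.113.5 FAIL
2026-01-12T09:01:01 alice 203.0.113.10 OK
2026-01-12T09:30:00 mallory 192.0.2.7 FAIL
2026-01-12T09:30:05 mallory 192.0.2.7 FAIL
"""

EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Parse lines of 'timestamp user ip result' into (datetime, user, ip, result).

    Blank or malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return events


def per_ip_failures(events):
    """Classic per-source-IP failure count, the signal an IP-ban rule keys on.

    Against a residential proxy pool this stays low for every IP."""
    return Counter(ip for _, _, ip, result in events if result == "FAIL")


def detect_distributed_spray(events, window=timedelta(minutes=10),
                             min_users=8, min_ips=8, max_fails_per_ip=3):
    """Flag time windows where failures touch many accounts from many distinct
    IPs while no single IP exceeds max_fails_per_ip.

    Returns one finding dict per flagged window (thresholds are assumptions)."""
    buckets = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            # Fixed-size windows keyed by integer division of time since epoch.
            buckets[(ts - EPOCH) // window].append((user, ip))

    findings = []
    for bucket, fails in sorted(buckets.items()):
        users = {u for u, _ in fails}
        ip_counts = Counter(ip for _, ip in fails)
        if (len(users) >= min_users and len(ip_counts) >= min_ips
                and max(ip_counts.values()) <= max_fails_per_ip):
            findings.append({
                "window_start": EPOCH + bucket * window,
                "failures": len(fails),
                "distinct_users": len(users),
                "distinct_ips": len(ip_counts),
                "max_fails_per_ip": max(ip_counts.values()),
            })
    return findings


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("highest per-IP failure count:", max(per_ip_failures(ev).values()))
    for finding in detect_distributed_spray(ev):
        print("distributed spray window:", finding)
```

On the sample data no IP fails more than twice, so a per-IP rule with any realistic threshold stays silent, while the window view flags the 09:00 window with ten accounts probed from ten IPs. In production the same aggregation would run over an identity provider's sign-in log, and the IP list in a flagged window is what you would enrich against a residential-proxy or ASN feed such as the ones the partners named in this article publish.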

Google's response included legal action to seize control and marketing domains, sharing intelligence with platform providers and law enforcement, and updating Google Play Protect to automatically warn users, remove malicious applications, and block future installations on certified Android devices. The company also partnered with entities like Cloudflare, Spur, and Lumen's Black Lotus Labs to amplify the disruption.

Sources

  • Google Disrupts IPIDEA — One of the World's Largest Residential Proxy Networks, The Hacker News.

  • Disrupting the World's Largest Residential Proxy Network, Google Cloud.

  • Google Disrupts IPIDEA Proxy Network, SecurityWeek.

  • Google Dismantles World's Largest IPIDEA Residential Proxy Network In Major Takedown, Cyber Press.
