
Millions of devices, previously exploited as proxies by cybercriminals, espionage groups, and data thieves, are no longer in use after Google targeted IPIDEA, a China-based residential proxy network. Google’s Threat Intelligence Group (GTIG) initiated legal actions and shared intelligence to disrupt the company’s domain infrastructure, as detailed in a recent blog post.
This operation, supported by Cloudflare, Lumen’s Black Lotus Labs, and Spur, damaged a portion of IPIDEA’s proxy infrastructure. Such coordinated efforts against malicious networks demonstrate the persistent challenge faced by threat intelligence teams in dismantling extensive and evolving cybercriminal operations.
Early reports suggest a reduction of approximately 40% in IPIDEA’s proxy network.
Chris Formosa, a senior lead information security engineer at Lumen Technologies’ Black Lotus Labs, noted that around 5 million unique bots were still communicating with IPIDEA’s command and control servers, indicating the network retains a significant volume of proxies.
Before the domain takedowns, Lumen observed an average of 8.5 million proxies connecting to IPIDEA’s servers each day. Formosa estimated the true number of proxies was likely between 10 and 11 million, of which Lumen’s visibility captured the 8.5 million it observed.
Google researchers identified multiple proxy and VPN brands that appeared independent but were actually controlled by IPIDEA. Investigations revealed several domains owned by IPIDEA that supported SDKs for residential proxies, which were integrated into existing applications.
Developers incorporating these SDKs into their applications receive payment from IPIDEA, usually per download. According to Google’s report, these SDKs are crucial for residential proxy networks, as the software they are embedded in supplies network operators with the vast number of devices required to sustain such a network.
While residential proxy networks can have legitimate uses, researchers have consistently warned that unethical or criminal entities exploit these networks to create and maintain botnets, conduct cybercrime, engage in espionage, and facilitate other harmful activities.
Charley Snyder, a senior manager at GTIG, stated that the residential proxy industry is growing quickly, with GTIG’s research suggesting that most of this expansion is driven by malicious applications. GTIG’s findings indicate that these proxies are predominantly misused by malicious actors.
Many service providers are reportedly bundling proxy malware within software downloads, leading users to unknowingly allow proxy networks to commandeer their internet bandwidth for concealing cybercrime.
Earlier this month, over the course of a single week, Google detected more than 550 distinct threat groups, including groups from China, North Korea, Iran, and Russia, using IP addresses identified as IPIDEA exit nodes. These groups reportedly used the exit nodes to access victim cloud environments and on-premises infrastructure, and to launch password-spray attacks.
Security teams and cyber authorities are increasingly focusing on the underlying systems and infrastructure that facilitate cybercrime, aiming to restrict resources and intensify pressure on these illicit operations.
Snyder explained that by targeting the tools criminals employ, rather than solely the criminals, defenders can inflict substantial, difficult-to-recover costs on the cybercrime ecosystem.
Google’s actions successfully cut the command-and-control connections between operators and millions of devices, and dismantled associated storefronts, thereby undermining IPIDEA’s efforts to build brand recognition and market presence.
Despite Google’s significant impact on IPIDEA’s infrastructure, the broader struggle against this company and similar entities persists.
Snyder described the ecosystem as highly complex, involving numerous brands and shell entities. He acknowledged the disruption’s significance but emphasized that the ecosystem’s reliance on anonymity and shared resources means it has endured previous takedowns, indicating ongoing efforts are necessary.