Ipidea
Ipidea is a Chinese company known for having operated a large residential proxy. Google researchers discovered that Ipidea controlled millions of residential Internet connections through consumer devices, including PCs and smart phones, for use as proxies by other businesses and consumers.[1][2][3][4]
Ipidea maintained control over these residential connections through its own VPN services, as well as through third-party apps that embed its monetisation tools.[4] Google said its actions severed the control that Ipidea had over millions of customer devices, calling it "one of the largest residential proxy networks in the world" as of early 2026.[1][4]
In January 2026, Google obtained a court order to remove dozens of Ipidea-owned domains from the internet.[2]
VPN brands
Ipidea offered VPN services to consumers with "no clear disclosure" that these turned devices into proxy nodes.[5][3]
These brands included:
- DoorVPN, Galleon VPN, Radish VPN, and Aman VPN (discovered by Google researchers),[4]
- 922 Proxy, 360 Proxy, and Luna Proxy (reported by Help Net Security).[6]
SDK infrastructure
Beyond its consumer VPN products, Ipidea provided software development kits (SDKs) that were marketed as monetisation tools for third-party app developers.[4] These SDKs supported apps for the Android, Windows, iOS, and LG WebOS platforms.[4]
Developers who embedded these SDKs into their applications were usually paid by Ipidea on a per-download basis.[4] When end users installed those apps, their devices were silently enrolled as exit nodes for Ipidea's proxy business, typically without the users' knowledge or consent.[7] The SDKs were branded as Castar SDK, Earn SDK, Hex SDK, and Packet SDK.[4]
Google Threat Intelligence Group (GTIG) identified more than 600 Android applications and 3,075 unique Windows binaries that had communicated with Ipidea's control infrastructure.[8] Some of the Windows binaries masqueraded as trusted system tools, including OneDrive Sync and Windows Update.[9] In some cases, cheap Android TV set-top boxes came with Ipidea's proxy software pre-installed.[10]
Technical architecture
Ipidea's proxy network used a two-tier command-and-control (C2) architecture. Infected devices first contacted a Tier One server to receive configuration data and a list of Tier Two nodes. They then connected to a Tier Two server, which assigned proxying tasks and relayed traffic.[11] GTIG identified approximately 7,400 Tier Two servers globally, confirming that despite operating across many distinct brands and domains, the network was centrally managed by a single set of operators.[12]
Botnet links
Ipidea's SDKs played a key role in adding devices to several botnets. In July 2025, Google filed a lawsuit against 25 unnamed individuals or entities in China over the BadBox 2.0 botnet, a network of more than 10 million uncertified Android devices, after identifying links to Ipidea's infrastructure.[13] The Aisuru botnet, whose operators initially used the network primarily for distributed denial-of-service (DDoS) attacks, also leveraged Ipidea's proxy pool.[14]
The Kimwolf botnet separately exploited a vulnerability in Ipidea's infrastructure to tunnel back through the proxy network and compromise local-network devices. Security researcher Brundage of Synthient confirmed on 1 December 2025 that Kimwolf operators were using Ipidea exit nodes to reach Internet of Things (IoT) devices sitting behind home firewalls. By 30 December 2025, Synthient was tracking roughly 2 million Ipidea addresses exploited by Kimwolf in the previous week.[15]
The Register noted that Ipidea not only facilitated cybercriminals seeking anonymity but, in several cases, also enrolled the same devices it recruited into these botnets.[16]
Abuse by threat actors
In a single seven-day period in January 2026, GTIG observed more than 550 individual threat groups using Ipidea exit nodes to obfuscate their activities.[4] These groups included state-sponsored operations linked to China, North Korea, Iran, and Russia. Observed activities included password spray attacks, access to victim software-as-a-service environments, and intrusions into on-premises infrastructure.[17]
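As an added illustration (not from the article or any of the reports it cites), the following Python sketch shows why spray activity routed through a residential exit-node pool is better detected by aggregating across a known exit-node list than by per-source-IP thresholds; the exit-node addresses and log lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed placeholder exit-node list (documentation-range addresses), standing in
# for a published residential-proxy exit-node dataset a defender might subscribe to.
EXIT_NODES = {"203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"}

# Constructed sample auth log (not real data): one failed attempt per user, each from
# a different exit node, plus one success and a plain brute force from a non-proxy IP.
SAMPLE_LOG = """\
2026-01-20T10:00:01Z auth: FAILED user=alice src=203.0.113.10
2026-01-20T10:00:02Z auth: FAILED user=bob src=203.0.113.11
2026-01-20T10:00:03Z auth: FAILED user=carol src=203.0.113.12
2026-01-20T10:00:04Z auth: FAILED user=dave src=203.0.113.13
2026-01-20T10:00:06Z auth: SUCCESS user=frank src=203.0.113.11
2026-01-20T10:01:00Z auth: FAILED user=grace src=192.0.2.44
2026-01-20T10:01:01Z auth: FAILED user=grace src=192.0.2.44
"""

LINE_RE = re.compile(r"auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse_events(log_text):
    """Yield result/user/src for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def spray_report(log_text, exit_nodes, min_users=4, max_attempts_per_user=2):
    """Pool all events whose source is a known exit node, then look for the spray
    shape: many distinct users, few attempts each. A per-IP threshold would see
    at most one or two failures from any single node here and never fire."""
    failures = defaultdict(int)      # user -> failed attempts via exit nodes
    nodes_seen = set()
    successes = []                   # (user, src) logins that came through the pool
    for ev in parse_events(log_text):
        if ev["src"] not in exit_nodes:
            continue
        nodes_seen.add(ev["src"])
        if ev["result"] == "FAILED":
            failures[ev["user"]] += 1
        else:
            successes.append((ev["user"], ev["src"]))
    wide_and_shallow = (len(failures) >= min_users
                        and all(n <= max_attempts_per_user for n in failures.values()))
    return {"exit_nodes_seen": len(nodes_seen), "users_targeted": len(failures),
            "spray_suspected": wide_and_shallow, "successes_via_exit_nodes": successes}
```

Successful logins that arrive through the exit-node pool are returned separately because they are the events worth reviewing first.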
Ipidea's response
Ipidea denied Google's allegations of malicious intent. In a statement, the company said it had not been contacted by GTIG before the publication of its report, and that any open network can be maliciously abused by third parties.[18] Ipidea said it operates a know-your-customer (KYC) system with name, ID, and facial recognition verification via Alipay and WeChat's biometric databases, and that it blacklists over 3.4 million high-risk domain names in categories including finance, government, military, and education.[19]
The company also denied being the operator, controller, or technology provider of the BadBox 2.0 botnet, and said it acted quickly to close Kimwolf's access to its proxy pool after receiving a vulnerability report from Synthient in late December 2025. Ipidea stated that the vulnerability had been confined to a legacy testing module that did not inherit the network's internal access restrictions.[20][21]
Industry reaction and ethical debate
The takedown prompted debate about consent standards and ethics across the residential proxy industry. Google's own GTIG blog directly challenged the sector's self-regulatory claims, writing that while many residential proxy providers state they source IP addresses ethically, its investigation found those claims to be often incorrect or overstated, with many of the applications it analysed failing to disclose that they enrolled devices into the Ipidea network.[4]
Proxyway, an independent proxy industry review publication, reported that Ipidea and its related brands had a significant impact on the broader proxy market between 2022 and 2024, with a wave of over 20 Hong Kong-based entrants undercutting competitors on price and popularising unlimited bandwidth plans for a fixed fee.[22]
Proxyway also published a longer list of Ipidea-linked brands than had appeared in Google's own report. The non-exhaustive list named 360Proxy, 922Proxy, ABC Proxy, Cherry Proxy, IP2World, IPidea.io, LunaProxy, PIA S5 Proxy, PyProxy, and TabProxy.[23]
In April 2026, Proxyway published a follow-up test of Smartproxy.org, a provider it suspected of being affiliated with the Ipidea cluster on the basis of pricing model, ownership opacity, and marketing characteristics shared with previously identified brands. Routing approximately 7 million requests through the network over a one-week period, the researchers collected a pool of more than 2 million unique IP addresses and compared it against a verified dataset of Ipidea exit nodes. They reported that 773,087 addresses, or 38.21% of the Smartproxy.org pool, overlapped with the Ipidea dataset – an overlap they described as too large to be attributable to the normal rotation of residential IPs between providers, and consistent with either resale of, or sourcing from, Ipidea infrastructure.[24] Proxyway noted that the Smartproxy.org domain was unrelated to the established proxy provider Decodo, which had previously operated at smartproxy.com, and suggested that the similar name was intended to exploit brand recognition.[24] They concluded that although Google's action had seized the most prominent Ipidea-linked domains, the underlying device pool remains in circulation because the SDKs and consumer applications that had enrolled those devices were still installed and active, allowing successor brands to continue routing traffic through the same exit nodes.[24]
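The pool comparison described above, implemented as an added example (not Proxyway's or Cybernews' own tooling) on constructed placeholder address lists: validate and deduplicate both pools, compute the overlap share, and back out the pool size implied by a reported count and percentage.

```python
import ipaddress

def load_pool(text):
    """Parse one address per line; drop blanks, comments and invalid entries and
    deduplicate, so the denominator counts unique addresses only."""
    pool = set()
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            pool.add(ipaddress.ip_address(raw))   # handles IPv4 and IPv6 uniformly
        except ValueError:
            continue
    return pool

def overlap(observed, reference):
    """Share of the observed pool that also appears in the reference dataset."""
    shared = observed & reference
    pct = 100.0 * len(shared) / len(observed) if observed else 0.0
    return {"observed": len(observed), "shared": len(shared), "percent": round(pct, 2)}

def implied_pool_size(shared, percent):
    """Back out the pool size from a reported overlap count and percentage, to
    sanity-check published figures against the stated pool size."""
    return round(shared * 100 / percent)

# Constructed sample pools (documentation prefixes; not the real datasets).
OBSERVED = load_pool("""
# collected pool, with a duplicate and a malformed line
203.0.113.1
203.0.113.2
203.0.113.2
198.51.100.9
192.0.2.5
not-an-ip
""")
REFERENCE = load_pool("203.0.113.1\n203.0.113.2\n2001:db8::1\n")
```

Applied to the reported figures, implied_pool_size(773087, 38.21) gives roughly 2.02 million, consistent with the "more than 2 million" pool the test collected.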
Consumer risk
When a device is enrolled as a proxy exit node, third-party traffic passes through it, exposing the device owner to potential reputational harm and ISP blacklisting. GTIG also found that Ipidea's proxy applications not only routed traffic outward through enrolled devices but also received inbound traffic directed at those devices, creating pathways for attackers to move laterally into other devices on the same home network.[25][26]
References
- ^ a b "Google disrupts large residential proxy network, reducing devices used by operators by 'millions'". Reuters. January 28, 2026.
- ^ a b McMillan, Robert (January 28, 2026). "Google Aims Knockout Blow at Chinese Company Linked to Massive Cyber Weapon". The Wall Street Journal.
- ^ a b Toulas, Bill. "Google disrupts IPIDEA residential proxy networks fueled by malware". www.bleepingcomputer.com. Retrieved February 25, 2026.
- ^ a b c d e f g h i j "Disrupting the World's Largest Residential Proxy Network". Google Cloud Blog. January 28, 2026. Retrieved January 30, 2026.
- ^ Kan, Michael (January 28, 2026). "These Free VPNs, Proxies Used by Criminals to Hijack Users' Connections". PC Magazine. "Google seizes domains used by the IPIDEA proxy network, which sold access to devices compromised through free VPNs, proxy services, and mobile apps."
- ^ Zorz, Zeljka (January 29, 2026). "Google disrupts proxy network used by 550+ threat groups". Help Net Security. Retrieved February 25, 2026.
- ^ Lakshmanan, Ravie. "Google Disrupts IPIDEA — One of the World's Largest Residential Proxy Networks". The Hacker News. Retrieved February 25, 2026.
- ^ Lakshmanan, Ravie. "Google Disrupts IPIDEA — One of the World's Largest Residential Proxy Networks". The Hacker News. Retrieved February 25, 2026.
- ^ Lakshmanan, Ravie. "Google Disrupts IPIDEA — One of the World's Largest Residential Proxy Networks". The Hacker News. Retrieved February 25, 2026.
- ^ Lakshmanan, Ravie. "Google Disrupts IPIDEA — One of the World's Largest Residential Proxy Networks". The Hacker News. Retrieved February 25, 2026.
- ^ Ćemanović, Amar (January 29, 2026). "Google dismantled IPIDEA, the world's largest residential proxy network". CyberInsider. Retrieved February 25, 2026.
- ^ Lakshmanan, Ravie. "Google Disrupts IPIDEA — One of the World's Largest Residential Proxy Networks". The Hacker News. Retrieved February 25, 2026.
- ^ French, Laura (January 30, 2026). "Google disrupts IPIDEA residential proxy network used in cybercrime". SC Media. Retrieved February 25, 2026.
- ^ "The Kimwolf Botnet is Stalking Your Local Network – Krebs on Security". January 2, 2026. Retrieved February 25, 2026.
- ^ "The Kimwolf Botnet is Stalking Your Local Network – Krebs on Security". January 2, 2026. Retrieved February 25, 2026.
- ^ "Google cripples IPIDEA proxy network abused by crims". Archived from the original on February 24, 2026. Retrieved February 25, 2026.
- ^ "Google busts giant IPIDEA residential proxy network". iTnews. Retrieved February 25, 2026.
- ^ "Global proxy operator IPIDEA denies Google's malicious intent allegations". iTnews. Retrieved February 25, 2026.
- ^ "Global proxy operator IPIDEA denies Google's malicious intent allegations". iTnews. Retrieved February 25, 2026.
- ^ "The Kimwolf Botnet is Stalking Your Local Network – Krebs on Security". January 2, 2026. Retrieved February 25, 2026.
- ^ "Global proxy operator IPIDEA denies Google's malicious intent allegations". iTnews. Retrieved February 25, 2026.
- ^ "Google Disrupts 10+ IPIDEA-Related Chinese Proxy Providers". Proxyway. Retrieved February 25, 2026.
- ^ "Google Disrupts 10+ IPIDEA-Related Chinese Proxy Providers". Proxyway. Retrieved February 25, 2026.
- ^ a b c Okunytė, Paulina (April 23, 2026). "Third of these proxy IPs trace back to a botnet network Google just dismantled". Cybernews. Retrieved May 14, 2026.
- ^ "Google cripples IPIDEA proxy network abused by crims". Archived from the original on February 24, 2026. Retrieved February 25, 2026.
- ^ Lakshmanan, Ravie. "Google Disrupts IPIDEA — One of the World's Largest Residential Proxy Networks". The Hacker News. Retrieved February 25, 2026.