Hackers Exploit Residential Proxy Networks to Evade Detection

Cybercriminals are increasingly leveraging residential proxy networks to mask their malicious activities, posing significant challenges for security teams. These networks route internet traffic through everyday consumer devices, such as home routers and IoT gadgets, making malicious actions appear as if they originate from legitimate residential users.

Unlike commercial VPNs, whose traffic is recognizable as anonymized, residential proxies make traffic appear to come from genuine home users. This complicates detection, as traditional security measures often fail to flag such traffic.

Research by Infoblox revealed that over 65% of its cloud customers were connecting to residential proxy services. DNS traffic to proxy-related domains surged from approximately 300 billion queries per month in early 2025 to over 500 billion by April 2026. This trend was observed across various industries, including pharmaceuticals, electronics, and healthcare, indicating the widespread nature of the issue.

Many devices are enrolled into proxy networks without the owners’ knowledge, often through free streaming apps, browser extensions, or bundled software kits. This unintentional participation creates security blind spots, as users remain unaware that their devices are being exploited.

Threat actors favor residential proxies because they allow malicious traffic to blend seamlessly with legitimate activity. IP reputation systems, designed to flag datacenter IPs and known threat sources, often overlook traffic from residential IPs. This oversight enables attackers to conduct credential stuffing, account takeovers, ad fraud, and reconnaissance while hiding behind real household devices.

Notable cases include services like Gress, which converts unused bandwidth into rewards and was reportedly pre-installed on Android TV streaming devices, enrolling users into the proxy network without their awareness. Another service, Honeygain, pays users to share their residential IPs as proxy exit points and operates a product called CrBuzz that donates a portion of revenue to charity.

Infoblox also observed a significant spike tied to a specific orchestration domain used by proxy networks. On a single day in January 2025, the number of customer networks querying that domain increased by over 250, highlighting the rapid expansion and adoption of these services.
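The DNS signal described above can be applied inside a single organization to find devices that have been enrolled as proxy nodes. The following is an added example, not code from Infoblox or from the original article: it scans resolver logs for queries to a watchlist of proxy-service domains and flags days on which several previously unseen internal clients start querying them. The watchlist domains, the log format (`date client-IP queried-name`) and the sample records are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed placeholder watchlist; populate from your own threat intelligence.
PROXY_DOMAINS = {"sdk.proxy-orchestrator.example", "bandwidth-share.example"}

# Constructed sample resolver log: "<ISO date> <client IP> <queried name>"
SAMPLE_LOG = """\
2025-01-10 10.0.0.5 api.sdk.proxy-orchestrator.example.
2025-01-10 10.0.0.5 www.example.org.
2025-01-11 10.0.0.5 sdk.proxy-orchestrator.example
2025-01-11 10.0.0.7 SDK.Proxy-Orchestrator.example
2025-01-11 10.0.0.9 node1.bandwidth-share.example
2025-01-11 10.0.0.9 notbandwidth-share.example
malformed line
"""

def matches_watchlist(qname, watchlist=PROXY_DOMAINS):
    """True if qname is a watchlist domain or a subdomain of one."""
    labels = qname.rstrip(".").lower().split(".")
    # Compare parent suffixes on label boundaries only, so that
    # 'notbandwidth-share.example' does not match 'bandwidth-share.example'.
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))

def clients_per_day(log_text):
    """Map each day to the set of clients that queried a watchlisted domain."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        try:
            day = date.fromisoformat(parts[0])
        except ValueError:
            continue
        if matches_watchlist(parts[2]):
            hits[day].add(parts[1])
    return dict(hits)

def spike_days(hits, min_new_clients=2):
    """Days on which at least min_new_clients never-before-seen clients appear."""
    seen, flagged = set(), []
    for day in sorted(hits):
        new = hits[day] - seen
        if len(new) >= min_new_clients:
            flagged.append((day, sorted(new)))
        seen |= hits[day]
    return flagged
```

Clients returned by `spike_days` are candidates for a software inventory check, since enrollment often arrives through bundled apps or extensions rather than deliberate installation.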

The exploitation of residential proxy networks underscores the evolving tactics of cybercriminals and the need for enhanced security measures. Organizations must remain vigilant, regularly update their security protocols, and educate users about the risks associated with seemingly benign applications and services that may enroll their devices into proxy networks without consent.