Cybercriminals are increasingly leveraging residential proxy networks to mask their activities, making it challenging for security teams to detect malicious behavior. These proxies route traffic through everyday consumer devices, such as home routers and IoT gadgets, causing malicious actions to appear as if they originate from legitimate residential users.
Unlike commercial VPNs, which signal anonymized connections, residential proxies make traffic seem like it’s coming from genuine home users. This characteristic complicates detection efforts, as noted by Infoblox researchers. Their analysis revealed that over 65% of their cloud customers connected to residential proxy services, with DNS queries to proxy-related domains escalating from approximately 300 billion per month in early 2025 to over 500 billion by April 2026.
Alarmingly, residential proxy traffic was present across all industry sectors examined, including pharmaceuticals, food and beverage, electronics, industrial, and healthcare. At least 40% of customers in each sector were affected, indicating the pervasive nature of this issue.
Many devices become part of these proxy networks without owners’ knowledge, often through free streaming apps, browser extensions, or bundled software kits. This unintentional enrollment creates significant security blind spots. For instance, the Gress service, which converts unused bandwidth into cryptocurrency rewards, was reportedly pre-installed on Android TV streaming devices, enrolling users into the proxy network without their awareness.
Threat actors exploit residential proxies to disguise malicious traffic, allowing them to conduct credential stuffing, account takeovers, ad fraud, and reconnaissance while appearing as legitimate household devices. This tactic enables them to bypass IP reputation systems designed to flag datacenter IPs and known threat sources.
Infoblox also observed a significant spike tied to a specific orchestration domain used by proxy networks. On a single day in January 2025, the number of customer networks querying that domain increased by over 250, highlighting the rapid expansion and adoption of these services.
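The DNS signals described above (queries to proxy-related domains, and a jump in how many networks query one orchestration domain) can be checked in your own resolver logs. The following is an added example, not code from Infoblox or the original article; the watchlist domains, the log format and the spike thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Hypothetical watchlist: substitute proxy-related domains from your own intel feed.
WATCHLIST = {"proxy-sdk.example", "orchestrator.example"}

# Constructed sample resolver log, one query per line: "<date> <client_ip> <qname>"
SAMPLE_LOG = """\
2025-01-14 10.0.1.15 node.orchestrator.example.
2025-01-14 10.0.1.15 www.example.org.
2025-01-14 10.0.2.40 notorchestrator.example.
2025-01-15 10.0.1.15 node.orchestrator.example.
2025-01-15 10.0.3.7 NODE.Orchestrator.Example.
2025-01-15 10.0.3.9 cfg.orchestrator.example.
2025-01-15 10.0.4.22 api.proxy-sdk.example.
2025-01-15 malformed-line
"""

def watchlist_match(qname, watchlist=WATCHLIST):
    """Return the watchlisted domain that qname equals or is a subdomain of, else None."""
    labels = qname.rstrip(".").lower().split(".")
    suffixes = (".".join(labels[i:]) for i in range(len(labels)))
    return next((s for s in suffixes if s in watchlist), None)

def clients_by_day(log_text):
    """Map watchlisted domain -> {date: set of client IPs that queried it}."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the run
        date, client, qname = parts
        domain = watchlist_match(qname)
        if domain:
            seen[domain][date].add(client)
    return seen

def find_spikes(seen, factor=2.0, min_clients=3):
    """Flag (domain, date, before, after) where distinct clients grew by `factor`
    versus the previous day that has data (ISO dates sort chronologically)."""
    alerts = []
    for domain, days in sorted(seen.items()):
        dates = sorted(days)
        for prev, cur in zip(dates, dates[1:]):
            before, after = len(days[prev]), len(days[cur])
            if after >= min_clients and after >= factor * before:
                alerts.append((domain, cur, before, after))
    return alerts

if __name__ == "__main__":
    print(find_spikes(clients_by_day(SAMPLE_LOG)))
```

The per-domain client sets double as an inventory of internal devices that may have been enrolled in a proxy network without their owners' knowledge. Matching is done on whole DNS labels, so a lookalike name such as `notorchestrator.example` does not trigger the watchlist.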
As cybercriminals continue to exploit residential proxies, it’s imperative for organizations to enhance their detection capabilities and implement robust security measures to mitigate these evolving threats.
Source: Cyber Security News