Google’s threat intelligence team this week carried out an international operation to dismantle the world’s largest network of residential proxies, a key piece of infrastructure for digital criminal activity on a global scale. The target of the action was IPIDEA, a network little known outside technical circles but essential for hiding illegal operations behind apparently legitimate connections.
Residential proxies differ from conventional proxies because they use IP addresses assigned to homes and small businesses instead of data center servers. The proxy software is installed on everyday devices such as phones, smart TVs or routers, and allows cybercriminals to camouflage their activity as ordinary traffic.
This method makes detection and blocking by authorities and cybersecurity companies difficult, since the connections appear to come from real users.
IPIDEA maintained its network through millions of residential IP addresses, mainly in the United States, Canada and Europe, regions considered more reliable by security systems. Network operators obtained these addresses through two main methods: by deliberately installing proxy software on devices or by tricking users into downloading applications with hidden code.
There were also users who, attracted by the promise of income from sharing their bandwidth, voluntarily installed the software without knowing its implications.
Google discovered that the façade of privacy and freedom of expression used to promote these services contrasted with reality. During a single week in January 2026, the Google team identified more than 550 threats using IPIDEA IP addresses.
Among the malicious actors detected were groups linked to China, North Korea, Iran and Russia. Illegal activities carried out using these connections ranged from unauthorized access to enterprise cloud environments to brute-force attacks against password managers.
Google’s analysis revealed that many proxy and VPN programs, which appeared to be independent, were controlled by the same people responsible for IPIDEA. Among the names identified are 922 Proxy, Luna Proxy, Cherry Proxy and VPN services such as Galleon VPN and Radish VPN.
Additionally, these operators managed software development kits (SDKs) designed to integrate into third-party applications, offering payments to developers for each download and thus transforming users’ devices into nodes for the proxy network.
Google’s operation identified more than 600 Android applications with code intended to connect to the IPIDEA infrastructure. These applications, ranging from utilities to games and content platforms, used SDKs to increase their revenue at the expense of user security. As a result of the blocks put in place, millions of devices have become unavailable to the operators of this clandestine network, which represents a strong blow to the cybercrime ecosystem.
Users affected by these programs face various risks. Once their IP address is shared, their devices can be used as a platform for illegal activities without their knowledge, exposing them to potential investigations or slowdowns of their networks. The installed software also introduces additional vulnerabilities, increasing exposure to other types of cyberattacks.
Despite the success of the operation, IPIDEA still retains access to devices in different parts of the world. Google warns about the danger of installing applications that promise payments in exchange for sharing “unused bandwidth” or “shared internet.” For connected devices, such as TV set-top boxes, the recommendation is to purchase products only from recognized manufacturers and avoid downloading unverified applications.
The partial dismantling of the IPIDEA network marks a milestone in the fight against cybercrime, but also underlines the importance of prevention and digital education to keep millions of home devices from continuing to be used in illicit activities on a global scale.

