Cybersecurity researchers warn that attackers are increasingly hiding malicious web traffic within seemingly ordinary internet connections. In other words, the bad data is “hidden in plain sight.” Rather than relying on shady web hosts, many cybercriminals now route malware or phishing traffic through networks of real home devices or consumer gadgets. These “residential proxy” services make nefarious activities appear like everyday browsing, work, or streaming. In effect, they create a nearly invisible cloak around attacks.
From Bulletproof Hosting To Proxy Networks
For decades, criminals relied on so-called bulletproof hosting: web servers in permissive jurisdictions that ignored takedown notices and law enforcement requests. Bulletproof hosts leased space to criminals and “turned a blind eye” to illicit content such as spam, malware command servers, or banned data.
However, that model is fading. Global law enforcement has increasingly targeted these hosting providers, seizing servers and indicting operators. As a result, experts say cybercriminals are abandoning dedicated illicit servers in favour of proxy networks that obscure their traffic.
Longtime researcher Thibault Seret notes that after police cracked down on bulletproof hosts, both criminals and their service providers “migrated to an alternative approach,” using proxies and VPNs to hide malicious traffic. Today’s proxy services rotate and blend customer IP addresses, often without keeping logs.
Seret told WIRED that in such a system, “you cannot technically distinguish which traffic in a node is bad and which traffic is good, because all traffic looks the same to the outside observer.”
In short, once an attacker’s data merges with normal web use, separating the two becomes a nightmare.
Residential Proxies And Consumer Devices
A key tool in this shift is the residential proxy. Unlike a traditional VPN or datacenter proxy, a residential proxy uses real IP addresses assigned by internet service providers (ISPs) to home or office devices.
In practice, this means the proxy network is built on ordinary gadgets: old Android phones, personal laptops, smart routers, and even voice assistants or smart TVs. Malware or proxy apps (sometimes installed without the owner’s knowledge) turn these devices into exit nodes. The result is a decentralised network of endpoints that resemble everyday internet users.
Think of it like this: instead of sending malicious traffic from a suspicious data centre IP, the attack is routed through a random person’s internet connection in, say, Ohio or Spain. To a website or security scanner, the request appears to originate from a legitimate household.
As Trend Micro researchers explain, “A residential proxy is a proxy on an internet-connected device… configured to provide connectivity for third parties,” often without the owner’s awareness.
In effect, criminals “rent” these hundreds of millions of IP addresses to disguise their actions as normal browsing.
This disguise is highly effective. Residential proxy services offer “real, rotating IP addresses assigned to homes and offices… that can run on consumer devices, even old Android phones or low-end laptops.” Such networks offer strong anonymity and can shield malicious traffic by blending it with benign data.
Attackers exploit this to bypass corporate and government scanners. In Seret’s words, “the magic of a proxy service… is you cannot tell who’s who.”
Malware connections now ride along with innocent chat, video calls, or streaming traffic, making red flags nearly invisible.
Modern residential proxy tools even let criminals target specific locations. Reports on the NSOCKS network show it offered proxies by state, city, or even ZIP code. Buyers could purchase a few hours of access (for just a few dollars) to proxy servers in, say, California, and carry out targeted spam or login attacks without raising suspicion. And because these proxies run on home devices, most are never flagged as malicious by security firms.
Cybersecurity firm Lumen Black Lotus Labs found that only about 10% of infected router-based proxies in a large botnet were detected by VirusTotal scanners. This means the other 90% “consistently avoid network monitoring tools with a high degree of success.”
Botnets And Proxy Marketplaces
Behind many residential proxies are botnets of compromised devices. Malware recruits large groups of routers, IoT gadgets, and PCs. One example is the Ngioweb trojan, which has infected tens of thousands of routers and IoT devices worldwide. In late 2024, researchers at Lumen and Cisco Talos reported that Ngioweb was the engine behind NSOCKS, a notorious proxy service.
At least 80% of NSOCKS’s 35,000 active proxies came from devices controlled by the Ngioweb botnet. These machines were then “rented out” on proxy marketplaces, allowing buyers to select exit nodes by city, ISP, or device type. In doing so, they could choose exactly where and how their traffic would appear to originate.
This model has become a lucrative business. The now-disrupted AnyProxy and 5socks services are prime examples. Operating since the early 2000s, they ran botnets of old routers and sold subscriptions granting proxy access to other criminals. In a 2025 FBI-led takedown (Operation “Moonlander”), authorities seized these networks.
Court filings reveal the operators built two proxy networks by infecting thousands of home routers worldwide since at least 2004. They advertised roughly 7,000 proxy IPs and collected around $46 million in subscriber fees over the years. In essence, a lone criminal could pay a monthly fee and have their traffic routed through dozens of real home IPs, thereby hiding their own device’s identity.
These cases show how consumer devices are being weaponised. Often, the targeted hardware is beyond its support life: old “end-of-life” routers or outdated smart gadgets with known vulnerabilities. Criminals exploit these weaknesses to install proxy malware.
As one Lumen report put it, the malware “steals bandwidth… without impacting end users” to create a stealthy proxy service. The average consumer might not even notice anything amiss. But from a security standpoint, this vast pool of home-based IP addresses is a goldmine for attackers.
The Law Enforcement Challenge
All these advances present a growing challenge for defenders. Traditional security tools rely heavily on IP reputation and traffic patterns. But if malicious traffic blends in with legitimate user behaviour, automated tools struggle to distinguish it. Seret notes bluntly that even large datasets can’t untangle good from bad traffic in these mixed nodes. And because residential proxies use so many different ISPs and geographic locations, an organisation’s blacklist of “bad” IPs becomes far less effective. A Trend Micro study explains that the wide availability of legitimate-looking home IPs has “diminished” the value of blocklists, forcing a shift toward more sophisticated detection methods.
For investigators, attribution becomes a maze. Ronnie Tokazowski of Intelligence for Good points out that if an attack appears to come from the same IP range as a company’s employees, it’s nearly impossible to determine who’s behind it.
In practice, law enforcement often ends up chasing ghosts. Takedown requests to internet service providers are futile when the “bad” traffic routes through dozens of unwitting participants. Even when proxy networks are exposed, dismantling them does not solve the underlying issue. Proxies have become a fundamental part of the internet, used by everyone.
Some progress has been made through international operations. The FBI and other agencies have disrupted major proxy botnets and charged their operators (as with AnyProxy and 5socks), but new ones emerge quickly.
Each takedown reveals only part of the bigger picture. After Moonlander, for instance, Lumen’s analysts warned that similar networks remain hidden, often “cloaked” within ordinary traffic. And because many proxies reside on equipment whose owners have long since stopped updating it, the problem persists at the root of the consumer internet.
A Digital Arms Race
The rapid rise of residential proxy abuse underscores a simple reality: the tools available to criminals are evolving faster than defenders’ playbooks. Cybercriminals have created an invisibility shield that even sophisticated security operations struggle to penetrate. By turning millions of homes into unwitting traffic mixers, they’ve gained the upper hand.
Experts caution that stopping this trend will not be easy. There are no quick fixes. Seret stated that even shutting down one proxy service will not end the problem, because new ones can quickly emerge using fresh devices.
In the meantime, organisations and law enforcement must adapt. Analysts recommend strengthening endpoint defences—by securing routers, IoT devices, and employee hardware—and developing more advanced behavioural analysis to detect anomalies beyond just IP addresses.
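The difference between IP blocklisting and behavioural analysis can be shown on a handful of login events. The sketch below is an added example, not code from the researchers quoted in this article: the event layout, the ten-minute window and the three-ASN threshold are assumptions, and the sample data is constructed from documentation address ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, account, source IP, ASN, login succeeded).
# IPs and ASNs come from ranges reserved for documentation.
EVENTS = [
    ("2025-01-10T09:00:00", "alice", "198.51.100.7", 64500, True),
    ("2025-01-10T09:01:10", "bob", "192.0.2.10", 64501, False),
    ("2025-01-10T09:01:40", "bob", "203.0.113.55", 64502, False),
    ("2025-01-10T09:02:05", "bob", "198.51.100.91", 64503, False),
    ("2025-01-10T09:02:30", "bob", "203.0.113.200", 64504, False),
    ("2025-01-10T09:03:00", "alice", "198.51.100.7", 64500, False),
    ("2025-01-10T09:03:20", "alice", "198.51.100.7", 64500, True),
    ("2025-01-10T11:30:00", "carol", "192.0.2.44", 64501, False),
    ("2025-01-10T14:45:00", "carol", "203.0.113.9", 64505, False),
]
BLOCKLIST = {"192.0.2.10"}  # constructed: only one exit node is already known


def blocklist_hits(events, blocklist):
    """IP-reputation view: events whose source IP is already listed."""
    return [e for e in events if e[2] in blocklist]


def rotating_source_accounts(events, window=timedelta(minutes=10), min_asns=3):
    """Behavioural view: accounts with failed logins from at least `min_asns`
    distinct ASNs inside one sliding window, whatever the IPs' reputation."""
    recent = defaultdict(deque)  # account -> deque of (time, asn) failures
    flagged = {}
    for ts, account, _ip, asn, ok in sorted(events):
        if ok:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[account]
        q.append((now, asn))
        while now - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        asns = {a for _, a in q}
        if len(asns) >= min_asns:
            flagged[account] = max(flagged.get(account, 0), len(asns))
    return flagged


if __name__ == "__main__":
    print("blocklist hits:", len(blocklist_hits(EVENTS, BLOCKLIST)))
    print("flagged accounts:", rotating_source_accounts(EVENTS))
```

The blocklist sees one of the four rotating sources, while the per-account view flags the whole burst and leaves the user who mistyped a password from a single home connection alone.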
Until those defences catch up, much of the internet’s dirty work will remain hidden in the crowd of ordinary traffic. As one cybersecurity team put it, malicious activity “could be hiding right under our noses, disguised as ordinary digital life.”
