Executive Summary
Synthient’s Research Team systematically monitors the proxy SDK ecosystem, analyzing outbound traffic patterns to assess the role of residential proxies in spam, credential stuffing, and ad-fraud operations. Although residential proxy providers have expanded rapidly over the past decade, often citing demand from AI and Big Data applications, our analysis indicates that these claims are overstated. The majority of observed proxy traffic continues to facilitate abuse targeting financial institutions, advertising networks, and e-commerce platforms. This report was produced in collaboration with Infoblox, which is publishing its own companion report adding further context to the question “Who are the victims of residential proxies?”
This report pulls data from Helios, our proxy SDK tracking platform, which monitors the largest proxy SDKs and the egress of traffic from those providers. We showcase these findings to highlight the continued exploitation and targeting of vulnerable devices on local area networks (LAN) and the substantial volume of fraudulent traffic originating from residential proxies.
Synthient encourages defenders to think beyond traditional IP risk data. Residential proxy detection requires a multifaceted approach that leverages multiple tiers of data and detection methods. This report underscores the countermeasures required by private industry, as well as the growing need for regulation in this space.
The “AI Washing” of Residential Proxies
In the last several years, AI has grown significantly, and proxy providers have been quick to capitalize on this trend. Many of the largest proxy providers have updated their public-facing branding to highlight AI, implying it is a primary use case for their residential proxies. This shift in messaging has been seen almost universally; for example, HK Network (IPIDEA) used similar framing prior to its recent takedowns by Google.

Fig 1.0. Proxy providers and the focus towards AI.
While Synthient’s Research Team recognizes that AI brings significant revenue into the space, this narrative also allows proxy providers to “wash” their public image, obscuring the true nature of their traffic. This report documents this reality through the analysis of outbound traffic from several of these SDKs.
Who are the Victims of Residential Proxies?
Methodology and Scope
This report is based on outbound traffic collected from various proxy SDKs. Synthient’s Research Team collects this data in bulk for high-risk providers, enabling organizations to identify and correlate abuse on their platforms. Our analysis mainly focuses on the outbound traffic from Popa, one of the largest proxy botnets. Synthient’s Research Team observed devices connected to this botnet routing traffic for both IPIDEA and Netnut.
Built off the Back of Consumers
As previously documented, the residential proxy ecosystem is largely built on the backs of unconsenting users through mobile apps, TV boxes, or infected routers. Synthient’s Research Team estimates that 70-80% of proxy SDKs operate on Android-based operating systems. Many publishers and providers target Android applications specifically because of the lack of stringent security measures.

Fig 2.0. Piracy-related apps pushing proxy SDKs onto unconsenting users.
As demand for clean IPs has grown, the approaches used to acquire them have evolved significantly. Actors now use BadBox-type devices to establish long-term, persistent backdoors, and proxy providers often rely on Pay-Per-Install (PPI) programs to deploy their SDKs at scale.

Fig 3.0. Pay Per Install actors approaching proxy services with lucrative offers.
With many of these malicious illicit streaming devices listed on popular online storefronts, consumers unknowingly purchase them and inadvertently contribute their network bandwidth to residential proxy pools. Compounding the problem, these devices ship without basic security measures, so they are easily compromised and are frequently found at the forefront of DDoS botnets.

Fig 4.0. Malicious illicit streaming devices pushed on online storefronts to acquire residential IPs. (Human)
The Targets of Residential Proxies
In May, Synthient observed approximately 9.2 million unique domains and subdomains targeted by residential proxies, ranging from government websites to e-commerce platforms. While the majority of these domains receive negligible proxy traffic, the bulk of the activity is directed toward “high-value” targets such as Ticketmaster, Google, and Walmart. Another common target category is IP-echo services such as httpbin or ip-api, which proxy users query to confirm which exit IP address their traffic is leaving from.

Fig 5.0. Breakdown by category of outbound traffic from Popa botnet.
When breaking down the outbound traffic from the Popa botnet, Video Streaming & Media accounted for an overwhelming 41.0% of the targeted domains. Synthient’s Research Team assesses with moderate confidence that a large portion of this traffic is a mix of scraping, credential stuffing, and botting. Threat actors frequently target streaming services to execute account takeover (ATO) attacks and subsequently resell premium subscriptions on illicit markets. The same assessment applies to the other non-advertising categories, as many of these platforms have large communities built around scraping data or botting retail purchases.

Fig 6.0. Breakdown of targeted domains from Popa botnet.
Of the ad-based traffic (9.3%), the majority is associated with ad-fraud: certain publishers artificially inflate their traffic to increase their payouts. Most of this fraudulent advertising traffic targets major providers such as Appsflyer, Google, and Microsoft, using residential proxies to appear as legitimate users.

Fig 7.0. Ad-fraud campaigns leveraging residential proxies to appear legitimate.
Comparing this with data collected in February from IPIDEA’s PacketSDK, we see ad-fraud (Appsflyer), LAN exploitation (xd[.]resi[.]to) and credential stuffing (imap[.]comcast[.]net) taking the lead by a wide margin. This highlights the significant influence that a single high-paying client can have on the outbound traffic of a proxy SDK.

Fig 8.0. Breakdown of targeted domains from PacketSDK (IPIDEA).
Old Methods, New Actors
Following the disclosure of Kimwolf’s use of residential proxies to compromise vulnerable devices, new botnets such as Potassium, Katana, and Drifter have been observed leveraging LAN exploitation to achieve dominance in the botnet space. This persistent targeting has made port 5555 the third most popular port for outbound traffic from the Popa botnet, behind ports 80 (HTTP) and 443 (HTTPS). Port 5555 is the default port for the Android Debug Bridge (ADB) over TCP; a device that exposes it with authentication disabled hands anyone on the LAN a shell and the ability to install packages, which makes poorly secured Android devices (such as TV boxes) prime targets for compromise.

Fig 9.0. Port 5555 exploitation over time from Popa botnet.
Many of these threat actors have added their own spin to the exploit, using custom honeypot checks, removing competing botnets, and adopting new methods to circumvent traditional blocks. The slow decline in exploitation attempts highlights the oversaturation of the space as threat actors cannibalize the pool of vulnerable devices. With many actors applying firewall rules, accidentally bricking devices, and killing competing botnets, the number of exploitable devices continues to dwindle.

Fig 10.0. Actors leveraging their own domains and bypasses for device exploitation.
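To make the port 5555 discussion concrete, the following added example (not code from Synthient, Helios, or any of the botnets named above) implements the opening handshake of the public ADB wire protocol in Python so a defender can sweep a LAN they are authorised to scan for ADB exposed over TCP. It sends the client's CNXN message and classifies the first reply: a device with ADB authentication disabled answers CNXN (an unauthenticated shell is available), a device enforcing RSA key authentication answers AUTH, and anything else is not ADB. The sweep helper, the timeouts, the assumed filename and the sample replies are assumptions made for illustration.

```python
"""Sweep a LAN for Android Debug Bridge (ADB) exposed over TCP (default port 5555).

Added example, not Synthient/Helios code. Constants follow the public ADB wire
protocol: a 24-byte little-endian header followed by the payload.
"""
import ipaddress
import socket
import struct
import sys

A_CNXN = 0x4E584E43            # b"CNXN" read as a little-endian u32
A_AUTH = 0x48545541            # b"AUTH"
A_VERSION = 0x01000000         # protocol version advertised by adb clients
MAX_PAYLOAD = 0x1000           # payload size we advertise; the device sends its own
HEADER = struct.Struct("<6I")  # command, arg0, arg1, data_length, data_check, magic


def build_message(command: int, arg0: int, arg1: int, payload: bytes) -> bytes:
    """Encode one ADB message. data_check is a plain byte sum; magic is ~command."""
    header = HEADER.pack(command, arg0, arg1, len(payload),
                         sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF)
    return header + payload


def build_cnxn(identity: bytes = b"host::\x00") -> bytes:
    """The CNXN an adb client sends first; 'host::' is the classic client banner."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity)


def parse_header(data: bytes):
    """Return the header fields as a dict, or None if this is not a valid ADB header."""
    if len(data) < HEADER.size:
        return None
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(data)
    if magic != command ^ 0xFFFFFFFF:
        return None
    return {"command": command, "arg0": arg0, "arg1": arg1,
            "data_length": length, "data_check": check}


def classify_response(data: bytes) -> str:
    """Map the device's first reply to what a defender cares about."""
    hdr = parse_header(data)
    if hdr is None:
        return "not-adb"            # HTTP banner, garbage, echo service, ...
    if hdr["command"] == A_CNXN:
        return "open-adb"           # no auth: anyone on the LAN gets a shell
    if hdr["command"] == A_AUTH:
        return "auth-required"      # RSA key auth enforced (ro.adb.secure=1)
    return "adb-other"


def probe_adb(host: str, port: int = 5555, timeout: float = 2.0) -> str:
    """Connect, send CNXN, classify the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"             # refused, unreachable, or filtered
    with sock:
        try:
            sock.sendall(build_cnxn())
            reply = sock.recv(HEADER.size + 64 * 1024)
        except OSError:
            return "no-reply"       # port open but nothing ADB-like came back
    return classify_response(reply)


def sweep(cidr: str, port: int = 5555, timeout: float = 1.0) -> dict:
    """Probe every host in a CIDR you are authorised to scan; closed ports are omitted."""
    results = {}
    for ip in ipaddress.ip_network(cidr, strict=False).hosts():
        verdict = probe_adb(str(ip), port, timeout)
        if verdict != "closed":
            results[str(ip)] = verdict
    return results


if __name__ == "__main__":
    # Assumed usage: python adb_sweep.py 192.168.1.0/24
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    for host, verdict in sweep(target).items():
        print(f"{host}\t{verdict}")
```

Any host reported as open-adb should be treated as already compromised until proven otherwise: disable ADB over TCP (or the device entirely if it is a no-name TV box), then check it against the IoC list at the end of this report.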
Mitigation Strategies
- Website owners must deploy multi-faceted solutions that extend beyond traditional IP reputation blocklists. To effectively counter this threat, organizations need behavioral analytics combined with real-time proxy intelligence, so that a proxy-feed hit is corroborated by how the client actually behaves rather than acted on alone. Synthient encourages organizations to leverage solutions such as JA4+ fingerprinting, Synthient's Helios tool, and real-time proxy feeds. Website owners can also monitor how their domains are targeted using Synthient’s free Context Lookup Tool.
- Organizations should use DNS- and IP-based blocklists from providers such as Infoblox to reduce the risk posed by unregulated network traffic. As demonstrated by the continued exploitation of LAN devices post-disclosure, this internal network risk remains highly relevant: a compromised TV box or router on the corporate network is both a proxy exit and a launch point for attacks on its neighbours.
- Consumers can check whether their IP address belongs to a residential proxy network by visiting https://synthient.com/check. If the result is positive, and the user is not on a shared (NATted) network or using a dynamic IP address that may recently have belonged to someone else, they should immediately audit their network devices and installed applications. Victims are also encouraged to file an IC3 complaint.
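As an added illustration of the tiered approach the first two points describe (example code, not Synthient's, Helios's or JA4+'s own implementation), the Python below triages a constructed slice of web access logs. Tier one is a proxy-feed hit; tier two is behaviour: the failed-login ratio per IP, a JA4 fingerprint that is failing logins from several distinct IPs (the same bot client riding many residential exits), and calls to IP-echo endpoints of the kind discussed under targets. A feed hit with no behavioural signal only earns "monitor", because, as the consumer guidance above notes, shared NAT and dynamic IPs make feed-only blocking collateral-heavy. The feed entries, the JA4 strings, the log format and the thresholds are all constructed or assumed for the example.

```python
"""Tiered residential-proxy abuse triage over web access logs.

Added example, not Synthient/Helios code. All data below is constructed:
documentation IP ranges, made-up JA4 strings, and a simplified log format.
"""
from collections import defaultdict

# Constructed stand-in for a real-time proxy feed (tier one).
PROXY_FEED = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# Constructed log lines: ip method path status ja4 (a real pipeline parses its own format).
SAMPLE_LOG = """\
203.0.113.10 POST /login 401 t13d1516h2_8daaf6152771_b0da82dd1658
203.0.113.10 POST /login 401 t13d1516h2_8daaf6152771_b0da82dd1658
203.0.113.10 POST /login 401 t13d1516h2_8daaf6152771_b0da82dd1658
203.0.113.10 POST /login 200 t13d1516h2_8daaf6152771_b0da82dd1658
203.0.113.11 POST /login 401 t13d1516h2_8daaf6152771_b0da82dd1658
203.0.113.11 POST /login 401 t13d1516h2_8daaf6152771_b0da82dd1658
203.0.113.11 GET /api/ip 200 t13d1516h2_8daaf6152771_b0da82dd1658
198.51.100.7 GET /products/42 200 t13d1717h2_5b57614c22b0_3d5424432f57
198.51.100.7 GET /cart 200 t13d1717h2_5b57614c22b0_3d5424432f57
192.0.2.5 POST /login 401 t13d1516h2_8daaf6152771_b0da82dd1658
192.0.2.5 POST /login 401 t13d1516h2_8daaf6152771_b0da82dd1658
192.0.2.5 POST /login 401 t13d1516h2_8daaf6152771_b0da82dd1658
192.0.2.9 GET /products/7 200 t13d1717h2_5b57614c22b0_3d5424432f57
"""

ECHO_PATHS = {"/api/ip", "/ip", "/whoami"}   # assumed IP-echo endpoints on this site
LOGIN_PATH = "/login"
MIN_LOGIN_ATTEMPTS = 3      # assumed thresholds; tune per site
FAILED_RATIO = 0.5
CAMPAIGN_MIN_IPS = 3        # one JA4 failing logins from this many IPs = shared bot client


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, method, path, status, ja4 = line.split()
        rows.append({"ip": ip, "method": method, "path": path,
                     "status": int(status), "ja4": ja4})
    return rows


def triage(rows: list, proxy_feed: set) -> dict:
    """Per-IP verdict from feed membership (tier one) plus behaviour (tier two)."""
    per_ip = defaultdict(lambda: {"requests": 0, "login_attempts": 0,
                                  "login_failures": 0, "ja4s": set(), "echo_hits": 0})
    failing_ips_by_ja4 = defaultdict(set)
    for r in rows:
        f = per_ip[r["ip"]]
        f["requests"] += 1
        f["ja4s"].add(r["ja4"])
        if r["path"] in ECHO_PATHS:
            f["echo_hits"] += 1
        if r["path"] == LOGIN_PATH and r["method"] == "POST":
            f["login_attempts"] += 1
            if r["status"] in (401, 403):
                f["login_failures"] += 1
                failing_ips_by_ja4[r["ja4"]].add(r["ip"])

    # Cross-IP signal: the same TLS client fingerprint failing logins from many exits.
    campaign_ja4s = {j for j, ips in failing_ips_by_ja4.items() if len(ips) >= CAMPAIGN_MIN_IPS}

    verdicts = {}
    for ip, f in per_ip.items():
        flags = set()
        if (f["login_attempts"] >= MIN_LOGIN_ATTEMPTS
                and f["login_failures"] / f["login_attempts"] >= FAILED_RATIO):
            flags.add("credential_stuffing")
        if f["ja4s"] & campaign_ja4s:
            flags.add("shared_attack_ja4")
        if f["echo_hits"]:
            flags.add("ip_echo_check")
        in_feed = ip in proxy_feed
        if in_feed and flags:
            verdict = "block"        # reputation corroborated by behaviour
        elif len(flags) >= 2:
            verdict = "challenge"    # behaviour alone: step-up, do not hard-block
        elif in_feed:
            verdict = "monitor"      # feed-only: could be NAT or a recycled dynamic IP
        else:
            verdict = "allow"
        verdicts[ip] = {"verdict": verdict, "in_proxy_feed": in_feed, "flags": sorted(flags)}
    return verdicts


if __name__ == "__main__":
    for ip, v in triage(parse_log(SAMPLE_LOG), PROXY_FEED).items():
        print(f"{ip:<14} {v['verdict']:<9} feed={v['in_proxy_feed']} {v['flags']}")
```

The point of the three-way outcome is that 198.51.100.7 is in the feed but browsing normally and is only watched, while 192.0.2.5 is absent from the feed yet shares a failing-login JA4 with two feed IPs and gets challenged; neither decision is possible from an IP blocklist alone.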
Conclusion
As it stands today, the residential proxy ecosystem is largely unregulated. The majority of providers profit by acquiring large swaths of residential IP space at the expense of consumers and their devices. Because these platforms frequently utilize resellers to side-step responsibility, compromised devices are commonly observed contributing to ad-fraud, credential stuffing, and further device compromise. With proxy providers maintaining a significant presence on corporate networks, this risk is greatly amplified. Organizations must invest in improving their security posture and can no longer ignore the growing threat posed by residential proxy networks.
Indicators of Compromise
In addition to the dataset of targeted domains, we are publishing on GitHub an updated list of URLs and IP addresses taking part in the LAN exploitation, along with the Popa botnet C2 servers.