Emerging ThreatsMalware & Ransomware

US IP Addresses Fuel Proxy Services for Cybercrime

Analyst 207||Source: InfoSecMag
Suburban homes with visible Wi-Fi routers and cables leading to a utility pole or small server.

"An estimated 20 million or more connections end up as proxies," the nonprofit Digital Citizens Alliance reports in Cybercrime by Doorbell — and, the group warns, many of those connections originate in ordinary U.S. households that do not know how their bandwidth and IPs are being repurposed.

Digital Citizens Alliance and risk3sixty investigation

Digital Citizens Alliance, working with cyber investigation firm risk3sixty, conducted a joint probe of residential proxy services and the underlying IP infrastructure. The researchers analyzed IP connections across seven proxy providers and tracked 26 million unique residential IPs over a 30‑day period. They found that 80% of connections they observed were linked to residential addresses and that 85% had been flagged as likely associated with fraud.

The study also found widespread reuse of addresses: nearly half of the 26 million unique residential IPs appeared across multiple proxy providers during that month. Digital Citizens Alliance framed the overlap as evidence that, once acquired, addresses are shared across multiple platforms and repeatedly used by nefarious actors.

Residential proxies: from ad verification to state and criminal misuse

The report notes that proxy services were originally introduced for legitimate business-oriented tasks such as ad verification and geo‑testing of websites. But the investigation concluded those same channels are "increasingly used by state actors and cybercriminals alike."

Investigators singled out services such as Honeygain as popular ways for people — students, for example — to earn extra money by sharing unused bandwidth for a fee. The report states investigators "observed the connections made on shared bandwidth included connections between the service and entities in China and Russia - including traffic tied to a bank sanctioned by the US Department of the Treasury."

Digital Citizens Alliance also reviewed dark‑market activity and found that around half of the 42 dark web markets they inspected included proxy service listings, linking commercial proxy ecosystems directly into illicit marketplaces.

Supply chains: fake VPN apps, pre‑infected devices and "Digital Blood Diamonds"

The report describes multiple supply routes that feed proxy services. Some residential IPs are sold knowingly by users who sign up for legitimate proxy programs. Many others, the report says, are acquired after users download fake VPN apps or install pre‑infected devices such as BADBOX.

Digital Citizens Alliance used a pointed metaphor to describe the trade: it called illicit IP connections the "blood diamonds of the digital age." The report argued that "the retailers who ultimately sell IP connections to businesses, state actors and cybercriminals may not have sourced the connections, but they are part of an ecosystem built on deception and crimes."

Recommendations for home users

  • Use IP security check tools like Grey Noise or Spur to analyze whether an IP connection is part of a residential proxy network and compromised.
  • Avoid streaming devices that claim to provide free content; those devices may contain malware that hijacks IP connections.
  • Be skeptical of "free" apps that may hijack connections for use in cybercrime.
  • Replace routers or household devices older than 5–7 years, which the report says will be unpatched and exposed.
  • Change default admin usernames and passwords on all devices in the home.

What this means for technologists, policymakers, and end users

Technologists and security teams should note the report's technical signals: high residential linkage (80%), high fraud‑flags (85%), and the tendency for IPs to appear across multiple providers. Those patterns support focused use of IP‑reputation tools such as Grey Noise and Spur to detect compromised addresses.

Policymakers and regulators are given a clear framing in the report: the organizations behind it say the network of compromised devices, disguised data centers and overlapping criminal operations "represent a serious threat to national and economic security." That language places this as a cross‑cutting concern, not merely a consumer‑privacy issue.

End users and households are urged to treat free‑content streaming devices and free apps with skepticism, to replace old routers, and to change default device credentials — concrete steps the report lists as ways to reduce the risk that a home connection will be harvested into proxy markets.

The Digital Citizens Alliance report paints a marketplace that blends legitimate and illicit demand, retail channels and dark markets, and millions of U.S. residential connections that may be diverted without owners' knowledge. Whether retailers, app stores, device vendors or proxy platforms will alter practices in response is the next practical question the report leaves on the table — but its central fact is stark: tens of millions of U.S. IP connections are circulating in proxy ecosystems the report says are used by state actors and cybercriminals.

Source: Infosecurity Magazine — Twenty Million US IP Connections Used by Proxy Services

CybercrimeEmerging ThreatsMalware OperationsResidential ProxiesProxy ServicesUS IP AddressesDigital Citizens Alliancerisk3sixtyNonprofit Investigation
Related Intelligence

Continue Reading

Smart TV on an entertainment center in a living room with ambient daylight and low-utility apps on the screen.

Smart TVs Compromised by Proxyware Vulnerabilities Plague 24-Year-Old Curl AI Emerges in Cybercrime Forums Hackers Exploit Microsoft Teams Legacy Credentials Fuel Data Breaches

Over a third of smart TV apps, including clocks, screensavers, and games, contain residential proxy software, putting your device at risk. Researchers found that 42.5% of LG webOS and 26.9% of Samsung Tizen apps harbour these vulnerabilities.

Analyst 207
Crowded sports arena with spectators and staff, subtle tech infrastructure in background.

ShinyHunters Breach Exposes Madison Square Garden Data

A recent cyberattack by ShinyHunters has exposed sensitive data from Madison Square Garden, highlighting a growing concern about cyber risk in the professional sports industry. The breach, which included over 26 million records, is a stark reminder of the importance of robust cybersecurity measures.

Analyst 207
Empty hospital corridor with people in distance, blurred laptop screen on nearby desk, conveying concern and unease.

Ransomware Attacks Surge Across Europe

Ransomware attacks are surging across Europe, with a staggering 55.1% year-over-year increase in just the first four months of 2026, averaging 171 incidents per month. Five key countries - Germany, the UK, France, Italy, and Spain - are bearing the brunt, accounting for 70% of all recorded attacks.

Analyst 207
Dimly lit workspace with laptop screen showing system failure messages, surrounded by clutter and blurred office background.

Gaslight Malware Exposes AI-Assisted Analysis Limits

Meet Gaslight, a sneaky new macOS malware that uses fake system-failure messages to trick AI-powered analysis tools into doubting themselves. Created by North Korea-aligned threat actors, this Rust-based implant is a clever and concerning threat to cybersecurity.

Analyst 207