Hackers Weaponize Residential Proxy Networks to Evade Detection at Massive Scale
Infoblox reports that over 65% of its cloud customers connect to residential proxy services, with DNS queries to proxy domains surging from 300 billion to 500 billion monthly by April 2026.

Hackers are increasingly abusing residential proxy networks to route malicious traffic through legitimate home internet connections, making their activity appear to originate from ordinary household devices rather than criminal infrastructure. This technique allows attackers to bypass traditional IP reputation systems, which are largely designed to flag datacenter IPs and known threat sources, while a home IP from a legitimate ISP often passes those checks without friction. The result is a growing blind spot for security teams, as malicious traffic blends in with normal user behavior.
Researchers at Infoblox examined residential proxies across their cloud customer networks and found the results alarming. According to an Infoblox report shared with Cyber Security News, over 65% of their cloud customers were making connections to residential proxy services. The team observed DNS traffic to proxy-related domains growing from around 300 billion queries per month in early 2025 to over 500 billion per month by April 2026. The scale of the problem surprised even seasoned analysts, with residential proxy traffic appearing in every industry vertical examined, including pharmaceutical, food and beverage, electronics, industrial, and healthcare companies.
What makes the situation more complicated is that not all residential proxy use is intentional. Devices are frequently enrolled into proxy networks without the owner's knowledge, often through free streaming apps, browser extensions, or software kits bundled inside popular applications. One notable case involves a service called Gress, which converts unused bandwidth into rewards and pays users in cryptocurrency tokens. Gress was reportedly found pre-installed on Android TV streaming devices, enrolling users into the proxy network without their awareness. Another service, Honeygain, pays users to share their residential IP as a proxy exit point.
Threat actors value residential proxies because they give malicious traffic a clean disguise. This allows attackers to conduct credential stuffing, account takeovers, ad fraud, and reconnaissance while hiding behind a real household device. Infoblox also observed a striking spike tied to a specific orchestration domain used by proxy networks. On a single day in January 2025, the number of customer networks querying that domain jumped by over 250, an anomaly that proxy space experts could not readily explain. That spike coincided closely with action taken against IPIDEA, a major proxy service, suggesting displaced traffic quickly redistributed across other providers.
Detecting residential proxy traffic is inherently difficult because it is designed to blend in. Traffic arrives from real home IP addresses tied to legitimate ISPs, so traditional blocklists and geolocation filters offer limited protection. Content filtering policies are also applied unevenly, since malicious domains may be handled differently depending on each organization's security setup. Infoblox recommends that defenders use Protective DNS to block queries to known proxy orchestration domains, which function similarly to command-and-control infrastructure in traditional malware campaigns.
Teams should also audit DNS query logs for traffic to known proxy domains and review browser extensions and consumer apps on corporate devices for embedded proxy SDKs. Checking IP addresses against external resources that track residential proxy usage can help surface exposure that would otherwise go unnoticed. The report highlights specific orchestration domains such as ipidea[.]net and ipinfo[.]io as indicators of compromise.
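The DNS log audit recommended above can be sketched as follows. This is an added example, not code from Infoblox or the report: the four-field log format, the sample lines, and the function names are assumptions, and the watchlist holds only the two domains named in this article.

```python
from collections import Counter, defaultdict

# Orchestration domains named in the article, kept defanged as published.
WATCHLIST_DEFANGED = ["ipidea[.]net", "ipinfo[.]io"]

# Constructed sample log (assumed format: timestamp client_ip qname qtype).
SAMPLE_LOG = """\
2026-04-02T08:14:11Z 10.20.1.15 api.ipidea.net. A
2026-04-02T08:14:12Z 10.20.1.15 IPINFO.IO A
2026-04-02T08:14:15Z 10.20.3.40 www.example.com A
2026-04-02T08:15:02Z 10.20.7.9 notipidea.net A
2026-04-02T08:15:30Z 10.20.7.9 ipidea.net.example.org AAAA
2026-04-02T08:16:44Z 10.20.1.15 cdn.api.ipidea.net A
malformed line
"""

def refang(indicator):
    """Normalize a defanged or raw name: restore dots, drop root dot, lowercase."""
    return indicator.replace("[.]", ".").strip().rstrip(".").lower()

def match_watchlist(qname, watchlist):
    """Return the watchlist domain that qname equals or is a subdomain of, else None.

    Matching is done on whole DNS labels, so 'notipidea.net' and
    'ipidea.net.example.org' do not match 'ipidea.net'.
    """
    labels = refang(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None

def audit(log_text, defanged=WATCHLIST_DEFANGED):
    """Count watchlist hits per client IP; return (hits, skipped_line_count)."""
    watchlist = {refang(d) for d in defanged}
    hits = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:  # unparseable line: count it, do not guess
            skipped += 1
            continue
        _, client, qname, _ = fields
        domain = match_watchlist(qname, watchlist)
        if domain:
            hits[client][domain] += 1
    return dict(hits), skipped

if __name__ == "__main__":
    found, skipped = audit(SAMPLE_LOG)
    for client, counts in sorted(found.items()):
        print(client, dict(counts))
    print("skipped lines:", skipped)
```

Clients that appear in the result are the devices to review for proxy SDKs bundled in extensions or consumer apps; a nonzero skipped count means the log format needs checking before the absence of hits is trusted.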
Residential proxies are no longer a niche tool reserved for a small group of sophisticated actors. They are now embedded in everyday applications used by millions of people, and organizations that overlook this risk face a significant gap in their defenses. As the volume of proxy-related DNS queries continues to climb, the security community must adapt detection strategies to account for this pervasive and evolving threat.