Research · Published Apr 22, 2026 · Updated May 18, 2026 · 1 source

Researchers Uncover ProxySmart Software Powering 90+ SIM Farms

Infrawatch researchers have identified ProxySmart, a Belarus-based software platform that provides a turnkey 'SIM Farm as a Service' solution, powering over 90 phone farms across 17 countries and 19 US states.

Cybersecurity researchers have uncovered a Belarus-based software platform that is helping SIM farm operators support cybercrime on an 'industrial scale.' In a new report published on April 21, Infrawatch said it had identified 87 instances of ProxySmart control panels in 17 countries and 94 phone farm locations. These farms are located across 19 US states, as well as countries in Europe and South America.

'ProxySmart is publicly associated with a Belarus-based vendor footprint and offers an end-to-end stack for operating and monetizing a physical farm, including device management, automated IP rotation, customer provisioning, plan enforcement, and anti-bot countermeasures,' the report explained. 'Technical analysis indicates operator capabilities consistent with large-scale evasion enablement, including automated IP rotation, remote device control, and network fingerprint spoofing.'

SIM farms enable a range of cybercrime activity such as smishing, premium-rate number fraud, bot sign-ups, and one-time password interception. They can also be used by nation states, with the Russian authorities using them to spread disinformation in Ukraine. A large percentage of this ecosystem is managed by ProxySmart, effectively enabling 'SIM Farm as a Service,' Infrawatch claimed.

Sold to farm operators via a pricing model dependent on SIM count, ProxySmart provides an end-to-end platform for operating and monetizing mobile proxy infrastructure, including farm management, device control, customer provisioning, retail proxy sales, and payment handling. It is accessible via a web-based control panel and is typically self-hosted by the farm operator, with a reverse proxy deployed in front of the panel to disguise its location.

ProxySmart supports physical smartphones and USB 4G/5G modems, with the former enrolled via an unsigned Android APK downloaded from the operator's site, and the latter managed by the open source ModemManager. 'Both device types are orchestrated by the ProxySmart backend service, which Infrawatch observed to be implemented in Python and heavily obfuscated by PyArmor,' the report continued. IP rotation for phones is enabled by automatically toggling airplane mode on/off for three seconds, forcing a reconnection to the cellular network and a reassigned egress IP.
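From the defender's side, the rotation behaviour described above can show up in service logs as one session identifier reappearing from a series of different addresses inside the same carrier network. The following is an added example, not code from the Infrawatch report or from ProxySmart; the event layout, the thresholds and all sample values are assumptions, and because ordinary mobile users also change addresses, the thresholds need tuning against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, session id, source IP, origin ASN).
# IPs come from documentation ranges and ASNs from the private-use range.
SAMPLE_EVENTS = [
    ("2026-04-21T10:00:00", "sess-a", "192.0.2.10", 64512),
    ("2026-04-21T10:02:10", "sess-a", "192.0.2.77", 64512),
    ("2026-04-21T10:04:30", "sess-a", "192.0.2.140", 64512),
    ("2026-04-21T10:06:45", "sess-a", "192.0.2.201", 64512),
    ("2026-04-21T10:00:00", "sess-b", "198.51.100.5", 64513),
    ("2026-04-21T10:30:00", "sess-b", "198.51.100.5", 64513),
    ("2026-04-21T10:00:00", "sess-c", "203.0.113.9", 64514),
    ("2026-04-21T13:00:00", "sess-c", "203.0.113.60", 64514),
    ("2026-04-21T16:00:00", "sess-c", "203.0.113.88", 64514),
]


def find_rotating_sessions(events, min_ips=3, window=timedelta(minutes=10)):
    """Return {session_id: sorted IPs} for sessions seen from at least
    min_ips distinct addresses of one ASN inside a sliding time window.

    min_ips and window are assumed starting values, not figures from the report.
    """
    # Group by (session, ASN): a reconnect to the same carrier keeps the ASN
    # while the egress address changes.
    by_key = defaultdict(list)
    for ts, session, ip, asn in events:
        by_key[(session, asn)].append((datetime.fromisoformat(ts), ip))

    flagged = {}
    for (session, _asn), hits in by_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ips = {ip for _, ip in hits[start:end + 1]}
            if len(ips) >= min_ips:
                flagged[session] = sorted(ips)
                break
    return flagged


if __name__ == "__main__":
    for session, ips in find_rotating_sessions(SAMPLE_EVENTS).items():
        print(session, ips)
```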

There is support for several tunneling and proxy protocols including OpenVPN, SOCKS5, VLESS, and HTTP proxies, and an OS spoofing feature that lets farm operators simulate other OS TCP fingerprints such as macOS, iOS, Windows, and Android through the web panel. 'Infrawatch assesses this ecosystem materially lowers the barrier to operating and reselling mobile proxy infrastructure, with limited evidence of meaningful eligibility checks across many downstream providers,' the report concluded.

ProxySmart technical consultant and PR lead, Alex Zak, reached out to Infosecurity claiming Infrawatch published its findings without contacting the developer. He stated: 'ProxySmart is a data-path proxy management layer, not a SIM farm. It has no voice primitives, no SMS origination, no interconnect functionality – the technical capabilities that define the infrastructure dismantled in the Europol and Secret Service cases the research references. Our deployments run on IoT-class cellular equipment authorized by the carriers themselves, in stock configurations, not the amplifier-heavy rack hardware used for SIM-box fraud.'

Synthesized by Vypr AI