Residential Proxies: The “Legal” Botnet That Nobody Talks About

How we got here

If I were to say that a new botnet has compromised over 70 million devices world-wide, it would be front-page news. At the very least, it would be trending within most security communities. Luminati has a current claim of 70 million clean IPs available for their proxy network. Oxylabs says 100 million. Both networks source their IP pool from SDKs embedded in mobile, browser, or desktop applications. Why are Luminati and Oxylabs ignored by the security community?

This blog post dives into the specifics of residential proxy networks and covers how they are sourced and what they are used for.

What are Residential Proxy Networks?

A long time ago, there primarily existed datacenter proxies. Web crawlers, scrapers, etc. would utilize these networks to vary their geographic location and provide them with some IP diversity. However, datacenter IP space is very easily known. Sites that wanted to prevent abuse or automated activities could easily push a CAPTCHA and stop the activity. No matter how sophisticated your technique, if you relied on datacenter proxies, it would be detectable.

Residential proxy networks were born out of the need to look more legitimate. These proxy companies use various methods to gain access to residential IP space from providers such as Comcast or Verizon. This allows the customers of these proxy network companies to better blend their traffic with the traffic of real users.

How are the networks sourced?

Every proxy network is different. Some are compromised routers. Some attempt to be more legitimate by leveraging SDKs and gaining consent through the terms of service. In general, these are the strategies that are used to gather IPs:

  1. Compromised devices (e.g., the TDSS botnet sources AWM proxy)
  2. Mobile SDKs
  3. Browser Extensions
  4. Desktop SDKs

Some of these networks are more forward with their consent. For instance, when installing Hola VPN on your phone, it immediately asks you for permission to use background data. In this case though, Luminati and Hola are the same company. For proxy services such as Infatica, consent may be completely hidden in the terms of service. Their method is providing monetization for free browser extensions. The developers themselves make it hard to know what is happening. Here is a recent example of a browser extension adding in the Infatica SDK but being less than straightforward about it.

While most of these networks do seek consent from the affected people, they vary in degree of effort to notify the users. Do you know if that Android app you just installed has an SDK embedded? Many free VPNs contribute users to these proxy networks. If you look at this VPN, can you tell that you are about to contribute to SOAX? You would have to go read their terms of service. Even if you do read their TOS, do you understand what is meant by sharing your bandwidth with a residential proxy? How would a typical user understand that they could have their ISP cancel their service from abuse complaints or even have a visit from law enforcement due to the activity they let happen?

How big are these networks?

Take a look at each of the networks we track below. We may not have perfect visibility into each network, but it should help give an idea of the scale. Click the drop-down and select different networks. Take a look at WONDEREZPROXIES and WEBSHARE if you want an idea of what a typical datacenter proxy looks like.

Since most of these methods involve proxying through specific devices, every network that the device connects to will be affected. If you connect your phone to your work network, you may be inadvertently allowing a user of one of these proxies access to your secured network. By installing free extensions on your work laptop, you may also be allowing these networks access. The charts below show how many of the Fortune 100 companies have affected devices within their networks. As a caveat, the ISP entries are likely to be their residential customers that are affected. The Disney entries appear to be its parks and hotels. For many of the retail companies, the affected networks are store locations with customers connecting to the free Wi-Fi.

What are the networks used for?

What do these proxy customers do with all of this IP space? Well, it definitely depends. Here is what Spider says their customers use them for:

If you want to do something more abusive, check out AWM proxy. They have a proxy package that allows you to send mass mailers.

They are not the only ones that allow this. Services like Sockshub and RSocks both allow for spam and even advertise that they allow it.

Recently, we helped a customer track down a string of fraudulent events within their e-commerce platform. The common thread: Luminati proxy. Although Luminati uses a strict Know Your Customer (KYC) model, accidents happen and criminals get access.

Why should I care?

So far, you might be thinking: “Yes, these networks are big and I might be affected. But so what?” Here are a few reasons that you should care whether you are currently enabling a proxy network through your devices.

They are a security threat

Metasploit and other tools can easily be used through the proxy provider’s SOCKS5 tunnel, which could lead to internal compromise of your network.

You are allowing third parties access to your network

  • Not just the proxy company but their customers as well.
  • Not all residential proxy services block internal IP space.
  • You may be allowing scraping of intranet content.
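
To make the internal-IP-space point concrete, here is the destination check a proxy exit node (or an egress filter in front of one) would need before honoring a SOCKS5 request. This is an added example, not code from any proxy provider: the `resolve` hook, `build_request`, `FAKE_DNS`, and the sample requests are constructed for illustration.

```python
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04  # RFC 1928 address types

def parse_socks5_request(data: bytes):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT; return (cmd, host, port)."""
    if len(data) < 5 or data[0] != 0x05 or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        end, host = 8, ipaddress.IPv4Address(data[4:8])
    elif atyp == ATYP_IPV6:
        end, host = 20, ipaddress.IPv6Address(data[4:20])
    elif atyp == ATYP_DOMAIN:
        end = 5 + data[4]  # one length byte, then the name
        host = data[5:end].decode("ascii")
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("truncated or oversized request")
    return cmd, host, struct.unpack("!H", data[end:])[0]

def is_internal(addr) -> bool:
    """True for anything not globally routable (RFC 1918, loopback, CGNAT, ...)."""
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:10.0.0.5 -> 10.0.0.5
    if mapped is not None:
        addr = mapped
    return not addr.is_global

def allow_request(data: bytes, resolve) -> bool:
    """Allow only if every address behind the destination is globally routable.
    `resolve` is a hypothetical hook: hostname -> list of IP strings."""
    _cmd, host, _port = parse_socks5_request(data)
    if isinstance(host, str):  # judge a name by what it resolves to
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    else:
        addrs = [host]
    return bool(addrs) and not any(is_internal(a) for a in addrs)

def build_request(atyp: int, addr: bytes, port: int) -> bytes:
    """Constructed sample input: a CONNECT (0x01) request, not captured traffic."""
    return bytes([0x05, 0x01, 0x00, atyp]) + addr + struct.pack("!H", port)

FAKE_DNS = {"intranet.example": ["192.168.1.20"]}  # constructed resolver data
SAMPLES = {  # constructed requests
    "rfc1918": build_request(ATYP_IPV4, bytes([10, 0, 0, 5]), 445),
    "public": build_request(ATYP_IPV4, bytes([8, 8, 8, 8]), 443),
}
```

A proxy that checks only literal IPv4 addresses misses the other two paths handled here: hostnames that resolve to internal addresses and IPv4-mapped IPv6 literals.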

They are using your bandwidth

  • If it is on a mobile device, your Verizon bandwidth is being used, which may directly cost you money or count against your quota.

Could tie you to illegitimate activity

  • If your home IP begins sending spam mail, you could be negatively impacted. It will be hard to prove that it was not you that performed this action.
  • If your work laptop is affected, you could face issues with your employer for illegitimate activity that is linked back to you on their corporate network.
  • Not only should you be concerned about this for your own personal network, but for any other network your devices connect to. BYOD policies lead to these same risks potentially happening in your employer’s networks.

As an online vendor, why should you be worried about residential proxies?

  1. Not everyone is who they claim to be. We have worked with financial institutions that identified account takeover (ATO) from IPs that are close to the victim. Residential/malware proxies enabled the attacker to come from the same IP block as their victim.
  2. Sophistication for anonymous users has increased. You now have to look for more than just VPNs or datacenter space. The same activity you stopped from VPN users can now come from these proxies.
  3. Geo Spoofing. It is now easier than ever to appear as a user in any country’s residential IP space. This ties back to the ATO from above.


Residential proxy networks have grown in popularity recently. They are enabling their customers to circumvent access restrictions, send spam, and even commit fraud. You may unknowingly be supporting these networks with the browser extensions you install or the mobile apps you download. Although not exactly a botnet, it is an interconnected, peer-to-peer system that is powered by millions of devices of which many are unwitting.

If you want to see whether we label your current IP as a residential proxy, be sure to check out and for JSON.
