Google and partners disrupted IPIDEA, described as one of the world’s largest residential proxy networks, which routed attacker traffic through millions of consumer devices acting as proxy “exit nodes.” Google Threat Intelligence Group (GTIG) reported that in a single seven-day period in January 2026, 550+ tracked threat groups used IPIDEA-linked IPs to obfuscate operations including access to victim SaaS environments, intrusion activity against on-premises infrastructure, and password-spray attacks; activity was attributed across multiple geographies including China, DPRK, Iran, and Russia. IPIDEA allegedly enrolled devices via SDKs embedded in mobile and desktop applications, including trojanized apps and “bandwidth monetization” lures, enabling the sale of residential IP space that can then be used for credential abuse, scraping, ad fraud, phishing, and C2 evasion.
The disruption effort included legal action and domain takedowns against infrastructure used to control devices and proxy traffic, with reporting indicating IPIDEA’s primary site became inaccessible and that the action degraded the available device pool by millions. Google also implemented ecosystem enforcement measures, including Google Play Protect blocking/removing apps containing IPIDEA SDK components, and shared intelligence intended to reduce re-enrollment and impact related proxy operators that rely on shared/resold device pools and rebranded services (e.g., 360 Proxy, Luna Proxy). Separate reporting tied abuse of residential proxy services like IPIDEA to botnet activity (e.g., AISURU/Kimwolf) and highlighted the user risk of having home networks unknowingly used for third-party traffic, increasing exposure to compromise and reputational harm.

Google assessed that the operation degraded IPIDEA by reducing its available device pool by millions, with possible downstream impact on affiliated proxy operators that relied on shared or resold device pools.
Google updated Google Play Protect to warn users and, on certified Android devices, automatically remove apps containing IPIDEA code while blocking reinstallation attempts. Google also identified hundreds of Android apps connected to IPIDEA infrastructure; one report put the count at more than 600 apps across sources.
As part of the disruption, Google shared technical information on IPIDEA infrastructure and SDKs with platform providers, research partners, and law enforcement to support broader mitigation and follow-on action.
Google announced a coordinated disruption of IPIDEA, taking legal action to seize or take down domains used for command-and-control, infected-device management, proxy routing, and marketing of the service. The company said the action targeted one of the world's largest residential proxy networks and was carried out with industry partners.
In a seven-day period in January 2026, Google Threat Intelligence Group observed more than 550 tracked threat groups using IPIDEA-associated exit nodes for activity including password spraying, SaaS access, on-premises targeting, botnet operations, and traffic obfuscation.
Google said it had already taken legal action in July 2025 against alleged China-based operators tied to IPIDEA, an earlier step in its effort against the residential proxy ecosystem.