Google’s Threat Intelligence Group (GTIG) and industry partners took coordinated legal and technical action to disrupt IPIDEA, described as one of the world’s largest residential proxy networks used to mask malicious activity behind legitimate household and small-business IP addresses. Google reported pursuing court action to seize or take down domains used to command infected devices and manage proxy traffic, while also sharing intelligence about IPIDEA software development kits (SDKs) with platform providers, law enforcement, and researchers to enable broader enforcement.
Google said the operation significantly degraded IPIDEA by reducing the available pool of proxy devices by millions, with the impact likely extending to affiliated and resold proxy services that share the same infrastructure. On Android, Google expanded protections via Google Play Protect, including alerting users, removing apps known to include IPIDEA SDKs, and blocking future installation attempts on certified devices. Reporting linked IPIDEA SDKs to the enrollment of devices into multiple botnets (including BadBox 2.0, Aisuru, and Kimwolf) and noted that GTIG observed more than 550 threat groups using IPIDEA exit nodes over a seven-day period in January 2026; affected devices reportedly spanned smartphones, Windows PCs, and other consumer hardware, with residential IPs in the US, Canada, and Europe particularly sought after.

Finland's National Cyber Security Centre said detections of IPIDEA-related activity increased in Finland in early 2026. The advisory described IPIDEA as abusing consumer devices via malicious apps, SDKs, and low-cost Android TV hardware to build a residential proxy network also used to help mask malicious traffic and support DDoS activity.
After the disruption, Lumen still observed around 5 million distinct bots communicating with IPIDEA command-and-control servers, indicating the operation had substantial but incomplete impact. Google described the action as a meaningful partial step against a resilient ecosystem of proxy brands, affiliates, and shell entities.
As part of the disruption effort, Google updated Google Play Protect to warn users, remove apps containing IPIDEA SDKs, and block future installation attempts on certified Android devices. Google said these actions removed millions of proxy-capable devices from the network and reduced IPIDEA's available proxies by an estimated 40%.
Google, working with partners including Cloudflare, Lumen Technologies' Black Lotus Labs, and Spur, carried out a coordinated disruption of the IPIDEA residential proxy network using legal action, technical enforcement, and intelligence sharing. The effort targeted domains used to command infected devices and manage proxy traffic, significantly degrading but not fully eliminating the network.
Before the takedown, Lumen Technologies' Black Lotus Labs observed about 8.5 million proxies connecting daily to IPIDEA servers and estimated the true population at roughly 10 to 11 million devices. Google and partners also linked IPIDEA infrastructure and SDKs to botnet enrollment activity including BadBox 2.0, Aisuru, and Kimwolf.
During a seven-day period in January 2026, Google Threat Intelligence Group observed more than 550 tracked threat groups using IPIDEA-associated residential proxy exit-node IPs. The activity included SaaS access, password spraying, and operations linked to actors associated with China, North Korea, Iran, and Russia.