Security researchers reported that residential proxy networks are increasingly being used to route malicious traffic through legitimate home internet connections, helping attackers evade IP reputation controls while making abuse appear to come from ordinary consumers and organizations. Infoblox said more than 65% of its cloud customers queried domains tied to residential proxy services in 2026, with monthly DNS traffic rising from roughly 300–400 billion queries in early 2025 to more than 500 billion by April 2026, affecting every industry vertical examined, including healthcare, pharmaceuticals, banking, government, electronics, food and beverage, and industrial sectors. The company also observed no meaningful drop after disruption efforts against IPIDEA, and recorded a 265% single-day spike in queries to ipinfo[.]ipidea[.]io on January 23.
Separate telemetry from Gen Digital linked residential proxy traffic to 7.4 million malicious incidents affecting 572,000 users since January 2026, with notable concentration in India, Vietnam, and Brazil. Researchers said devices are often enrolled through pay-for-bandwidth apps, free VPNs, browser extensions, bundled SDKs, preinstalled Android TV software, IoT devices, malware, and potentially unwanted applications, sometimes without clear user consent. The reports warn that these networks are being used for phishing, credential stuffing, account takeover, ad fraud, scams, scraping, and reconnaissance, while shifting legal, reputational, and performance risks onto households and enterprises whose IP addresses become exit nodes. Recommended mitigations include Protective DNS, DNS log reviews, auditing apps and browser extensions for embedded proxy components, inspecting connected devices, and removing unknown or suspicious software.
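One way to run the DNS log review recommended above, as an added example that is not from this page or the cited reports. The log format, client IPs and sample lines are constructed, and the only watchlist entry is `ipidea.io`, assumed here as the parent zone of the `ipinfo[.]ipidea[.]io` host named in the reporting.

```python
from collections import Counter

# Only ipidea.io is derived from the page; add entries from your own threat-intel feed.
WATCHLIST = {"ipidea.io"}

# Constructed sample log, assumed format: "<ISO timestamp> <client IP> <qname> <qtype>"
SAMPLE_LOG = """\
2026-01-22T09:14:02Z 10.0.4.17 ipinfo.ipidea.io. A
2026-01-22T09:15:40Z 10.0.4.17 www.example.com. A
2026-01-23T02:01:11Z 10.0.4.17 ipinfo.ipidea.io. A
2026-01-23T02:01:12Z 10.0.9.30 IPINFO.IPIDEA.IO. AAAA
2026-01-23T02:03:55Z 10.0.9.30 ipinfo.ipidea.io. A
2026-01-23T02:04:01Z 10.0.9.30 ipinfo.ipidea.io. A
2026-01-23T07:30:00Z 10.0.2.8 ipidea.io.example.net. A
truncated line
""".splitlines()

def on_watchlist(qname, watchlist=WATCHLIST):
    """Match the name or any parent domain by whole labels.

    A substring test would wrongly flag ipidea.io.example.net.
    """
    labels = qname.replace("[.]", ".").lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))

def review(lines, watchlist=WATCHLIST):
    """Return ({client: hits}, {day: hits}) for queries to watchlisted domains."""
    per_client, per_day = Counter(), Counter()
    for line in lines:
        fields = line.split()
        if len(fields) != 4:          # skip malformed or truncated records
            continue
        ts, client, qname, _qtype = fields
        if on_watchlist(qname, watchlist):
            per_client[client] += 1
            per_day[ts[:10]] += 1     # bucket by the YYYY-MM-DD prefix
    return per_client, per_day

def day_over_day(per_day):
    """Percent change in watchlist hits versus the previous logged day."""
    days = sorted(per_day)
    return {d: round(100 * (per_day[d] - per_day[p]) / per_day[p])
            for p, d in zip(days, days[1:])}

if __name__ == "__main__":
    clients, days = review(SAMPLE_LOG)
    print("clients to inspect:", clients.most_common())
    print("day-over-day % change:", day_over_day(days))
```

Clients that appear in the first result are the hosts to audit for proxy SDKs, extensions or unwanted software; the second result surfaces single-day jumps of the kind Infoblox described.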

8 events from the most recent confirmed update back to the earliest known activity.
Gen Digital published a report warning that consumer devices and home internet connections can be turned into residential proxy exit nodes through apps, bundled SDKs, or malware, exposing households to attribution, security, and reputational risks.
Infoblox published research stating that more than 65% of its Threat Defense Cloud customers queried domains associated with residential proxy networks in 2026, with exposure spanning all industry verticals examined.
By April 2026, Infoblox said monthly DNS traffic to proxy-related domains had grown to more than 500 billion queries, reflecting continued expansion of residential proxy activity across customer networks.
In March 2026, the FBI warned that threat actors were compromising consumer internet-connected devices and routing malicious traffic through home IP addresses to evade detection. The warning highlighted neglected or low-cost devices such as routers, modems, streaming boxes, smartphones, tablets, and digital picture frames as common targets.
Infoblox observed a 265% single-day increase in customer networks querying ipinfo[.]ipidea[.]io on January 23, describing it as an anomaly around the IPIDEA disruption.
Gen Digital said that since January 2026 it observed 7.4 million malicious incidents tied to residential proxy traffic affecting 572,000 users, with activity concentrated in countries including India, Vietnam, and Brazil.
Infoblox said action was taken against the residential proxy service IPIDEA in January 2026, but observed no meaningful decline in related residential proxy traffic afterward.
Infoblox reported that DNS queries to domains used to access or orchestrate residential proxy networks began a steady rise starting in January 2025, eventually reaching more than 500 billion monthly queries by April 2026.
4 references tracked:
osintteam.blog
cybersecuritynews.com
gendigital.com
infoblox.com