Google has announced a major cybersecurity victory after successfully dismantling one of the world’s largest and most covert residential proxy networks. The operation was led by the Google Threat Intelligence Group (GTIG) in collaboration with industry partners and targeted a notorious network known as IPIDEA, which had been quietly operating for years.
According to Google, the network exploited millions of Android smartphones and Windows computers, secretly converting them into internet proxies. These compromised devices were then used by cybercriminals to route malicious traffic, effectively hiding the true origin of cyberattacks behind legitimate residential IP addresses.
In a detailed blog post, Google explained how residential proxy networks operate and why they pose a serious security threat. Such networks are typically unauthorised and unethical services that reroute internet traffic through compromised consumer devices rather than traditional servers.
By using everyday home and mobile IP addresses, attackers can make harmful activity appear legitimate, making detection significantly more difficult for cybersecurity systems.
Residential proxy networks are commonly used to support a wide range of cybercriminal activities, including:
- Credential stuffing attacks
- Account takeovers
- Content scraping
- Ad fraud and financial fraud
Because the traffic looks like it is coming from real users rather than data centres, malicious actions often bypass standard security filters.
Google revealed that the IPIDEA network spread through a mix of malicious Android applications and proxy software installed on Windows PCs. These apps were primarily distributed outside official app stores, including through third-party websites and platforms that lack rigorous security screening.
Once installed, the malware ran hidden services in the background, allowing attackers to relay traffic through the infected devices without the owners’ knowledge.
One of the most concerning aspects of the operation was its stealth. Google said the proxy activity was often invisible to users and showed no obvious signs such as excessive battery drain or unusual data usage. This allowed compromised devices to remain part of the network for extended periods.
To avoid detection, the operators also obscured their command-and-control infrastructure, making it harder for researchers and security tools to trace malicious traffic back to its source.
To dismantle IPIDEA, GTIG and its partners identified the command-and-control servers that coordinated the proxy network. Google then worked closely with infrastructure providers and domain registrars to disable the domains and servers responsible for issuing commands and routing traffic.
This action effectively cut off communication between the attackers and the compromised devices, rendering the proxy network unusable.
Google also said it updated its internal detection systems to identify similar proxy-based malware more quickly in the future. These enhanced signals are designed to spot recurring tools and techniques used to build residential proxy networks, helping prevent large-scale abuse before it spreads.
Google emphasised that fighting illicit proxy networks requires collaboration across the tech ecosystem. In its statement, the company said:
“We encourage mobile platforms, ISPs, and other tech platforms to continue sharing intelligence and implementing best practices to identify illicit proxy networks and limit their harms.”
The comment highlights the growing importance of information-sharing between technology firms, internet service providers, and cybersecurity researchers as cyber threats become more sophisticated.
The disruption of IPIDEA is significant because residential proxy networks are increasingly used in large-scale cybercrime operations. With attackers exploiting consumer devices instead of traditional infrastructure, the line between legitimate and malicious traffic has become harder to draw.
By taking down one of the largest known networks of this kind, Google has not only disrupted ongoing cyberattacks but also raised awareness about the risks posed by unofficial apps and unverified software downloads.
Google’s takedown of the IPIDEA proxy network marks a major step forward in the fight against large-scale cyber abuse. By secretly hijacking Android phones and Windows PCs, the network enabled cybercriminals to mask malicious activity behind trusted residential IP addresses.
Through coordinated action, infrastructure shutdowns, and improved detection systems, Google and its partners have significantly weakened this threat. The incident serves as a reminder for users to download apps only from trusted sources and for the tech industry to continue collaborating to combat evolving cyber risks.