The War on Residential Proxy Networks

Financial institutions have long relied on network‑based controls to keep criminals out of Internet Banking systems and other critical infrastructure. But those controls are becoming less effective as criminals increasingly hide behind residential proxy networks. These networks make fraudulent activity appear as if it’s coming from a normal household Internet connection, rather than an obviously suspicious source.

Many households are unknowingly enrolled in residential proxy networks. This can happen when people:

• Download free or inexpensive software
• Install browser extensions
• Purchase low‑cost smart devices (video cameras, smart TVs, IoT gadgets)

These products can intentionally include hidden proxy code because the developer profits from selling access to the user’s connection. In other cases, the developer is unaware because hackers may have injected the proxy code somewhere in the software or device supply chain. Once installed, this code allows the device to quietly accept and relay Internet traffic as if it originated from the home network.

Operators of residential proxy networks sell access to these “clean” home IP addresses. Their biggest customers? Criminals trying to evade fraud detection. To the security systems at your institution, the traffic appears to be coming from a normal residential user, not a fraudster on the other side of the world.

Residential proxy networks themselves aren’t illegal. Only the criminal behavior routed through them is. To legally dismantle one, an organization must:

1. Prove the network is primarily used for criminal purposes
2. Present the case in court
3. Obtain authorization to take down the domains the network uses

Few organizations have the resources to pursue this work. Google is one that does, and recently disrupted a massive residential proxy network known as IPIDEA, which consisted of millions of compromised devices.^[1]

To help fight the war against residential proxy networks, institutions can do a few things. First, awareness is a powerful defense. Help people understand that “free” software or cheap IoT devices may come with hidden costs—like unintentionally helping criminals.

You can also encourage customers and employees to check whether their home IP address is associated with proxy traffic by browsing to https://check.labs.greynoise.io/. The site will immediately indicate whether the current IP has been flagged.

Another thing institutions can do is to help legislate. There is growing recognition that the current takedown process is too slow and too complex. Sezaneh Seymour recently recommended that Congress create a specialized Article I court dedicated to domain takedowns.^[2] Such a court would:

• Have judges and staff with the technical expertise required
• Use streamlined, standardized procedures
• Make it easier for organizations to initiate legal action against criminal domain networks

Encouraging your Representatives to support this kind of reform could help make it significantly easier to disrupt these proxy networks in the future.

Residential proxy networks are making fraud prevention more challenging and more complex for financial institutions. But through better education, stronger advocacy, and greater awareness, your institution can take meaningful steps to reduce risk and support industry‑wide efforts to combat this growing threat.