
The Rise of Residential Proxies - Why We Can't Trust IP Addresses Anymore

Remember when we could block bad traffic by just checking an IP address? Those days are gone. The rise of residential proxies, especially mobile proxies like those from Proxidize, has changed the security landscape forever.

Why is this a problem now?

Residential proxies use real household IP addresses to route traffic, making it look like it comes from normal homes rather than data centres. Companies like Proxidize have made it simple for anyone to set up mobile proxies using Android phones or USB modems.

As I've been saying in my presentations at AISA and other security conferences, these proxies "masquerade internet usage as originating from residential and office networks," which means they bypass most security tools that organisations rely on for protection.

What's changed recently is how accessible these proxies have become. Proxidize offers kits that let anyone set up a proxy farm - from 5-modem kits at $499 to 80-modem setups for around $6,000. They've created a plug-and-play system where you can be up and running "in less than 60 seconds."

Proxidize users process an estimated 80 billion records combined every single day. Yes, you read that right, 80B+ Records Scraped Daily.

Even more concerning, Proxidize and similar companies are marketing this as a "passive income opportunity," where people can earn money by setting up proxy farms and selling access to others. In their recent webinar, they announced plans for a "Proxidize Grid" marketplace where users can sell their proxies with "a single click through an automated Marketplace."

The BYOD mobile proxy revolution

Companies like iProxy.online have taken this a step further with a Bring Your Own Device (BYOD) approach. Rather than requiring specialised hardware, they let customers turn any Android device into a mobile proxy.

As Sabir, the cofounder of iProxy.online, explained in a recent interview, "You can install iProxy app here and in the dashboard you have proxy access like Socks5, HTTP accesses, and traffic goes through your device."

This means anyone with an old Android phone and a SIM card can create their own mobile proxy, dramatically lowering the barrier to entry. For around $59 per month (based on Proxidize's pricing), users get access to what Sabir calls "precious" mobile IP addresses.

Why are mobile IPs so valuable? As Sabir explains: "If you have Barcelona, we are here in Barcelona and you have like 2 million people living there and you have like several thousands of IP addresses from your mobile providers. And one IP address is shared by many. By thousands of people... And if you have mobile IP address, this cannot be blocked by Facebook or Instagram or any other services because in this case, like innocent people, like thousands of them will be blocked."

This carrier-grade NAT (CGNAT) technology means mobile IP addresses are shared across thousands of users, making them nearly impossible to block without affecting legitimate users.

What this enables attackers to do

With residential proxies, attackers can:

  1. Hide behind legitimate IP addresses that security systems trust
  2. Bypass geo-restrictions to attack from what appears to be a local source
  3. Distribute attacks across thousands of residential IPs to avoid detection
  4. Make malicious traffic look like it comes from normal users

In my work at Peakhour.IO, we've seen a rise in attacks originating from these residential proxies. The Chinese state-sponsored group Camaro Dragon showed the potential of these proxies when they developed custom firmware for TP-Link routers, turning them into residential proxies for their operations. This method let them bypass traditional defences like GeoIP blocking because the traffic appeared to come from normal homes.

The even more concerning trend is that these proxies are becoming commoditised. You no longer need to be a nation-state actor to leverage them. Anyone with a few hundred dollars can set up a residential proxy farm or use services like iProxy.online to route their traffic through mobile networks.

How it enables data exfiltration

Data exfiltration becomes much harder to detect when residential proxies are involved. State-sponsored actors like Volt Typhoon have used compromised network devices to "proxy all network traffic to targets through compromised SOHO network edge devices."

This means stolen data travels through home routers or office equipment before reaching the attacker, making it nearly impossible to trace. Since the traffic appears to come from thousands of different legitimate sources, traditional data loss prevention tools struggle to identify and block the exfiltration.

I've worked with organisations that have suffered breaches where data was exfiltrated through residential proxies. In these cases, the traffic blended in with normal home user traffic, making it extremely difficult to detect. These weren't sophisticated nation-state attacks—they were conducted by ordinary cybercriminals using commercially available residential proxy services.

How it enables credential stuffing and other attacks

Credential stuffing attacks have hit Australian businesses hard, with companies like The Iconic, Guzman y Gomez, Dan Murphy's, and others falling victim. These attacks work because attackers can distribute their login attempts across thousands of residential IP addresses.

When an attack comes through residential proxies, each login attempt appears to come from a different legitimate user. IP-based rate limiting fails because no single IP shows suspicious volume. Even when security teams try to block suspicious regions, proxies let attackers appear to be local customers.
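To show why per-IP rate limiting fails here and what a source-agnostic view catches instead, the following is an added example (not Peakhour's code): a constructed one-minute login window in which 300 stuffing attempts each arrive from a different address, alongside 20 legitimate logins. Thresholds, IP ranges and account names are constructed for illustration.

```python
from collections import Counter

def constructed_events():
    """Constructed login events for one 60-second window: (second, src_ip, username, success).
    Not real traffic. Background: 20 legitimate users each succeeding once. Attack: 300
    attempts against 300 different accounts, each from a different source IP, as a
    credential-stuffing run spread over a residential/mobile proxy pool would look."""
    events = [(i * 3, f"203.0.113.{i}", f"user{i}", True) for i in range(20)]
    for i in range(300):
        # 100.64.0.0/10 is the CGNAT shared range, used here only as a constructed source
        events.append((i % 60, f"100.64.{i // 256}.{i % 256}", f"victim{i}", i % 50 == 0))
    return events

def per_ip_offenders(events, limit=10):
    """Classic per-IP rate limit: flag any source exceeding `limit` attempts in the window.
    Against a proxy pool every IP shows one attempt, so nothing is ever flagged."""
    counts = Counter(ip for _, ip, _, _ in events)
    return {ip for ip, n in counts.items() if n > limit}

def distributed_stuffing_signal(events, min_attempts=50, max_fail_ratio=0.2, min_spread=0.8):
    """Window-wide view that ignores the source IP: a burst of failures spread across
    almost as many distinct IPs and accounts as attempts is the stuffing signature."""
    attempts = len(events)
    failures = sum(1 for *_, ok in events if not ok)
    distinct_ips = len({ip for _, ip, _, _ in events})
    distinct_users = len({user for _, _, user, _ in events})
    fail_ratio = failures / attempts if attempts else 0.0
    ip_spread = distinct_ips / attempts if attempts else 0.0  # ~1.0 means one attempt per IP
    return {
        "attempts": attempts, "failures": failures, "fail_ratio": fail_ratio,
        "distinct_ips": distinct_ips, "distinct_users": distinct_users,
        "alert": attempts >= min_attempts and fail_ratio > max_fail_ratio and ip_spread > min_spread,
    }

if __name__ == "__main__":
    events = constructed_events()
    print("per-IP limit flagged:", per_ip_offenders(events))        # set()
    print("window signal:", distributed_stuffing_signal(events))    # alert True
```

The per-IP limiter stays silent because no address ever exceeds one attempt; the window-wide failure ratio and one-attempt-per-IP spread are what give the run away.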

According to our research at Peakhour.IO, traditional IP intelligence services are failing to detect these proxies. Tests we conducted showed that top providers like MaxMind detected 0% of residential proxies, while even the best performer, IPQualityScore, only identified 24%.

The numbers are staggering. We've seen cases where up to 40% of traffic to Australian e-commerce sites consists of bots using residential proxies for credential stuffing, price scraping, and inventory checking. This not only puts customer accounts at risk but also distorts analytics and wastes marketing budgets on fake traffic.

The TCP/IP fingerprinting challenge

One aspect of mobile proxies that makes them even more effective is the ability to match TCP/IP fingerprints with the purported device. As Sabir from iProxy.online explains:

"In some cases, your fingerprint, TCP fingerprint should match to your user agent. For example, if you like pretending to be a Mac user or iOS user or Windows user, your TCP fingerprint should be matched with your browser fingerprint."

This level of sophistication means that even advanced detection mechanisms that look for mismatches between TCP/IP fingerprints and browser types can be bypassed.

Anybody can now set them up

The barrier to entry for setting up residential proxies has dropped to almost nothing. Companies like Proxidize market their products as simple to use, with statements like "Start using Proxidize in less than 60 seconds."

There are YouTube videos showing how to earn "passive income" by setting up proxy farms. One video explains how hosts can earn "$200 a month minimum" by hosting Proxidize hardware in their homes.

With iProxy.online, it's even simpler—just install an app on an Android phone, and you have a mobile proxy. As Sabir explains, "Actually your expenses are like you pay like for the SIM card, you pay a small subscription fee to the service and you just... That's it. It requires like one minute of work just to download an app."

This accessibility means that the use of residential proxies is no longer limited to nation-states and sophisticated cybercriminal organisations. It's now within reach of anyone with basic technical skills.

The solution: per-connection detection

The rise of residential proxies means we can no longer rely on IP reputation databases to identify threats. As I've been explaining in my talks, "Residential proxies pose a significant challenge to traditional defense mechanisms... making malicious traffic appear legitimate."

What we need instead is per-connection detection that looks at network behaviour patterns rather than just IP addresses. At Peakhour.IO, we've developed techniques that stack detections on all layers to provide comprehensive detection and mitigation.

One particularly effective technique we've found is analysing protocol behaviour. When traffic passes through a residential proxy, there is often a detectable difference between the network-layer signature (which comes from the proxy device) and the application-layer signature (which comes from the client application behind it).

These techniques can identify proxy connections even when they come from legitimate residential IP addresses, giving us a fighting chance against this new wave of threats.
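As an added example of the network-versus-application comparison just described (and of the TCP fingerprint / User-Agent mismatch the iProxy.online quote refers to), the following is illustrative code, not Peakhour's detection engine. The signature table is a deliberately simplified p0f-style mapping of initial TTL and TCP window size to OS family, and the connection records are constructed.

```python
import re

# Simplified passive TCP fingerprint table: (initial TTL, TCP window size) -> OS family.
# These are well-known stack defaults that p0f-style tools key on; real signatures also
# use TCP options, MSS and window scaling, and vary by OS version. Android is Linux.
TCP_SIGNATURES = {
    (128, 65535): "windows", (128, 8192): "windows",
    (64, 65535): "apple",                                  # macOS / iOS
    (64, 29200): "linux", (64, 64240): "linux", (64, 5840): "linux",
}
UA_FAMILIES = [(r"Windows NT", "windows"), (r"Android|X11; Linux", "linux"),
               (r"iPhone|iPad|Mac OS X", "apple")]

def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (each hop decrements it)."""
    return next((t for t in (64, 128, 255) if observed <= t), None)

def os_from_tcp(ttl, window):
    """Network-layer claim: the OS family of the stack that actually opened the connection."""
    return TCP_SIGNATURES.get((initial_ttl(ttl), window), "unknown")

def os_from_ua(user_agent):
    """Application-layer claim: the OS family the User-Agent header says it is."""
    return next((fam for pat, fam in UA_FAMILIES if re.search(pat, user_agent)), "unknown")

def classify(conn):
    """'mismatch' when the TCP stack and the User-Agent disagree on OS family."""
    net, app = os_from_tcp(conn["ttl"], conn["window"]), os_from_ua(conn["ua"])
    if "unknown" in (net, app):
        return "unknown"
    return "consistent" if net == app else "mismatch"

# Constructed connection records, not captured traffic. c2 is the case the text describes:
# a Windows browser User-Agent arriving over a Linux (Android phone) TCP stack.
SAMPLE_CONNECTIONS = [
    {"id": "c1", "ttl": 119, "window": 65535, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"},
    {"id": "c2", "ttl": 57,  "window": 29200, "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"},
    {"id": "c3", "ttl": 60,  "window": 65535, "ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_4 like Mac OS X) Safari/604.1"},
    {"id": "c4", "ttl": 52,  "window": 64240, "ua": "Mozilla/5.0 (Linux; Android 13; Pixel 7) Chrome/124.0 Mobile"},
    {"id": "c5", "ttl": 63,  "window": 14600, "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"},
]

def mismatched(conns):
    """IDs of connections whose network and application layers tell different stories."""
    return [c["id"] for c in conns if classify(c) == "mismatch"]

if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS:
        print(c["id"], os_from_tcp(c["ttl"], c["window"]), os_from_ua(c["ua"]), classify(c))
    print("mismatched:", mismatched(SAMPLE_CONNECTIONS))   # ['c2']
```

As the iProxy.online quote above makes clear, a careful operator aligns both layers, so this check is one layer in a detection stack rather than a verdict on its own.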

A call to action for Australian businesses

If you're an Australian business, especially in e-commerce, financial services, or any industry that relies on user accounts, you need to take the residential proxy threat seriously.

Traditional security approaches based on IP reputation, geolocation, and rate limiting are no longer sufficient. You need to implement per-connection detection that can identify residential proxy usage regardless of the source IP address.

At Peakhour.IO, we've seen too many organisations fall victim to attacks that could have been prevented with the right detection mechanisms. Don't wait until you're the next headline about credential stuffing or data exfiltration.

IP addresses alone can no longer tell us who to trust. We need to look deeper at each connection to protect our systems and data in this new reality of proxy networks.

© PEAKHOUR.IO PTY LTD 2024   ABN 76 619 930 826    All rights reserved.