Comcast Corporation

09/16/2025 | Press release | Distributed by Public on 09/17/2025 01:36

ResProxies – What Hasn’t Been Herd Yet

Residential proxies (ResProxies) are often presented as privacy tools or legitimate business enablers. Behind that benign, even "ethical," veneer lies a murky, deeply entrenched supply chain connected to cybercrime and other nefarious activity. Our team spent a year analyzing this landscape and found an architecture (built on elements we call "herds") that achieves resilience and digital obfuscation through deceptive practices, malware, and a thriving underground economy, which in turn supports a wide range of criminal conduct. Today we pull back the curtain on the architecture our analysis lays bare: the compromised endpoint groupings we call herds, the middleware infrastructure behind them, and how that capacity is distributed to the reseller marketplace.

What Are ResProxies[1]?

A ResProxy is software that runs on your phone, computer, or Internet of Things (IoT) device and relays other people's internet traffic through your connection. It is designed to leave no trace of its activity and to quietly launder that traffic, so that the outside world believes your device originated it.

Put another way, ResProxies are like forged return addresses on envelopes: someone else's internet traffic is rerouted through your connection, as if a letter had been mailed using your address without your knowledge, while the original sender's connection is masked and very hard to trace.

If you've seen the movie Catch Me If You Can, you'll remember how Frank Abagnale Jr. impersonated professionals and slipped through security by blending in just enough to seem legitimate. ResProxies operate on a similar principle. They allow attackers to "wear" someone else's digital identity, using your IP address to mask theirs, so they can move through the internet undetected.

These proxies are created through several methods:

  • Opt-in apps or browser extensions that quietly share your bandwidth. You may have seen offers to "earn beer money" or "get paid to share your internet." What they don't tell you is that if you accept that seemingly benign offer, thousands of strangers could be routing their traffic through your internet connection, masquerading as you.
  • Malware that silently turns your device into a ResProxy node, without even the uninformed "opt-in" consent just mentioned. This is common on compromised computers, phones, outdated routers, and even infected streaming devices.
  • Bundled software that buries ResProxy permissions in the fine print. Increasingly, free mobile games and apps appear to use this tactic as an alternative to generating revenue with ads.

Because they use real IP addresses, the activities of these ResProxies are incredibly difficult to detect or block: the traffic they send blends in with legitimate traffic. Some of that use is benign, for privacy or journalistic purposes, but the same property is why ResProxies have become a far more significant source of decidedly malicious conduct.

How Threat Actors Use ResProxies

ResProxies have become a go-to tool for threat actors and cybercriminals, a kind of Swiss Army knife for evasion and insidious anonymity. Cybercriminals use ResProxies to route their internet activity through clean IP addresses, often in residences or small businesses. A login that appears to come from a quiet suburban home might instead be coming from a credential-stuffing bot halfway around the world.

ResProxies are being used today for the following types of problematic activities:

  • Credential stuffing and brute-force attacks: ResProxies allow attackers to rotate IPs rapidly, bypassing rate limits and lockout mechanisms.
  • Phishing and identity theft: Malicious actors use ResProxies to host phishing infrastructure or interact with stolen accounts without triggering geolocation-based alerts.
  • Ad fraud: By simulating real user traffic, ResProxies are used to inflate ad impressions, clicks, and engagement metrics, reportedly costing advertisers billions.
  • Spam and fake account creation: ResProxies help automate the creation and management of fake social media, email, and e-commerce accounts at scale.
  • Data exfiltration: Threat actors use ResProxies to smuggle stolen data out of compromised networks, making attribution and tracing more difficult.
  • Malware distribution and Command and Control (C2) obfuscation: ResProxies serve as intermediaries between infected devices and C2 servers, hiding the true location of threat actors.
  • Web scraping and competitive intelligence: ResProxies are used to harvest data from public and private sources, often violating terms of service.
  • Bypassing geo-blocking and content restrictions: Attackers use ResProxies to misrepresent their location allowing access to region-locked services or facilitating localized phishing campaigns.
  • Stalking and surveillance: ResProxies reportedly also play a role in targeted abuse cases, masking the identity of individuals conducting surveillance or harassment online.
  • Human trafficking and illicit trade: In the darkest corners of the web, ResProxies are used to anonymize access to illegal marketplaces and communication platforms.
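The first item above, rate-limit and lockout bypass through IP rotation, is easy to see in code. The following is an added example, not code from the original article or from Comcast: a small sliding-window throttle applied to a constructed run of 20 password guesses against one account, each arriving from a different residential exit (RFC 5737 test addresses). Keying the throttle on the source IP, the common default, admits every guess; keying it on the targeted account stops the run after the configured limit.

```python
"""IP-keyed versus account-keyed throttling against a rotating-IP login run."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window`-second span."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # key -> timestamps of admitted events

    def allow(self, key: str, ts: float) -> bool:
        q = self.hits[key]
        while q and ts - q[0] >= self.window:   # expire events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


# Constructed attempts: 20 guesses against "alice" over 57 seconds, every one
# from a different residential exit address in the same /24.
ATTEMPTS = [(i * 3.0, f"203.0.113.{i + 1}", "alice") for i in range(20)]


def by_ip(ip: str, account: str) -> str:
    """Throttle key used by a naive limiter: the client address."""
    return ip


def by_account(ip: str, account: str) -> str:
    """Throttle key that survives IP rotation: the account under attack."""
    return account


def admitted(attempts, key_fn, limit: int = 5, window: float = 60.0) -> int:
    """Count how many attempts a limiter keyed by `key_fn` lets through."""
    limiter = SlidingWindowLimiter(limit, window)
    return sum(limiter.allow(key_fn(ip, acct), ts) for ts, ip, acct in attempts)


if __name__ == "__main__":
    print("IP-keyed      :", admitted(ATTEMPTS, by_ip), "of", len(ATTEMPTS), "admitted")
    print("account-keyed :", admitted(ATTEMPTS, by_account), "of", len(ATTEMPTS), "admitted")
```

Keying on the account has its own failure mode: a hard per-account lockout hands an attacker a denial-of-service lever against the victim, so production systems usually answer the account-level signal with step-up authentication or a temporary challenge rather than an outright lock, and combine it with the device and behavioral signals discussed later in the article.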

These real-world, active use cases continue to evolve and, at the same time, are becoming increasingly difficult to trace back to their source. ResProxies let attackers cloak their digital attacks, copyright violations, and worse within your legitimate internet traffic. As a result, services such as webmail, social media, shopping, and banking websites are left with the burden of filtering the bad while allowing the good. But when both kinds of traffic arrive from the same IP address because the device behind it hosts a ResProxy node, it can be nearly impossible to distinguish signal from noise, especially without advanced detection capabilities. Such detection capabilities are therefore what we at Comcast have started to develop.

The Hidden Supply Chain: Herds, Resellers, and the B2B ResProxy Market

Most websites that advertise ResProxy services are not the original source of the IPs they sell. They are resellers, the public-facing storefronts of a much larger and more opaque business-to-business (B2B) ecosystem.

Behind every reseller is a network of ResProxy suppliers, many of whom operate in the shadows. These suppliers control what we refer to as herds: groups of infected or co-opted devices managed in a coordinated way.

Each herd comprises tens of thousands of compromised endpoints, in some cases topping hundreds of thousands. The endpoints are devices such as:

  • Video streaming devices (especially secondhand or off-brand devices)
  • Mobile phones
  • Computers (especially those that have downloaded unlicensed or "pirated" games or apps)
  • IoT devices (especially off-brand devices)
  • Networking equipment (especially unpatched devices)

In many cases, the prime targets for exploitation are off-the-shelf consumer electronics devices that are unpatched, insecure, or end of life and no longer actively supported, or whose manufacturer has not prioritized security. These are easily susceptible to malware, which is a major source of ResProxies. But even more secure devices can be enrolled if the customer "opts in" through vague terms in a digital download or app, or by agreeing to a shady offer to "share internet" services or the like.

A note of distinction: At Comcast, we invest in the security of the products we build. Our gateways are rigorously tested and regularly patched. Comcast conducted the research discussed here to expand our understanding of state-of-the-art digital threats and so ensure our managed devices are as secure as possible. However, the consumer electronics market is vast, and many off-the-shelf devices from other sources, especially outdated devices, lack the same protections. This makes them prime targets for exploitation.

Once enrolled into ResProxy networks, the devices become drones, advertised and sold to paying users, some innocuous but many illicit. The ResProxy resellers typically advertise their services as "ethical," "compliant," or "opt-in," notwithstanding that the sourcing relies on multiple herds with questionable, or downright malicious, origins.

The Bidding Layer: A Dark Auction for Bandwidth

Demand for anonymized internet access by fraudsters, cybercriminals, and some legitimate users feeds the entire supply chain.

Based on our analysis of the architecture and data we have gathered from expert sources, here is how the money flows:

  • Buyers pay resellers for access to IPs available within a ResProxy network
  • Resellers use that revenue to purchase or bid for access to one or more herds of infected devices
  • Herd operators (we call these "wranglers") use their earnings to maintain infrastructure, recruit new devices, and advertise their inventory to resellers

This creates a dark auction house for bandwidth, where access to compromised devices is sold in real time. Like any market, price is determined by supply and demand. Most buyers likely value IP addresses with clean fraud scores, low latency, and high bandwidth connections.

In this model:

  • Resellers compete for fresh IPs based on price, volume, and geographic targeting
  • Wranglers will logically prioritize high-paying or high-volume buyers
  • The same IP may be sold to multiple resellers, increasing the risk of abuse

This creates a hidden marketplace where your home IP could be quietly sold to the highest bidder (or bidders), without your knowledge or consent. Resellers come and go-but the herds persist.

Over the past several years, multiple ResProxy resellers whose proxies were being used for illicit conduct have been taken down through legal enforcement actions. This is an important and commendable part of the process but often fails to remove the underlying issue.

Our research shows that the underlying herds-the true source of ResProxy traffic-often remain intact even when a reseller is taken down. These herds continue to operate quietly in the background, supplying new resellers as they emerge. In many cases, the same herd may support multiple resellers simultaneously or shift to new front-end brands after a takedown.

Following the BadBox disruption activities, the IPIDEA herd appears to have suffered a corresponding 50% reduction in size while key components of the herd infrastructure remained intact. Within a month, the herd recouped 50% of its losses.

This separation between ResProxy infrastructure (herds) and distribution (resellers) is by design. By keeping the operational and commercial layers distinct, wranglers insulate themselves from legal enforcement, blur Know Your Customer (KYC) boundaries and can create resilient infrastructure. They allow the front-line resellers to absorb legal risk, while the core engine of the ResProxy ecosystem continues to run-often for years.

Strategies for Defenders, Regulators, and Policymakers

The core tension in modern identity and access management is that users expect seamless access from anywhere, on any device, but defenders must detect abuse and introduce friction without disrupting legitimate behavior.

ResProxies exploit this ambiguity. They allow attackers to operate within the same behavioral envelope as real users, often from the same geographic region, using similar device fingerprints, and accessing the same services. This makes detection and bans difficult and even makes it hard to quantify the extent of the problem. Furthermore, the ResProxy software used to enroll devices into herds is often lightweight, evasive, and leaves almost no trace in system logs, so detecting it on the device in the field is rarely possible. Only through careful lab analysis of malware samples and network traffic can defenders begin to unravel how these systems operate.

This is why IP-based heuristics alone are no longer sufficient. Effective detection requires multi-dimensional analysis: correlating device history, behavioral patterns, session timing, and even subtle protocol-level signals.
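To make the multi-dimensional point concrete, here is an added example of what such correlation looks like over login telemetry. It is illustrative code written for this page, not Comcast's detection pipeline, and it runs over a constructed sample: a credential-stuffing run that cycles through residential exits (RFC 5737 test addresses) alongside one genuine user on a home line. The TLS fingerprint labels and the `EXPECTED_TLS` mapping of User-Agent family to expected fingerprint are hypothetical; a real deployment would learn that mapping from its own traffic. Events are clustered on the TLS client fingerprint rather than the IP address, because the attacker's client stack stays constant while the exit address rotates, and four independent signals (per-account address spread, cross-prefix fan-out with a high failure rate, User-Agent versus TLS-stack mismatch, and machine-regular cadence) are summed into one score.

```python
"""Multi-signal scoring of login events to surface residential-proxy abuse.

Constructed example: no single signal below is decisive on its own, and an IP
block list would miss a campaign that never reuses an exit address.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since the start of the observation window
    ip: str
    account: str
    ua: str        # User-Agent family as parsed at the edge
    tls_fp: str    # TLS ClientHello fingerprint label (hypothetical values)
    ok: bool       # authentication succeeded


# Assumed mapping of client family -> fingerprint labels it normally produces.
# Hypothetical; a real deployment derives this from its own telemetry.
EXPECTED_TLS = {"ios-safari": {"fp-ios-safari"}, "win-chrome": {"fp-win-chrome"}}

# Constructed sample: one client stack hitting two accounts from rotating
# residential /24s every 5 seconds, plus a genuine user ("eve") at home.
SAMPLE = [
    Event(0.0,  "192.0.2.10",    "alice", "ios-safari", "fp-python-tls", False),
    Event(5.0,  "198.51.100.20", "alice", "ios-safari", "fp-python-tls", False),
    Event(10.0, "203.0.113.30",  "alice", "ios-safari", "fp-python-tls", False),
    Event(15.0, "192.0.2.11",    "bob",   "ios-safari", "fp-python-tls", False),
    Event(20.0, "198.51.100.21", "bob",   "ios-safari", "fp-python-tls", True),
    Event(25.0, "203.0.113.31",  "bob",   "ios-safari", "fp-python-tls", False),
    Event(3.0,  "192.0.2.77",    "eve",   "ios-safari", "fp-ios-safari", False),
    Event(41.5, "192.0.2.77",    "eve",   "ios-safari", "fp-ios-safari", True),
]


def prefix24(ip: str) -> str:
    """Collapse an IPv4 address to its /24, the granularity a residential pool rotates in."""
    return ".".join(ip.split(".")[:3])


def score_events(events, window: float = 600.0, min_run: int = 4):
    """Return {tls_fp: (score, reasons)} for the events inside `window` seconds."""
    events = sorted(events, key=lambda e: e.ts)
    t0 = events[0].ts
    events = [e for e in events if e.ts - t0 <= window]

    acct_prefixes = defaultdict(set)   # account -> /24s it was contacted from
    clusters = defaultdict(list)       # tls_fp -> its events, in time order
    for e in events:
        acct_prefixes[e.account].add(prefix24(e.ip))
        clusters[e.tls_fp].append(e)

    results = {}
    for fp, evs in clusters.items():
        score, reasons = 0, []
        # Signal 1: an account this cluster touched was hit from >= 3 different /24s.
        spread = sorted({e.account for e in evs if len(acct_prefixes[e.account]) >= 3})
        if spread:
            score += 1
            reasons.append(f"account(s) hit from >=3 /24s: {spread}")
        # Signal 2: one client stack fanned out across prefixes, mostly failing.
        prefixes = {prefix24(e.ip) for e in evs}
        fail_rate = sum(not e.ok for e in evs) / len(evs)
        if len(prefixes) >= 3 and fail_rate >= 0.5:
            score += 1
            reasons.append(f"{len(prefixes)} prefixes, fail rate {fail_rate:.2f}")
        # Signal 3: the claimed User-Agent family does not match the TLS stack seen.
        if any(fp not in EXPECTED_TLS.get(e.ua, {fp}) for e in evs):
            score += 1
            reasons.append("User-Agent / TLS fingerprint mismatch")
        # Signal 4: machine-regular cadence across the cluster's attempts.
        if len(evs) >= min_run:
            gaps = [b.ts - a.ts for a, b in zip(evs, evs[1:])]
            if pstdev(gaps) < 1.0:
                score += 1
                reasons.append(f"regular cadence, gap stdev {pstdev(gaps):.2f}s")
        results[fp] = (score, reasons)
    return results


def flagged(events, threshold: int = 2):
    """Fingerprint clusters whose combined score reaches `threshold`."""
    return sorted(fp for fp, (s, _) in score_events(events).items() if s >= threshold)


if __name__ == "__main__":
    for fp, (s, why) in score_events(SAMPLE).items():
        print(f"{fp}: score {s} {why}")
```

Note what the IP-only view would have said: each address appears once or twice with a plausible residential history, so none of them is individually suspicious. The run is only visible once the per-account spread, the shared client stack, and the timing are read together, which is the sense in which IP heuristics alone fall short.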

These insights have major implications for how we mitigate ResProxy abuse:

  • Targeting resellers is not enough. We must work together to identify and dismantle the herds themselves
  • Malware analysis and infrastructure mapping are critical to uncovering the true operators behind proxy networks
  • International cooperation is essential. These networks intentionally span borders, and so must our response
  • ISPs and tech platforms must collaborate to share telemetry and disrupt ResProxy traffic at the source

The Comcast Threat Research Lab (CTRL) has done tremendous work to be able to actively track ResProxy herds, resellers, and the broader ecosystem in real time. Our approach combines advanced malware analysis with a suite of defensive techniques tailored to this evolving threat landscape.

We curate and maintain internal threat intelligence feeds which include items such as dynamic listing of ResProxy infrastructure and Indicators of Compromise (IOCs).

What's Changing in 2025

The ResProxy landscape is evolving quickly. Key trends include:

  • AI-enhanced proxy management: Attackers are using artificial intelligence to rotate ResProxies, mimic human behavior, and further avoid detection
  • 5G and mobile IPs: The rise of mobile and 5G networks is making IP rotation faster and more dynamic
  • Decentralized ResProxy networks: Some ResProxy services appear to now operate without central control, making takedowns harder
  • ResProxy-as-a-service platforms: These services offer access to millions of residential IPs with targeting by country, city, or ISP

Final Thoughts

While the work of the CTRL team has improved visibility into the emerging threats posed by ResProxies, our ability to mitigate them remains constrained. These threats originate from devices that fall outside Comcast's ownership and management and also originate on other provider networks across the ecosystem, limiting our capacity to take direct action. However, we hope that sharing what we have learned will help defenders everywhere.

ResProxies are no longer a niche concern. They are a core part of the evolving cybersecurity threat landscape. The cyber community, from CISOs to front-line defenders, needs to understand how they work, how they're evolving, and how to manage the risks they introduce.

Whether you're building detection pipelines, advising legal teams, or shaping policy, ResProxies should be on your radar in 2025.

[1] The word "residential" in the name "Residential Proxy" can be a misnomer, as the proxies can exist on devices in residential, business, institutional, and other types of premises. The cyber threat community lumps all of these under the title ResProxy, and we follow suit here for clarity.

Comcast Corporation published this content on September 16, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 17, 2025 at 07:37 UTC. If you believe the information included in the content is inaccurate or outdated and requires editing or removal, please contact us at [email protected]