In a major operational strike, Google and industry partners disrupted the IPIDEA residential proxy network, significantly degrading its scale and availability across the U.S., Canada, and Europe. IPIDEA, a large residential proxy network widely used by threat actors to mask their origin, routes traffic through legitimate residential IP addresses so that malicious activity appears to be benign traffic from homes and businesses.
Meanwhile, four young swatting suspects from Hungary and Romania were arrested, and a Kingdom Market operator and the second charged operator of the Empire dark web market pleaded guilty, against the backdrop of a new FBI cyber resilience operation.
According to Google's Threat Intelligence Group (GTIG), the operation reduced the pool of available proxy-enabled devices by millions, limiting the network's ability to provide anonymity to cybercriminals. The IPIDEA network grew by having specific software development kits (SDKs) embedded in ordinary software applications.
Once a user installed one of these apps on a smartphone or Windows PC, the device was quietly enrolled in the residential proxy network, monetizing the user's bandwidth without their explicit consent. These enrolled devices became exit nodes for a range of illicit activity, from high-end espionage to large-scale botnet operations such as BadBox 2.0, Kimwolf, and Aisuru.
Many well-known residential proxy brands are not only affiliated with but also controlled by the actors behind IPIDEA, including ostensibly independent proxy and VPN brands:
Over a seven-day period this month, GTIG observed more than 550 threat groups from China, DPRK, Iran, and Russia using IPIDEA exit nodes to obfuscate their activities, including access to victim SaaS environments and on-premises infrastructure, as well as password spray attacks.
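Because each spray attempt arrives from a different residential address, per-IP lockout rarely triggers, so defenders tend to look for the pattern instead: one source failing against many distinct accounts in a short window, and successful sign-ins whose source is a known proxy exit. The following detection sketch is an added example, not code from Google's report or the IPIDEA takedown. The sign-in records, the IP addresses (documentation ranges) and the proxy-exit list are constructed for illustration; in practice the proxy attribution would come from a feed such as Spur's or the identity provider's own enrichment, and the log would be the IdP's sign-in export.

```python
"""Flag password-spray patterns and sign-ins arriving via residential-proxy exits.

Added example. Log lines, IP addresses and the PROXY_EXITS set below are
constructed (hypothetical) data, not observations from the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: IPs a proxy-attribution feed has tagged as residential-proxy exits.
PROXY_EXITS = {"198.51.100.7", "198.51.100.23", "203.0.113.44"}

# Constructed IdP sign-in log: (timestamp, source IP, account, result).
SIGNIN_LOG = [
    # One proxy exit trying a single password against many accounts in 30 seconds.
    ("2024-01-15T09:00:01Z", "198.51.100.7", "alice@example.com", "FAIL"),
    ("2024-01-15T09:00:04Z", "198.51.100.7", "bob@example.com", "FAIL"),
    ("2024-01-15T09:00:09Z", "198.51.100.7", "carol@example.com", "FAIL"),
    ("2024-01-15T09:00:15Z", "198.51.100.7", "dave@example.com", "FAIL"),
    ("2024-01-15T09:00:22Z", "198.51.100.7", "erin@example.com", "FAIL"),
    ("2024-01-15T09:00:30Z", "198.51.100.7", "frank@example.com", "FAIL"),
    # The spray lands: one guessed password works, then a second exit reuses it.
    ("2024-01-15T09:01:02Z", "198.51.100.7", "dave@example.com", "SUCCESS"),
    ("2024-01-15T09:05:40Z", "198.51.100.23", "frank@example.com", "SUCCESS"),
    # A legitimate user mistyping their own password from home: not a spray.
    ("2024-01-15T09:02:00Z", "192.0.2.10", "grace@example.com", "FAIL"),
    ("2024-01-15T09:02:20Z", "192.0.2.10", "grace@example.com", "FAIL"),
    ("2024-01-15T09:02:45Z", "192.0.2.10", "grace@example.com", "SUCCESS"),
    # Slow probing from a third exit: below threshold in any 10-minute window.
    ("2024-01-15T10:00:00Z", "203.0.113.44", "heidi@example.com", "FAIL"),
    ("2024-01-15T10:30:00Z", "203.0.113.44", "ivan@example.com", "FAIL"),
    ("2024-01-15T11:00:00Z", "203.0.113.44", "judy@example.com", "FAIL"),
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(log, min_users: int = 5, window_minutes: int = 10):
    """Return {ip: sorted accounts} for sources that failed against at least
    min_users distinct accounts inside any sliding window of window_minutes.

    Repeated failures by one account (a forgotten password) never qualify,
    because the test is on distinct accounts, not on failure count.
    """
    window = timedelta(minutes=window_minutes)
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in log:
        if result == "FAIL":
            fails_by_ip[ip].append((parse_ts(ts), user))

    hits = {}
    for ip, events in fails_by_ip.items():
        events.sort()  # by timestamp, so a two-pointer window works
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            if len(distinct) >= min_users:
                # Report every account this source touched, not just the window.
                hits[ip] = sorted({user for _, user in events})
                break
    return hits


def proxy_backed_successes(log, proxy_exits=PROXY_EXITS):
    """Successful sign-ins whose source IP is a known residential-proxy exit.

    A success from a proxy exit is not proof of compromise (some users do run
    VPNs), but combined with a spray from the same exit it is a strong signal.
    """
    return [(ts, ip, user) for ts, ip, user, result in log
            if result == "SUCCESS" and ip in proxy_exits]


if __name__ == "__main__":
    for ip, users in detect_password_spray(SIGNIN_LOG).items():
        print(f"spray from {ip}: {len(users)} accounts -> {', '.join(users)}")
    for ts, ip, user in proxy_backed_successes(SIGNIN_LOG):
        print(f"success via proxy exit {ip} at {ts}: {user}")
```

Lowering `min_users` and widening `window_minutes` catches the slow-probing exit at the cost of more noise; the thresholds are a tuning decision for the environment, not constants from the report.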
The same actors that control the IPIDEA proxy network also control SDKs:
“Our analysis of various malware samples and the SDKs found a single shared pool of Tier Two servers,” the report said, mentioning the existence of approximately 7,400 Tier Two servers at the time of writing. The analysis also uncovered Trojanized Windows binaries, such as apps masquerading as OneDriveSync and Windows Update, and over 600 Android apps using monetization SDKs that enabled IPIDEA proxy behavior.
This proxy network takedown effort involved collaboration with industry partners, including Spur, Lumen’s Black Lotus Labs, and Cloudflare, to assess the network's scale and disrupt its domain-resolution capabilities.
Alongside the proxy disruption, authorities this week announced the arrest of four young swatting suspects from Hungary and Romania after police across Hungary received a series of alarming reports that triggered emergency responses.
The calls included bomb threats targeting school, religious, and residential buildings, as well as warnings of planned attacks on police units and threats to kill specific people.
Raheim Hamilton, 30, of Suffolk, Virginia, pleaded guilty in Chicago federal court this week, concluding a major early-2020s cybercrime case. Prosecutors linked the Empire Market dark web marketplace he ran with Thomas Pavey, 40, of Florida, from 2018 to 2020, to $430 million in transactions involving drugs, counterfeit currency, and stolen credit card data.
Pavey pleaded guilty in January 2025. Both were charged in 2024 and face up to 10 years in prison.
Also, Alan Bill, 33, a Slovakian national, pleaded guilty to conspiracy to distribute controlled substances for operating Kingdom Market, a darknet marketplace selling drugs, cybercrime tools, fake IDs, and stolen data from March 2021 to December 2023. “The drug trafficking conspiracy charge carries a penalty of at least five years in prison, with a maximum of 40, and the possibility of a fine of up to $5 million,” the DoJ said.
These developments unfolded as the FBI launched Operation Winter SHIELD (Securing Homeland Infrastructure by Enhancing Layered Defense), a cyber resilience campaign. A recently posted FBI advisory issued under the campaign recommends that organizations: