Google disrupts one of the world’s largest residential proxy networks IPIDEA 

 

Google, in collaboration with industry partners, has disrupted IPIDEA, one of the world’s largest residential proxy networks. The company said it took legal action to shut down domains used to control compromised devices and route proxy traffic through them.

Residential proxy networks provide access to IP addresses assigned by internet service providers (ISPs) to real households and small businesses. While some are marketed as legitimate services, the networks are frequently exploited by cybercriminals. By funneling traffic through thousands of consumer devices worldwide, attackers can hide the true source of malicious activity and evade detection.

Google says IPIDEA has become particularly notorious for supporting large-scale botnet operations. Its software development kits were used to infect and recruit devices into botnets, while its proxy infrastructure enabled threat actors to manage and monetize those networks. IPIDEA has been linked to several botnets, including BadBox 2.0, as well as the more recent Aisuru and Kimwolf botnets.

Google’s Threat Intelligence Group (GTIG) also observed IPIDEA being leveraged by espionage, cybercrime, and information operations actors. During a single seven-day period in January 2026, GTIG tracked more than 550 distinct threat groups using IPIDEA-associated IP addresses to conceal their activities. The groups included actors linked to China, North Korea, Iran, and Russia, with operations ranging from accessing victim SaaS environments and on-premises infrastructure to carrying out large-scale password spray attacks.

In a separate development, US authorities have seized the dark web and clearnet domains of RAMP (Russian Anonymous Marketplace), a major cybercrime forum used by ransomware gangs, extortionists, and initial access brokers. DNS records show the domains have been seized. The platform’s alleged administrator, known online as “Stallman,” confirmed in a post on the XSS cybercrime forum that authorities had taken control of RAMP. Stallman said that he would not relaunch RAMP but would continue his primary business of buying network access.

