NEWS Your Computer Leads a Double Life: How Home IP Addresses Become a Hacker's Tool

pinkman

Attackers are moving en masse from data centers to home networks.


Residential proxy network owners use IP addresses assigned by internet service providers to their subscribers and resell access to them. To security systems, this traffic appears as activity from home devices and is less suspicious than requests from data center IP addresses. This technology is used for both legitimate purposes, such as advertising testing, and criminal scenarios, including malware distribution, phishing, spam campaigns, and DDoS attacks.

According to Positive Technologies, pilot implementations of the PT Network Attack Discovery (PT NAD) behavioral network traffic analysis system in 2024–2025 found evidence of residential proxy activity at 46% of the companies studied. Malicious proxies were primarily detected on employees' personal devices. The most frequently detected malware in traffic was Infatica, which turns a computer into a proxy network node.

Foreign companies have also noted the rise of residential proxies in the cybercriminal toolkit. From August to October 2025, the proxy network monitoring service Spur discovered 250 million new IP addresses, indicating a sharp increase in the number of available proxy servers across most major providers. According to the hCaptcha platform, 30 to 90% of residential proxy requests are hacker attacks. According to an eighteen-month study by Nokia, approximately 100 million devices act as hidden nodes in proxy networks.

Attackers use residential proxies not only for attacks and mass mailings, but also to bypass anti-fraud systems and geoblocks. Proxy agents often infiltrate users' devices along with freeware and then surreptitiously launch a background service that redirects third-party traffic. As a result, the owner of the infected device can participate in spam mailings and other activities without realizing it, increasing the device's load and reducing internet speed. Additionally, the ISP may file claims against the IP address owner for suspicious activity. As Kirill Shipulin, Head of PT NAD Product Expertise at Positive Technologies, notes, companies that own residential proxy networks try to appear legitimate and claim that users voluntarily agree to install their software, but this is often not the case.

Since residential proxies bypass perimeter defenses, monitoring and analyzing traffic within the network becomes a key measure for ensuring cybersecurity. NTA/NDR products detect anomalous activity typical of proxy agents, even if it is disguised as legitimate user actions. As basic security measures, Positive Technologies also recommends antivirus software, endpoint protection systems that prevent mass and sophisticated targeted attacks, and sandboxes that analyze suspicious files and prevent malware penetration.
 