= Ipidea =

Ipidea is a Chinese company known for having operated a large residential proxy network. Google researchers discovered that Ipidea controlled millions of residential Internet connections through consumer devices, including PCs and smartphones, for use as proxies by other businesses and consumers.

Ipidea maintained control over these residential connections through its own VPN services, as well as through third-party apps that embed its monetisation tools. Google said its actions severed the control that Ipidea had over millions of customer devices, calling it "one of the largest residential proxy networks in the world" as of early 2026.

In January 2026, Google obtained a court order to remove dozens of Ipidea-owned domains from the internet.

== VPN brands ==
Ipidea offered VPN services to consumers with "no clear disclosure" that these turned devices into proxy nodes.

These brands included:
- DoorVPN, Galleon VPN, Radish VPN, and Aman VPN (discovered by Google researchers),
- 922 Proxy, 360 Proxy, and Luna Proxy (reported by Help Net Security).

== SDK infrastructure ==
Beyond its consumer VPN products, Ipidea provided software development kits (SDKs) that were marketed as monetisation tools for third-party app developers. These SDKs supported apps for the Android, Windows, iOS, and LG WebOS platforms.

Developers who embedded these SDKs into their applications were usually paid by Ipidea on a per-download basis. When end users installed those apps, their device was silently enrolled as an exit node for Ipidea's proxy business, typically without the user's knowledge or consent. The SDKs were branded as Castar SDK, Earn SDK, Hex SDK, and Packet SDK.

Google's Threat Intelligence Group (GTIG) identified more than 600 Android applications and 3,075 unique Windows binaries that had communicated with Ipidea's control infrastructure. Some of the Windows binaries masqueraded as trusted system tools, including OneDrive Sync and Windows Update, to evade detection. In some cases, cheap Android TV set-top boxes came with Ipidea's proxy software pre-installed, indicating a potential supply chain compromise.

== Technical architecture ==
Ipidea's proxy network used a two-tier command-and-control (C2) architecture. Infected devices first contacted a Tier One server to receive configuration data and a list of Tier Two nodes. They then connected to a Tier Two server, which assigned proxying tasks and relayed traffic. GTIG identified approximately 7,400 Tier Two servers globally, confirming that despite operating across many distinct brands and domains, the network was centrally managed by a single set of operators.

== Botnet links ==
Ipidea's SDKs played a key role in adding devices to several botnets. In July 2025, Google filed a lawsuit against 25 unnamed individuals or entities in China over the BadBox 2.0 botnet, a network of more than 10 million uncertified Android devices, after identifying links to Ipidea's infrastructure. The Aisuru botnet, whose operators initially used the network primarily for distributed denial-of-service (DDoS) attacks, also leveraged Ipidea's proxy pool.

The Kimwolf botnet separately exploited a vulnerability in Ipidea's infrastructure to tunnel back through the proxy network and compromise local-network devices. Security researcher Brundage of Synthient confirmed on 1 December 2025 that Kimwolf operators were using Ipidea exit nodes to reach Internet of Things (IoT) devices sitting behind home firewalls. By 30 December 2025, Synthient was tracking roughly 2 million Ipidea addresses exploited by Kimwolf in the previous week.

The Register noted that Ipidea not only facilitated cybercriminals seeking anonymity but, in several cases, also enrolled the same devices it recruited into these botnets.

== Abuse by threat actors ==
In a single seven-day period in January 2026, GTIG observed more than 550 individual threat groups using Ipidea exit nodes to obfuscate their activities. These groups included state-sponsored operations linked to China, North Korea, Iran, and Russia. Observed activities included password spray attacks, access to victim software-as-a-service environments, and intrusions into on-premises infrastructure.

== Ipidea's response ==
Ipidea denied Google's allegations of malicious intent. In a statement, the company said it had not been contacted by GTIG before the publication of its report, and that any open network can be maliciously abused by third parties. Ipidea said it operates a know-your-customer (KYC) system with name, ID, and facial recognition verification via Alipay and WeChat's biometric databases, and that it blacklists over 3.4 million high-risk domain names in categories including finance, government, military, and education.

The company also denied being the operator, controller, or technology provider of the BadBox 2.0 botnet, and said it acted quickly to close Kimwolf's access to its proxy pool after receiving a vulnerability report from Synthient in late December 2025. Ipidea stated that the vulnerability had been confined to a legacy testing module that had not inherited the network's internal access restrictions.

== Industry reaction and ethical debate ==
The takedown prompted debate about consent standards and ethics across the residential proxy industry. Google's own GTIG blog directly challenged the sector's self-regulatory claims, writing that while many residential proxy providers state they source IP addresses ethically, its investigation found those claims to be often incorrect or overstated, with many of the applications it analysed failing to disclose that they enrolled devices into the Ipidea network.

Proxyway, an independent proxy industry review publication, reported that Ipidea and its related brands had a significant impact on the broader proxy market between 2022 and 2024, with a wave of over 20 Hong Kong-based entrants undercutting competitors on price and popularising unlimited bandwidth plans for a fixed fee.

Proxyway also published a longer list of Ipidea-linked brands than the one in Google's own report. The brands named, non-exhaustively, included 360Proxy, 922Proxy, ABC Proxy, Cherry Proxy, IP2World, IPidea.io, LunaProxy, PIA S5 Proxy, PyProxy, and TabProxy.

Decodo, a Lithuanian proxy provider, published research arguing that ethical sourcing requires users to receive clear and prominent disclosure before installation, to understand exactly how their bandwidth will be used, and to give informed consent. The company contrasted this with Ipidea's practice of embedding proxy SDKs into games, utilities, and VPN services without disclosure. Decodo also highlighted the regulatory risk for businesses using unethically sourced proxies: data protection frameworks such as the GDPR and the California Consumer Privacy Act impose requirements not only on a company's direct data practices but also on those of its third-party service providers, so companies relying on non-consensual proxy networks could face compliance exposure even where their own intent was legitimate.

== Consumer risk ==
When a device is enrolled as a proxy exit node, third-party traffic passes through it, exposing the device owner to potential reputational harm and ISP blacklisting. GTIG also found that Ipidea's proxy applications not only routed traffic outward through enrolled devices but also received inbound traffic directed at those devices, creating pathways for attackers to move laterally into other devices on the same home network.
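The behaviour described in the architecture section and here (a device that first fetches configuration from a control server, then relays outbound connections to many unrelated hosts, accepts inbound connections from external sources, and may then reach into other devices on the same home network) can be turned into a simple per-host heuristic over router flow records. The following Python script is an added illustration and is not code from the article, from Google, or from any of the parties it describes; the flow records are constructed, the record layout (timestamp, source, destination, destination port) is an assumption about what a home router or NetFlow exporter could provide, and the thresholds are placeholders to tune per network.

```python
"""Heuristic flagging of LAN hosts that behave like residential proxy exit nodes.

Added illustration, not code from the article or from any party it describes.
The flow records are constructed, and the record layout (ts, src, dst, dport)
is an assumption about what a home router or NetFlow exporter could provide.
The three signals mirror what the article attributes to enrolled devices:
relaying outbound traffic to many unrelated hosts, accepting inbound
connections from external sources, and then reaching other devices on the LAN.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, checked explicitly rather than via is_private, which in
# Python also returns True for the documentation ranges used in the sample data.
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch (constructed)
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


def is_lan(addr: str) -> bool:
    """True if the address is inside one of the RFC 1918 ranges."""
    a = ip_address(addr)
    return any(a in net for net in LAN_NETS)


def summarise(flows):
    """Per LAN host: distinct external destinations it opened, distinct external
    sources that connected to it, and distinct LAN peers it connected to."""
    out_ext = defaultdict(set)
    in_ext = defaultdict(set)
    lan_peers = defaultdict(set)
    for f in flows:
        src_lan, dst_lan = is_lan(f.src), is_lan(f.dst)
        if src_lan and not dst_lan:
            out_ext[f.src].add(f.dst)
        elif dst_lan and not src_lan:
            in_ext[f.dst].add(f.src)
        elif src_lan and dst_lan and f.src != f.dst:
            lan_peers[f.src].add(f.dst)
    hosts = set(out_ext) | set(in_ext) | set(lan_peers)
    return {h: (len(out_ext[h]), len(in_ext[h]), len(lan_peers[h])) for h in hosts}


def flag_exit_nodes(flows, min_fanout=20, min_inbound=5, min_lateral=3):
    """Return {host: [reasons]} for hosts matching the exit-node pattern.
    The thresholds are assumed placeholders to tune per network."""
    flagged = {}
    for host, (fanout, inbound, lateral) in summarise(flows).items():
        reasons = []
        if fanout >= min_fanout and inbound >= min_inbound:
            reasons.append(f"relays: {fanout} external dsts, {inbound} external srcs")
        if inbound >= min_inbound and lateral >= min_lateral:
            reasons.append(f"inbound-then-lateral: {lateral} LAN peers")
        if reasons:
            flagged[host] = reasons
    return flagged


def constructed_flows():
    """Constructed sample: a laptop with ordinary browsing, and a set-top box
    that fetches configuration, then starts relaying and accepting traffic."""
    flows = [Flow(t, "192.168.1.10", f"203.0.113.{i}", 443) for t, i in enumerate(range(1, 6))]
    box = "192.168.1.50"
    flows.append(Flow(100, box, "203.0.113.200", 443))    # first-contact (configuration) server
    flows.append(Flow(101, box, "203.0.113.201", 8443))   # second-stage (task) server
    flows += [Flow(110 + i, box, f"198.51.100.{i}", 443) for i in range(1, 31)]           # relayed outbound
    flows += [Flow(150 + i, f"198.51.100.{100 + i}", box, 8443) for i in range(1, 9)]    # inbound from outside
    flows += [Flow(200 + i, box, f"192.168.1.{20 + i}", 23) for i in range(1, 5)]        # connections to LAN peers
    return flows


if __name__ == "__main__":
    for host, reasons in flag_exit_nodes(constructed_flows()).items():
        print(host, "->", "; ".join(reasons))
```

The laptop, with a handful of external destinations and no inbound connections, is left alone; the set-top box is flagged on both signals. On a real network the thresholds and the observation window matter more than the logic: a NAS or a peer-to-peer client will legitimately accept inbound connections, so the relay signal is the more useful one, and the lateral signal is best treated as a reason to inspect rather than a verdict.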
