The Wall Street Journal reported that the discovery began with a February 2024 phone call from Microsoft security executive Igor Tsyganskiy to his counterpart at Comcast, Noopur Davis. Microsoft was investigating a breach linked to Midnight Blizzard and needed information on six IP addresses. Comcast engineers traced those addresses to a massive network of about 750,000 IP addresses located in homes and businesses across the US, operated by the Chinese provider IPidea.
IPidea obtains access to home devices by pre-loading its software onto low-cost products such as video streaming boxes and digital picture frames before they are sold to consumers. The company then rents out access to customers who want to route their internet traffic through those home networks, effectively creating a global proxy service.
“This is a bigger problem because of the sheer numbers,” Davis, Comcast’s head of information security, told the Journal. She described it as one of the most worrying threats the telecommunications company has encountered.
The scale of the problem extends beyond one provider. The Digital Citizens Alliance, a digital advocacy group, estimates that there are 20 million such backdoors in the US alone, according to the Journal.
Government agencies from nine countries — including the US, UK, Germany, and Japan — issued a joint warning in April stating that Chinese state-sponsored hackers are using networks of hacked consumer devices to conduct their operations. The statement noted that this practice is “making it challenging to attribute malicious activity,” according to the Journal.
Brett Leatherman, assistant director of the FBI’s Cyber Division, said that if adversaries can obtain US-based IP addresses through these networks, “they have a leg up in being able to target government agencies, industry, and others.” He added that Chinese state-sponsored hackers used to compromise consumer devices directly, but have shifted to using residential proxy networks instead.
Comcast’s investigation deepened through 2024. By September, engineers discovered that users of these proxy networks could gain access to networks even behind firewalls and then jump from one device to another, according to Davis. An infected video-streaming device could be used to hack into a mobile phone, and if that phone connected to a corporate network, sensitive information could be exposed.
“It was such a step change from any threat we’d seen before,” Davis said.
In January 2025, Google obtained a US court order and dismantled IPidea’s infrastructure, but the network was back in operation within two weeks, likely by picking up devices from a new provider, Comcast said.
Midnight Blizzard, the Russian hacking group that broke into Microsoft in 2023, has been a heavy user of residential proxy networks. Over the past year, the group has used them to carry out a new type of identity-based attack that is extremely difficult to detect, according to Volexity, a cybersecurity investigation firm.
The hackers stole Microsoft 365 credentials from victims through bogus Microsoft Teams meetings, according to Volexity. Microsoft’s servers would flag login attempts from overseas, so the hackers used residential proxy networks to log in from US home networks instead.
“They’re no longer trying to phish your password,” said Steven Adair, Volexity’s president. “It’s hard to detect and it’s hard to stop.”
Volexity said it has observed this technique compromise organizations in government, military, foreign affairs, and news media.
Adam Meyers, a senior vice president at CrowdStrike, said modern hackers increasingly rely on these networks to steal login credentials for cloud services. “Identity is their bread and butter, and one of the infrastructure pieces that they’re dependent on is residential proxies,” he told the Journal.