The playbook is not new, but the scale is. Chinese state-sponsored hackers, using the commercial proxy infrastructure the Chinese Communist Party permits to operate, have turned tens of millions of American consumer devices into an occupied communications infrastructure — a distributed covert‑operations platform that is, at this moment, running inside your living room. Comcast discovered the architecture by accident in February 2024, when Microsoft flagged six suspicious IP addresses to the company’s security chief. What the investigation found was not a conventional breach. The addresses belonged to a residential proxy network operated by a Chinese provider called IPidea, which had loaded backdoor software onto video‑streaming boxes and digital picture frames at the factory, to be activated the moment an unsuspecting customer plugged the device into their home network. Comcast would eventually trace roughly 750,000 compromised addresses in the United States and estimate the total inventory of backdoored devices in American homes at something like twenty million — a figure the company’s head of information security called one of the most worrying problems the telecom has ever encountered.

That is not a cybersecurity incident. It is an occupied infrastructure, and the only reason anyone knows about it is that a telecom company did the work your federal government will not do and that federal law makes it a felony for anyone else to attempt.

I want to be precise about what the architecture actually is, because the public discussion keeps treating “residential proxy network” as a technical curiosity rather than an infrastructure problem. A residential proxy network is not a collection of infected computers. It is an industrial system in which low‑cost consumer electronics — streaming boxes, picture frames, smart‑home sensors — are shipped into the United States with backdoor software pre-installed at the factory, then enrolled in a cloud‑controlled network that rents each device’s internet connection to the highest bidder, who is often an intelligence service in Moscow or Beijing. The owner never knows. The device functions normally. The backdoor is a purpose‑built feature, not a bug, and because it is written into the factory firmware, no virus scan will ever find it. No factory reset will ever remove it. Microsoft’s remote‑attestation mechanisms will never flag it, because the device is not a Windows endpoint and the backdoor is the firmware. This is the architecture that makes “residential proxy” a category error in the security literature: the network does not merely provide a U.S.‑based IP address to a foreign operator; it provides a U.S.‑based IP address that is physically located inside a U.S. residence, on a device that is physically connected to a U.S. home network, behind a router that has a legitimate Comcast or Charter or Verizon customer relationship. The IP address is not spoofed. The geolocation is real. When someone in Moscow logs into your employer’s Microsoft 365 account from your neighbor’s streaming box, the authentication system sees a domestic login and approves it. The security team sees a domestic login and closes the alert. The victim’s credentials are gone, and the exfiltration is invisible because it is entirely ordinary.

Operationally, this is as elegant as it is devastating. Every identity‑based security control the cybersecurity industry has built in the past decade — geolocation‑based access policies, impossible‑travel detection, IP‑reputation scoring, device‑trust attestation — is bypassed by design, because the traffic originates from a U.S. residential connection that every enforcement mechanism in the stack treats as legitimate. Bruce Schneier named this dynamic years ago: we are not owners of our devices but feudal tenants of them, trusting the sovereign — the manufacturer, or whoever loaded the firmware — to keep our interests in mind. IPidea’s architecture demonstrates that the feudal lord is not even the manufacturer. The device’s loyalty was assigned at the factory, before the box left the Shenzhen floor, to a proxy‑service provider whose business model is renting out your connection to the highest bidder.

The feudal problem has a legal engine, and the engine is Section 1201 of the Digital Millennium Copyright Act. Under that statute, circumventing a technological protection measure on a device’s firmware is a federal crime: five years imprisonment and half a million dollars in fines for a first offense. The Copyright Office has granted narrow triennial exemptions for security research, but the fundamental prohibition remains: it is illegal to examine the code that runs on hardware you own if the manufacturer — or the proxy provider that monopolized the factory image — wrapped that code in a digital lock. As Cory Doctorow has been arguing for more than a decade, the law makes inspecting your own devices a criminal act, and it turns what ought to be the most basic defense of your home network into a felony contempt of business model. Comcast found this only because Microsoft had flagged six specific IP addresses and the company had the institutional resources to investigate. An independent researcher performing the same examination could face felony charges under the same statute. The law makes the necessary inspection a crime, and the volume — twenty million devices — makes individual remediation impossible even if the law were fixed tomorrow.

What the intelligence services are doing with this architecture is no longer hypothetical. Midnight Blizzard, the Russian Foreign Intelligence Service hacking group, has moved past traditional credential phishing into a technique that uses residential proxy networks to log into victims’ Microsoft 365 accounts from U.S.‑based IP addresses while simultaneously conducting what appear to be legitimate Microsoft Teams meetings. The operator does not need to steal your password. The operator needs to log in from a U.S. home network while a bogus Teams call is in progress, and the authentication system treats the login as routine. Volexity, the cybersecurity investigation firm, described the vector with the kind of understatement that is, in this register, the most alarming thing a security researcher can say: “They’re no longer trying to phish your password. It’s hard to detect and it’s hard to stop.” The technique has compromised organizations in government, the military, foreign affairs, and the news media. A Russian state intelligence service is reading American journalists’ email from inside a Comcast customer’s living room, and the only thing standing between that operation and the confidentiality of every source relationship in the country is an infected streaming box and the fact that the journalist has not yet been targeted.

The Chinese state‑sponsored apparatus has moved in the same direction. In April, government agencies from nine countries — including the United States — warned that Chinese hackers were using networks of compromised consumer devices to conduct operations, and that the use of residential proxy networks was making “it challenging to attribute malicious activity.” The joint statement is the diplomatic equivalent of a fire alarm, but it is also, more usefully, an admission that the attribution problem is structural. The Chinese operator logs in from a U.S. IP address, on a device registered to a U.S. residence, behind a U.S. internet account. The forensic trail, when anyone bothers to follow it, terminates at a family who does not know their device is compromised and cannot be expected to fix it. The attribution is impossible because the architecture is designed to make it impossible. The FBI assistant director of the Cyber Division put it plainly: “If the actors can get U.S.‑based IP space, they have a leg up in being able to target government agencies, industry, and others.” That phrase “U.S.‑based IP space” should be translated. It means that if a Chinese or Russian operator can route traffic through an American residential internet connection, that operator can target the United States government’s own systems from inside the U.S. internet, and the government’s own authentication infrastructure will treat the login as domestic and legitimate. The adversary is not hacking from outside; the adversary is hacking from your neighbor’s living room, and the entire cybersecurity apparatus is designed to stop the outside attack and miss the inside one.

The federal response, to this point, has been a court order and a joint statement. Google, using a U.S. court order, dismantled IPidea’s infrastructure in January 2026. The network was back in operation within two weeks. It almost certainly replenished its device inventory from a new provider, because the backdoored devices are, at this stage, a commodity — the Shenzhen manufacturers supply the same firmware‑loaded hardware whether the label on the box says IPidea or something else. The court order is a single‑point disruption against a distributed infrastructure. The joint statement is a diplomatic document, not an enforcement action. As of this writing, no federal agency has proposed or implemented a requirement that consumer electronics shipped into the United States must be free of pre‑installed backdoor software. The Commerce Department has not issued a supply‑chain security rule for consumer internet‑of‑things devices. The FCC has not required that connected devices sold in the country be free of pre‑installed backdoors. The Consumer Product Safety Commission has never treated a backdoored streaming box as a consumer product hazard. The FBI’s own assistant director described the problem on the record to a national newspaper, and the government’s enforcement posture has remained exactly what it was when no one knew the problem existed: nonexistent.

The work of discovery has been left to the telecom company that got a phone call and the newspaper — Robert McMillan’s investigation in The Wall Street Journal — that broke the story. The public consultation is not a regulatory docket. It is a threat‑hunting operation run by a cable provider and a few pages of newsprint. The government has noticed. The government has acknowledged the problem in a joint advisory and an FBI briefing. The government has not opened a proceeding. The government has not imposed a requirement. The government has not changed the law that makes independent examination of these devices a crime. The devices are in your living room. The backdoor is pre‑installed at the factory. The operator who rents your connection is in Moscow or Beijing. The law that would let you even look inside your own hardware remains the same law that protects the backdoor. The work is not being done.