GreyNoise observed 4 billion sessions targeting the edge over 90 days. The data challenges a core assumption of network defense: that you can tell attackers from legitimate users by where the traffic comes from.

What is a Residential Proxy

A residential proxy is a compromised home internet connection used as a disguise. Attackers route malicious traffic through ordinary home broadband, mobile data, and small-business connections, which sit on the same ISPs and in the same IP address ranges used by employees, customers, and partners. To a reputation feed, the source IP is indistinguishable from a legitimate user's connection.

What the Data Shows

39% of unique IPs targeting the edge come from home internet connections — nearly double their 22% share of sessions. Each residential IP averages fewer than 3 sessions before disappearing, and the median is just 1. They are everywhere, briefly.

78% of residential IPs are observed at most twice across the entire Global Observation Grid before rotating. By the time a reputation feed flags a residential IP, the malicious behavior has already rotated to a new address. The rotation rate makes feed-based detection structurally ineffective.
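To measure the same effect on your own edge logs, the added example below (not GreyNoise's code or data) computes sessions per source IP and the share of each IP's sessions that arrived after a blocklist would have listed it. The session records are constructed, the addresses come from documentation ranges, and the feed model (an IP is listed a fixed delay after its first session and never delisted) is an assumption.

```python
from collections import Counter
from statistics import median

# Constructed sample: (epoch_seconds, source_ip) pairs, not GreyNoise data.
# 198.51.100.x stand in for rotating residential exits,
# 203.0.113.10 for a long-lived hosting scanner.
SESSIONS = [
    (0, "198.51.100.1"),
    (60, "198.51.100.2"),
    (120, "198.51.100.3"), (180, "198.51.100.3"),
    (240, "198.51.100.4"),
    (0, "203.0.113.10"), (3600, "203.0.113.10"), (7200, "203.0.113.10"),
    (10800, "203.0.113.10"), (14400, "203.0.113.10"),
]

def per_ip_stats(sessions):
    """Return (median sessions per IP, share of IPs seen at most twice)."""
    counts = Counter(ip for _, ip in sessions)
    at_most_twice = sum(1 for c in counts.values() if c <= 2)
    return median(counts.values()), at_most_twice / len(counts)

def feed_coverage(sessions, listing_delay):
    """Per IP, the fraction of its sessions a blocklist would have stopped.

    Assumption: the feed lists an IP `listing_delay` seconds after its
    first observed session and never delists it.
    """
    first_seen = {}
    for ts, ip in sorted(sessions):
        first_seen.setdefault(ip, ts)  # keep the earliest timestamp per IP
    total, blocked = Counter(), Counter()
    for ts, ip in sessions:
        total[ip] += 1
        if ts >= first_seen[ip] + listing_delay:
            blocked[ip] += 1
    return {ip: blocked[ip] / total[ip] for ip in total}

if __name__ == "__main__":
    print(per_ip_stats(SESSIONS))
    for ip, share in sorted(feed_coverage(SESSIONS, 3600).items()):
        print(f"{ip}: {share:.0%} of sessions arrived after listing")
```

With a one-hour listing delay, the long-lived scanner loses most of its sessions to the blocklist while every short-lived address finishes before it is listed.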

0.1% of residential sessions carry exploitation payloads, versus 1.0% from hosting infrastructure. Residential proxies map the terrain; the exploitation payloads come later from hosting infrastructure.

Traffic from IPs geolocating to India drops 34% between daytime peak and overnight trough. The most likely explanation is that the infected machines are physically powered off. Server traffic varies less than 3%. The device owners are victims — these are home PCs infected with worms, not willingly enrolled proxy nodes.

SMB worm propagation runs 84% residential, with zero overlap between SMB and Telnet source IP populations — confirming completely separate device populations rather than general-purpose scanning infrastructure.

Why This Matters

The residential proxy problem is not theoretical. Google Threat Intelligence Group disrupted IPIDEA in January 2026 — a network with 9 to 11 million daily active proxies used by over 550 distinct threat groups. The DOJ dismantled 911 S5 (19 million IPs across 190 countries) and indicted operators of AnyProxy/5Socks (over 7,000 proxies, $46 million in revenue). Mandiant M-Trends 2025 documented state actors routing operations through residential infrastructure. Every major takedown produces the same result — temporary disruption, then regeneration.

What's Inside the Report

  • The landscape: residential vs. hosting traffic at internet scale
  • The rotation economy: why IP reputation is structurally broken against residential proxies
  • The sleep cycle: circadian patterns in compromised home PCs
  • The supply side: worm propagation and IoT botnets as separate ecosystems
  • Commercial proxy fleets: SDK-enrolled devices as exit nodes
  • VPN reconnaissance: residential IPs probing enterprise perimeters
  • When networks die: ecosystem resilience after takedowns
  • The detection gap: what GreyNoise sees, what it cannot, and what defenders can do

The report presents both the data and its limitations — including a Censys ground-truth validation and an explicit discussion of what GreyNoise can and cannot observe.

This article is a summary of the full, in-depth version on the GreyNoise Labs blog.