Press Release

New Report from GreyNoise Intelligence Points to a Significant Number of Compromised Residential IP Addresses

Attackers are routing malicious traffic through ordinary home broadband, mobile data and small-business devices

Washington, DC – April 2, 2026 – GreyNoise Intelligence, the cybersecurity company providing real-time intelligence about network-based attacks, today released a new report entitled “The Invisible Army: Residential Proxy Abuse in Internet-Scale Attack Traffic,” based on 4 billion malicious sessions observed targeting edge devices over 90 days. The data reveals a disturbing pattern of attackers using compromised home internet connections as a disguise to route malicious traffic.

“Much of the security industry built defenses around the idea that you can determine intent from an IP address,” said Ash Devata, CEO, GreyNoise Intelligence. “This research proves that assumption is now broken at scale. Nearly 4 in 10 IPs hitting our sensors are residential IPs, indicating the scale with which home internet gear has been compromised. Attackers have weaponized the infrastructure we trust most, and every organization that relies on IP reputation as a primary defensive layer is exposed right now.”

In January 2026, Google Threat Intelligence Group disrupted IPIDEA, one of the world’s largest residential proxy networks, with 9 to 11 million daily active proxies used by over 550 distinct threat groups, including state-sponsored actors from China, DPRK, Iran, and Russia. In May 2024, the US Department of Justice dismantled 911 S5, consisting of 19 million IPs across 190 countries. Mandiant’s M-Trends 2025 also documented state threat actors routing operations through residential infrastructure.

For this research, GreyNoise leveraged its Global Observation Grid (GOG), with coverage across 80+ countries, to observe unsolicited internet traffic for 90 days, between November 29, 2025 and February 27, 2026. The dataset encompasses 4,020,000,000 sessions from 5,720,000 unique source IPs targeting internet-facing infrastructure, excluding known benign scanners and spoofable traffic. GreyNoise’s network observes scanning and probing attempts that also reach internet-facing infrastructure. The company observes techniques and scale; it cannot confirm compromise of production systems.

Key findings from the report include:

  • 39% of unique IPs targeting the edge come from home internet connections. That is nearly double their 22% share of sessions — each residential IP averages fewer than three sessions before disappearing, and the median is just one.
  • 78% are invisible to reputation feeds. Nearly four out of five residential IPs are observed at most twice across the entire global sensor network before rotating. They vanish before any reputation system can flag them.
  • Compromised home PCs follow the human sleep cycle. Traffic from IPs geolocating to India drops 34% at night, when the infected machines are physically powered off. Server traffic varies less than 3%.
  • Residential IPs are used for scanning, rather than exploitation. Only 0.1% of residential sessions carry exploitation payloads, versus 1.0% from hosting infrastructure. Residential proxy networks map the terrain; the exploitation payloads come later from datacenter infrastructure, suggesting a division of labor where residential nodes perform reconnaissance and hosting-based operators act on the results.
  • Four separate threats (worm propagation, IoT botnets, commercial proxy fleets, and VPN reconnaissance) hide behind one label. At minimum, two of these, worm propagation and IoT botnets, show zero IP overlap, confirming they are completely separate populations.
  • When one proxy network dies, another takes its place. After IPIDEA lost 40% of its nodes, operators backfilled with datacenter servers within weeks. According to IPinfo research, 46% of proxy IPs span multiple providers simultaneously.

“Residential proxies are nightmare fuel for defenders,” said Andrew Morris, Founder and Chief Architect at GreyNoise. “They flip every IP and geolocation-based defense on its head. AI content scrapers have massively driven up demand for these networks, and the businesses behind them are not thinking about security or abuse — the incentives are misaligned in a perfect storm. Nation-states are tunneling attack and C2 traffic through regular people's phones during active conflict, and this is only going to get worse.”

Security teams need to shift their focus from IP reputation and develop a deeper understanding of the behavioral patterns around internet traffic. This report outlines the full scale of this problem and provides actionable recommendations for better defense against residential proxy abuse.

To download the full GreyNoise Intelligence report "The Invisible Army: Residential Proxy Abuse in Internet-Scale Attack Traffic," please visit: https://www.greynoise.io/resources/invisible-army-residential-proxy-abuse-report.

About GreyNoise Intelligence

GreyNoise empowers the security teams of enterprises and global governments to act with speed and confidence by providing fresh, verifiable threat intelligence about systems at the network edge. This allows security teams to reduce noise in security operations, perform in-depth investigations and threat hunts, and focus on the most critical threats to their networks. Our Global Observation Grid enables us to observe and analyze threat actor campaigns at global scale and share this intelligence with customers in real-time. For more information, please visit https://www.greynoise.io/, and follow us on Twitter, Mastodon and LinkedIn.
