From Sydney to suburban Perth, there is a reasonable chance that someone reading this article has, at some point, unknowingly lent their home internet connection to an artificial intelligence company harvesting data from the web. Not through hacking. Not through any dramatic breach. Simply by agreeing to a set of terms and conditions attached to a free app they downloaded months ago and have long since forgotten about.
That is the quiet reality sitting beneath a significant cybersecurity action announced on January 29, when Google's Threat Intelligence Group (GTIG) moved to dismantle IPIDEA, a Chinese company it described as one of the world's largest residential proxy networks. The action involved legal domain takedowns, removal of IPIDEA-linked apps from Android devices via Google Play Protect, and coordination with partners including Cloudflare and Lumen's Black Lotus Labs. Google says it reduced IPIDEA's available device pool by millions, though researchers stopped short of calling it a full shutdown.
A residential proxy works differently from a standard VPN. Rather than encrypting your own traffic, it turns your device into an exit node for someone else's entirely, making that traffic appear to originate from a genuine household rather than a corporate data centre. Proxy network operators build these pools by paying app developers to embed proxy software development kits into otherwise ordinary applications, or by offering users the chance to "monetise" their spare bandwidth. As iTnews reports, most users have little idea their device is involved at all.
"If you use such a 'free' service, you basically install proxy software on your device and become part of the proxy network," Maynard Koch, chair of distributed and networked systems at Germany's Technische Universität Dresden, told iTnews. Because users technically agreed to terms of service, providers can then market their proxies as "ethically sourced" — a designation that strains the ordinary meaning of the word.
AI turns up the heat on a long-standing problem
Residential proxy networks are not new, but the explosion of AI model development has injected fresh commercial energy into an already murky industry. As AI companies race to scrape freshly published web content for training data, site operators have responded by blocking known corporate and data centre IP ranges. That, in turn, has pushed some AI firms toward residential proxies, in the belief that household IP addresses escape automated detection. According to iTnews, US-based company Olostep markets a data crawling service explicitly aimed at AI companies, charging between US$9 and US$399 per month depending on volume, while also offering developers an SDK called Mellowtel to monetise users' bandwidth in exactly this fashion.
"Yes, AI definitely seems to be driving demand for residential proxies," Ben Brundage, founder of proxy tracking company Synthient, told iTnews. The growth in demand, however, has not been matched by a corresponding growth in legitimate supply. Brundage attributes the sector's falling costs partly to unethically sourced networks relying on botnets like IPIDEA.
That framing deserves some nuance. Not every company using residential proxies is engaged in something sinister. There is a legitimate commercial ecosystem of proxy providers that emphasise consent and compliance, and the legal status of scraping publicly accessible web data remains contested across jurisdictions. Legitimate operators argue that the problem lies with bad actors exploiting a useful technology, not with the technology itself. The challenge for regulators and consumers alike is that the line between the two is rarely visible from where an ordinary user sits.
Australian connections caught up in global pool
Before Google's action took IPIDEA's website offline, the company advertised nearly 900,000 proxy servers available in Australia and almost 150,000 in New Zealand, according to iTnews. Those figures appear heavily inflated. Independent tracking by Synthient found 50,902 unique IPIDEA IP addresses across Australia and New Zealand in the seven days prior to the disruption, still a substantial number for a relatively small combined market.
The picture becomes more troubling when you examine what those devices were being used for. GTIG found that in a single week in January 2026, more than 550 tracked threat groups used IPIDEA exit nodes to obscure their activities, including groups linked to China, North Korea, Iran and Russia. The network was connected to multiple botnets, including BadBox 2.0, Aisuru and Kimwolf. IPIDEA's own SDK did not merely route external traffic through enrolled devices; it also sent traffic back to them, creating pathways for attackers to reach other devices on the same home network. IPIDEA has denied being the operator or controller of the BadBox 2.0 botnet.
Takedowns offer less protection than they suggest
Perhaps the most sobering finding to emerge from the IPIDEA disruption comes from IP address intelligence firm IPInfo, which provided data to iTnews showing that brand-level enforcement does not actually remove underlying devices from circulation. Analysis of IPIDEA-affiliated providers found a 74 to 88 percent IP address overlap with at least 11 other residential proxy services. Across all residential proxy networks tracked, 46 percent of IP addresses appear simultaneously in multiple provider pools, with individual IPs observed across as many as 101 different provider pools at once.
That resilience was on display almost immediately after Google's January 29 announcement. Two linked providers, 922proxy and PyProxy, saw their active IP counts crater by more than 99 percent and their DNS configurations removed by February 4. Yet their backend servers remained operational: by connecting directly to server IP addresses rather than hostnames, the network resumed data collection within days, suggesting the operators were adapting rather than retreating. Technical analysis by IPInfo points to a common operator managing multiple brands, with five providers named by Google sharing the same network infrastructure on their backends.
"A takedown focused on a specific brand does not clear the IP addresses from the market," IPInfo co-chief executive Ben Dowling told iTnews. "Those same devices continue to be monetised by sister providers."
The bot detection arms race
For AI companies tempted to use residential proxies to evade scraping blocks, there is a practical problem beyond the ethical and legal ones. Cloudflare, which partnered with GTIG on the IPIDEA disruption and operates its own bot detection service, says the residential IP angle matters far less than proxy providers claim. Spokesperson Daniella Valrupalli told iTnews that Cloudflare can examine millions of behavioural characteristics of crawling activity to distinguish human from automated traffic, regardless of whether the source IP is residential or otherwise.
That leaves the question of who actually benefits from this ecosystem in its current form. Consumers carry the risk. Websites carry the cost of defending against scraping. Regulators face an adversary that fragments across dozens of branded fronts the moment one is disrupted. The commercial beneficiaries are the proxy operators themselves and, to a lesser extent, the AI companies and data brokers who buy access to their pools without always asking too many questions about where those pools came from.
Reasonable people can disagree about how tightly governments should regulate the data economy, and there are genuine tensions between open-internet principles and the right of websites to control access to their own content. What seems harder to dispute is that the current arrangement places ordinary consumers at the base of a risk pyramid they were never told they had joined. Greater transparency in app stores, stricter SDK disclosure requirements, and genuine industry-wide scrutiny of bandwidth-sharing schemes would be a sensible starting point — without needing to wait for the next enforcement action to remind everyone the problem exists.