Cybercriminals in Disguise: How Proxies Hide Malicious Traffic Right Under Our Noses
Cybercriminals have long been adept at cloaking their activity, but now they are employing a method so subtle it is almost indistinguishable from everyday internet browsing. Increasingly, attackers are turning to residential proxy services, which route their traffic through the internet connections of ordinary home users, so that malicious requests arrive from the same consumer IP ranges as legitimate browsing and blend seamlessly into the stream of normal online activity.
A Shifting Landscape
For years, shady "bulletproof" hosting companies have been cybercriminals' preferred tool. These services provided infrastructure explicitly designed to evade law enforcement, typically by refusing to ask questions about their clients' activities, ignoring abuse complaints, and keeping customer identities strictly anonymous. However, as global authorities have intensified their efforts, seizing bulletproof hosts' servers, tracing payments, and arresting operators, cybercriminals have begun to migrate to a different strategy entirely.
At the recent Sleuthcon cybersecurity conference in Arlington, Virginia, researcher Thibault Seret from Team Cymru outlined a disturbing trend. Criminal actors and their hosting providers are moving away from dedicated hosting services and adopting proxy networks—particularly residential proxies—as their new camouflage of choice.
Residential Proxies: The Perfect Disguise
Residential proxies leverage everyday devices, such as old Android smartphones or low-end laptops, distributed across countless homes and offices worldwide and running proxy software (sometimes bundled into apps the owner installed, sometimes planted by malware). Each device relays requests using the residential IP address its ISP assigned it, and the proxy service rotates customers' requests across this pool, so successive requests from one attacker emerge from different consumer addresses that are indistinguishable from legitimate user traffic. This makes detection extremely challenging.
“The magic of proxy services is precisely that they make it impossible to distinguish malicious traffic from genuine activity,” Seret explained. “It’s great for internet freedom, but from a cybersecurity standpoint, it creates a nightmare scenario.”
This stealthy approach works because malicious web requests appear to originate from typical consumer IP addresses with clean reputations. Security controls that lean on IP reputation, for example blocking known datacenter, VPN or Tor ranges, see nothing unusual: the address belongs to a consumer ISP and has no history of abuse. Criminal activity is thereby masked behind seemingly innocuous traffic, and it becomes substantially more difficult for security systems built to detect suspicious patterns to tell threats apart from normal user behavior.
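The gap described above is between reputation checks, which key on where an address sits, and behavioral checks, which key on how a session moves. The following added example (constructed sample data, not code from the article or from Team Cymru) runs both over a small set of web login records. IPs are RFC 5737 documentation addresses, the ASN column is illustrative and would normally be filled in by an IP-to-ASN enrichment step at ingest, and the hosting-ASN blocklist is an assumption for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, account, source IP, origin ASN).
# IPs are from RFC 5737 documentation ranges; ASNs are illustrative stand-ins
# for consumer ISPs (7922, 701, 3320, 20115, 20057) and a cloud host (16509).
T0 = datetime(2025, 6, 1, 12, 0, 0)
SAMPLE_LOG = [
    # alice: six requests in nine minutes from six residential IPs in four ISP networks
    (T0 + timedelta(minutes=0), "alice", "192.0.2.10",     7922),
    (T0 + timedelta(minutes=1), "alice", "198.51.100.23",  701),
    (T0 + timedelta(minutes=3), "alice", "203.0.113.77",   3320),
    (T0 + timedelta(minutes=5), "alice", "192.0.2.200",    20115),
    (T0 + timedelta(minutes=7), "alice", "198.51.100.140", 7922),
    (T0 + timedelta(minutes=9), "alice", "203.0.113.9",    701),
    # bob: ordinary user, one IP, one ISP
    (T0 + timedelta(minutes=0), "bob", "192.0.2.55", 7922),
    (T0 + timedelta(minutes=2), "bob", "192.0.2.55", 7922),
    (T0 + timedelta(minutes=6), "bob", "192.0.2.55", 7922),
    # carol: mobile user whose carrier NAT changed her address once
    (T0 + timedelta(minutes=0), "carol", "203.0.113.40", 20057),
    (T0 + timedelta(minutes=4), "carol", "203.0.113.41", 20057),
    (T0 + timedelta(minutes=8), "carol", "203.0.113.41", 20057),
    # dave: one request from a cloud hosting network
    (T0 + timedelta(minutes=1), "dave", "198.51.100.250", 16509),
]

# Assumed blocklist of hosting/VPN ASNs: the kind of reputation check that
# catches traffic from bulletproof hosts but never fires on residential exits.
HOSTING_ASNS = {16509, 14618, 9009}


def reputation_hits(records, hosting_asns=HOSTING_ASNS):
    """Accounts with at least one request from a listed hosting/VPN ASN."""
    return {acct for _, acct, _, asn in records if asn in hosting_asns}


def ip_churn_alerts(records, window=timedelta(minutes=10), min_ips=4, min_asns=3):
    """Accounts whose requests inside some `window` span at least `min_ips`
    distinct source IPs across at least `min_asns` origin ASNs.

    Residential proxy pools rotate exits per request, so one session hops
    between unrelated consumer ISPs far faster than a real user ever moves.
    Requiring several ASNs keeps carrier-grade NAT and mobile hand-offs
    (one ISP, a couple of addresses) from tripping the rule.
    Returns {account: (distinct_ips, distinct_asns)} for the worst window seen.
    """
    by_account = defaultdict(list)
    for ts, acct, ip, asn in records:
        by_account[acct].append((ts, ip, asn))

    alerts = {}
    for acct, events in by_account.items():
        events.sort()
        worst = None
        for i, (start, _, _) in enumerate(events):
            ips, asns = set(), set()
            for ts, ip, asn in events[i:]:
                if ts - start > window:
                    break
                ips.add(ip)
                asns.add(asn)
            if len(ips) >= min_ips and len(asns) >= min_asns:
                score = (len(ips), len(asns))
                if worst is None or score > worst:
                    worst = score
        if worst:
            alerts[acct] = worst
    return alerts


if __name__ == "__main__":
    print("reputation hits:", reputation_hits(SAMPLE_LOG))  # only the cloud-hosted request
    print("IP-churn alerts:", ip_churn_alerts(SAMPLE_LOG))  # only alice, the proxied session
```

The reputation check flags dave and nothing else; every one of alice's addresses is a clean consumer IP, which is exactly the blind spot the article describes. The churn rule catches alice because six exits across four ISP networks in nine minutes is not something a person on a home connection does, while carol's single carrier-NAT address change stays below the ASN threshold. Thresholds should be tuned against a baseline of your own traffic, since the right `min_ips` and `window` depend on how chatty the endpoint is.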
A Complex Challenge for Law Enforcement
As cybercriminals increasingly blend their traffic into residential proxies, it becomes far harder for law enforcement agencies to dismantle malicious infrastructure. There is no single server to seize: the exit points are thousands of consumer devices whose owners are usually unaware of their role, the proxy operators often keep little or no logging, and the decentralized architecture spreads the evidence across many networks and jurisdictions, further complicating investigations.
Ronnie Tokazowski, co-founder of Intelligence for Good, underscored how problematic residential proxies are for cybersecurity efforts: “Attackers have significantly increased their use of residential networks in recent years. When cyberattacks seem to originate from the same residential IP ranges used by legitimate employees or everyday internet users, distinguishing between friend and foe becomes exceptionally challenging.”
From Avalanche to Now: A Growing Threat
Proxy use among cybercriminals is not entirely new. The infamous "Avalanche" malware platform, dismantled in 2016, relied on a method called "fast-flux": the DNS records for its domains were rotated rapidly through a pool of compromised machines that proxied traffic to the real backend, so that blocking any one IP address achieved little. What is different today is the widespread commercial availability of residential proxy networks. Attackers no longer need to build their own elaborate proxy setups; they simply rent from grey-market providers, who themselves carry legitimate customers' traffic alongside the malicious activity, complicating any potential crackdown.
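Fast-flux of the kind Avalanche used leaves a signature at the DNS layer that the rented residential proxies discussed above do not: a name whose answers keep changing, with very short TTLs, and whose addresses are scattered across many unrelated consumer networks. The following added example (constructed DNS observations, not data from the Avalanche investigation or the article) scores three names on those features. IPs are RFC 5737 documentation addresses and the ASN attached to each answer is an illustrative value that an IP-to-ASN enrichment step would supply; the thresholds are assumptions to be tuned on real traffic.

```python
# Constructed lookups: (ttl_seconds, [(A record, origin ASN), ...]) returned on
# successive queries for one name. The ASN column is illustrative enrichment.

# A flux domain: short TTL, a fresh set of addresses on every query, and the
# addresses belong to several different consumer ISPs (compromised hosts).
FLUX_LOOKUPS = [
    (300, [("192.0.2.14", 7922), ("198.51.100.7", 701), ("203.0.113.88", 3320)]),
    (300, [("192.0.2.201", 20115), ("198.51.100.150", 7922), ("203.0.113.3", 3209)]),
    (300, [("192.0.2.99", 701), ("198.51.100.42", 3320), ("203.0.113.172", 7922)]),
    (300, [("192.0.2.37", 20115), ("198.51.100.230", 3209), ("203.0.113.61", 701)]),
]

# A CDN-fronted site: short TTL and rotating answers as well, the classic
# false positive, but every address sits in one hosting network.
CDN_LOOKUPS = [
    (60, [("198.51.100.10", 16509), ("198.51.100.11", 16509)]),
    (60, [("198.51.100.12", 16509), ("198.51.100.13", 16509)]),
    (60, [("198.51.100.10", 16509), ("198.51.100.14", 16509)]),
    (60, [("198.51.100.11", 16509), ("198.51.100.15", 16509)]),
]

# A plain static site: long TTL, one address.
STATIC_LOOKUPS = [(3600, [("203.0.113.200", 16509)])] * 4


def flux_features(lookups):
    """Summarise a series of lookups for one name."""
    ips, asns, ttls = set(), set(), []
    for ttl, answers in lookups:
        ttls.append(ttl)
        for ip, asn in answers:
            ips.add(ip)
            asns.add(asn)
    return {
        "lookups": len(lookups),
        "distinct_ips": len(ips),
        "distinct_asns": len(asns),
        "max_ttl": max(ttls),
    }


def is_fast_flux(lookups, max_ttl=600, min_ips=6, min_asns=3):
    """Flag a name whose answers are short-lived, numerous, and spread across
    several origin networks. The ASN test is what separates a flux pool of
    compromised consumer hosts from a CDN rotating addresses inside its own AS.
    """
    f = flux_features(lookups)
    return (
        f["max_ttl"] <= max_ttl
        and f["distinct_ips"] >= min_ips
        and f["distinct_asns"] >= min_asns
    )


if __name__ == "__main__":
    for name, lookups in (("flux", FLUX_LOOKUPS), ("cdn", CDN_LOOKUPS), ("static", STATIC_LOOKUPS)):
        print(name, flux_features(lookups), "fast-flux" if is_fast_flux(lookups) else "ok")
```

The CDN name passes the TTL and address-count tests but fails the ASN-diversity test, which is why a pure "many IPs, low TTL" rule produces noisy alerts. This DNS-level view is also a useful reminder of why the commercial residential proxies in the article are harder to deal with: the rotation happens on the attacker's outbound requests rather than in the DNS records of a domain you can watch, so the defender only ever sees individual clean-looking consumer addresses.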
An Uncertain Future
Addressing this emerging issue is daunting. Law enforcement has previously been able to target bulletproof hosting providers as discrete, clearly criminal businesses, but residential proxies represent a far more intricate challenge because the same services and the same exit devices are used widely by legitimate users and businesses alike.
“I don’t yet see a clear path to solving this problem,” Seret admitted. “Law enforcement could perhaps pursue the most malicious proxy providers aggressively, similar to what was done with bulletproof hosts. But proxies are now essential internet infrastructure, so even dismantling one malicious operation doesn’t solve the underlying issue.”
In the end, the rise of residential proxies presents cybersecurity professionals, organizations, and law enforcement with a troubling new reality: malicious activity could be hiding right under our noses, disguised as ordinary digital life. The solution to this challenge remains elusive, underscoring the constant arms race between attackers and defenders in the ever-evolving cyber landscape.