Hijacked Home Devices Are Giving Nation-State Hackers Cover Inside the US

Millions of everyday internet-connected devices are being quietly absorbed into residential proxy networks, allowing cybercriminals and state-backed hackers to disguise malicious activity as ordinary household internet traffic.

The scale of the threat began to emerge after Microsoft investigated a breach attributed to Midnight Blizzard, a Russian intelligence-linked hacking group. The attackers had accessed corporate email accounts belonging to members of Microsoft’s senior leadership and employees working in cybersecurity, legal and other functions.

Microsoft traced part of the suspicious activity to six internet addresses belonging to Comcast customers. When Comcast investigators examined those connections, they found that the addresses were associated with a residential proxy network operated by Chinese provider IPIDEA.

The inquiry eventually led researchers to a far larger collection of roughly 750,000 residential and business internet addresses. The devices behind those connections were effectively allowing outside users to send traffic through homes and small organisations, making distant attackers appear to be ordinary American internet users.

How residential proxies hide attackers

A residential proxy routes someone’s internet activity through a legitimate consumer or small business connection.

To a bank, cloud provider or government system, the activity may appear to originate from a quiet suburban home rather than a hacking operation in another country. This can help attackers avoid security systems designed to flag connections from suspicious regions, data centres or known criminal infrastructure.

Some residential proxy services have legitimate uses, including privacy protection and market research. The danger arises when devices are added without meaningful consent, or when proxy access is sold to criminals and intelligence services.

Because the traffic comes from real consumer addresses, blocking it is difficult. A security system cannot simply reject every residential connection without also locking out legitimate customers. Attackers can also move rapidly between large numbers of addresses, reducing the value of traditional blocklists.

In the Microsoft breach, Midnight Blizzard used a wide pool of residential addresses as part of its effort to conceal the source of its activity. Microsoft has warned that the rapid turnover of these addresses makes conventional detection based on known indicators far less effective.

Malware may arrive before the device reaches the home

Researchers have identified several ways household electronics become part of proxy networks.

Some low-cost streaming devices, digital projectors, picture frames and other Android-based products have been found with malicious software installed before they were sold. In other cases, the backdoor arrives when the owner is instructed to download an app from an unofficial marketplace during setup.

Malicious components can also be hidden inside mobile apps, free virtual private network services, browser extensions and pirated copies of games or other software. Some applications technically disclose that they will share the user’s internet connection, but bury the information in dense terms and conditions that few people read.

Other schemes promise users small payments in exchange for unused bandwidth. Participants may not realise their connection could later be rented to strangers conducting fraud, account takeovers or cyberattacks.

The devices involved are often inexpensive, unfamiliar brands with limited security support. Some receive few, if any, software updates. Others run old versions of Android or rely on manufacturers that disappear shortly after releasing a product.

Routers that have reached the end of their supported lives are another major source of compromised connections. Attackers can exploit known but unpatched vulnerabilities, install malware and sell access to the device as part of a proxy service.

From household gadget to espionage infrastructure

The infected device does not necessarily display obvious symptoms. A streaming box may continue playing films, or a picture frame may continue showing photographs, while quietly relaying someone else’s traffic in the background.

That hidden connection can be used for password attacks, phishing operations, malware communications, data theft, fraudulent purchases and the creation of fake accounts. Criminals can even obtain an address close to a victim’s location before attempting to access a stolen banking account, making the login appear less suspicious.

For nation-state operators, the networks provide valuable digital camouflage. A hacker working overseas can approach an American target through a US household connection, complicating attribution and making the activity resemble normal domestic traffic.

Russia-linked actors have used residential proxies to obscure espionage operations, while international cybersecurity agencies have also warned that China-linked groups increasingly depend on covert networks built from compromised routers and smart devices.

The result is a major shift in the cybersecurity landscape. The infrastructure behind a sophisticated government intrusion may no longer consist entirely of servers deliberately purchased by the attacker. Part of it may be sitting beneath someone’s television, connected to a family router and operating without the owner’s knowledge.

Disrupting one company may not remove the threat

Google took legal and technical action against IPIDEA in January 2026, disrupting the company’s online operations and introducing Google Play Protect warnings designed to identify apps containing its code.

The technology company said the network had been selling access to millions of hijacked consumer devices, allowing customers to route activity through home internet connections and hide its origin.

However, removing a proxy service’s storefront does not necessarily eliminate the compromised devices supplying it.

Comcast researchers describe a layered market in which groups of infected devices are controlled separately from the companies selling access to them. Those device networks can remain active when one reseller is shut down, later moving to another operator or commercial brand.

Some compromised groups contain tens or hundreds of thousands of endpoints. Multiple proxy sellers may offer access to the same underlying collection of devices, creating a resilient market that can survive individual enforcement actions.

This separation between infected equipment and public-facing proxy companies presents a continuing challenge for technology businesses and law enforcement. Taking down a website may interrupt sales, but it does not always remove the malware already operating inside homes.

Consumers may never know their connection was used

People whose devices are drawn into these networks are not necessarily the intended target of the hackers using them. Their internet connection is the valuable asset.

Even so, being drawn into such a network can have serious consequences. A household address may become associated with fraud or intrusion attempts, leading to blocked accounts, additional security checks or scrutiny from an internet provider. A compromised device can also introduce broader risks to other systems sharing the same home network.

The FBI recommends avoiding generic streaming boxes promising free access to premium television, films or sport. It also advises consumers to use trusted application stores, avoid pirated software and suspicious free VPN services, install firmware updates and replace unsupported routers or smart devices.

Devices that require Google Play Protect to be disabled, rely on unknown app stores or arrive without recognised security certification should be treated cautiously. Factory resets may not remove malware that was built into a device’s system software before purchase.

The investigation that began with six internet addresses has exposed an international industry capable of turning ordinary homes into anonymous gateways for hostile activity.

As residential proxy networks grow, the boundary between consumer technology and national cybersecurity infrastructure is becoming increasingly difficult to see. A cheap device in an American living room may look harmless, but in the wrong supply chain, it can become part of an attack launched from the other side of the world.

Your home devices could be used to hide cyberattacks without you ever realising it. The Hack Academy’s online training programme shows you how hackers exploit routers, apps and smart devices, and gives you practical skills to recognise warning signs, reduce your exposure and protect your network.

Do not let your household become someone else’s attack infrastructure. Build stronger cybersecurity habits with The Hack Academy today.

Photo Credit: DepositPhotos.com