Log In Get Started
Stock Markets January 28, 2026

Google Takes Down Domains Tied to Major Residential Proxy Network, Citing Millions of Affected Devices

GTIG-led operation seized command-and-control domains and activated Play Protect measures after linking dozens of apps and thousands of Windows files to IPIDEA

By Leila Farooq
Google Takes Down Domains Tied to Major Residential Proxy Network, Citing Millions of Affected Devices

Google said it has moved to disable domains tied to IPIDEA, one of the world's largest residential proxy operations, and deployed automatic protections for Android devices. The company said legal actions and technical defenses have significantly degraded the proxy network and its business operations, shrinking the pool of consumer devices available to operators by millions. Investigators linked the network to over 600 Android apps and 3,075 unique Windows files and identified at least 13 proxy brands that were taken offline.

Key Points

  • Google's Threat Intelligence Group coordinated legal domain seizures and platform protections through Google Play Protect to disrupt IPIDEA's residential proxy network.
  • IPIDEA operated at least 13 residential proxy brands; Google identified over 600 Android apps and 3,075 unique Windows files tied to the network's command-and-control infrastructure.
  • Google said its actions reduced the pool of devices available to the proxy operators by millions, reflecting a significant operational impact on the network and its business activities.

Google on Wednesday reported actions to disrupt domains linked to IPIDEA, a large residential proxy network, with the stated aim of protecting millions of consumer devices from misuse by cybercriminals and state-sponsored actors. Residential proxy services route internet traffic through compromised consumer IP addresses, enabling malicious traffic to blend with legitimate user activity and evade some security controls.

The effort was led by the Google Threat Intelligence Group (GTIG). According to Google, the operation combined legal measures to seize domains used to control compromised endpoints with automatic protections for Android devices implemented through Google Play Protect. The company said these steps have "caused significant degradation of IPIDEA's proxy network and business operations, reducing the available pool of devices for the proxy operators by millions."

Google reported that IPIDEA ran at least 13 residential proxy brands and that those brands were taken offline as part of the disruption. The investigation identified more than 600 Android applications associated with the network's command-and-control infrastructure and 3,075 unique Windows files tied to the same infrastructure, according to Google's account.

Residential proxy networks operate by routing traffic through consumer devices whose IP addresses have been hijacked. By sending malicious traffic through these devices, operators make it harder for defenders to distinguish harmful activity from legitimate user behavior. The Google disclosure emphasized both the scale of the operation they targeted and the technical steps taken to reduce the network's ability to recruit and control devices.

The company's combined approach of legal domain seizures and platform-level protections for Android users represents a dual legal-technical strategy aimed at interrupting command-and-control channels and preventing further device compromise. Google characterized the outcome as a meaningful reduction in the number of devices available to the proxy operators.

Details provided by Google included the count of connected software artifacts and the number of proxy brands taken offline, but the company did not provide a precise final tally of devices removed from the network. The disclosures highlight the continued use of both mobile applications and Windows-based files in sustaining residential proxy infrastructures.

Sectors mentioned or affected: cybersecurity, consumer devices, mobile operating systems, desktop operating systems, and internet infrastructure.

Risks

  • The company did not provide a precise final count of compromised devices, leaving uncertainty about how many endpoints remain under operator control - this affects cybersecurity and consumer device sectors.
  • The existence of hundreds of Android applications and thousands of Windows files connected to the network indicates a broad software-based infection vector that could continue to pose risks to mobile and desktop ecosystems until fully remediated.
  • Residential proxy operations historically use hijacked consumer IP addresses, so residual or resilient command-and-control channels could persist despite domain seizures, maintaining a degree of risk for internet infrastructure and online services.

More from Stock Markets

Tesla Debuts New All-Wheel Drive Model Y Trim in U.S.; Premium Option Also Launched Feb 2, 2026 Eastroc Beverage Shares Start Trading in Hong Kong at Offer Price After $1.3 Billion IPO Feb 2, 2026 SoftBank unit and Intel to jointly develop 'Z-Angle' memory technology Feb 2, 2026 M EVO GLOBAL ACQUISITION CORP II Raises $300 Million in IPO Aimed at Critical Minerals Deals Feb 2, 2026 NRW Holdings Shares Rise After Securing A$175m Rio Tinto Earthworks Contract Feb 2, 2026