The Threat of Residential Proxies
Residential proxies—legitimate IP addresses hijacked from real users—are increasingly used by attackers to bypass security measures, making malicious traffic appear authentic. This growing threat undermines traditional IP-based defenses, as cybercriminals leverage these proxies for credential stuffing, account takeover, and fraud.
Background
Residential proxies are IP addresses assigned by internet service providers (ISPs) to real homes, making traffic from them appear to come from ordinary consumers rather than data centers or VPN nodes. Attackers obtain such IPs by infecting home routers (often through weak passwords or known vulnerabilities) or by recruiting users through "free VPN" apps that secretly route traffic through their devices. These compromised IPs are then sold via proxy services, giving attackers clean-looking addresses that bypass geo-restrictions, evade fraud detection systems, and avoid bot-blocking tools used by websites, banks, and streaming services. Unlike traditional data-center proxies, which are easy to blacklist, residential IPs are harder to distinguish from legitimate users. This has fueled a rise in credential stuffing, ad fraud, ticket scalping, inventory hoarding, and account takeover attacks — all carried out from what appears to be normal home internet connections.
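The point above about IP-based defenses, shown as an added example that is not part of the original article: a per-IP failed-login threshold compared with a check that ignores source IPs, both run over constructed login events. The function names, thresholds and documentation-range addresses are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed events: (source_ip, username, login_succeeded). Addresses come from
# the RFC 5737 documentation ranges; thresholds below are illustrative assumptions.

def normal_traffic():
    """20 home users, each on their own IP; every fifth one mistypes once."""
    events = []
    for i in range(20):
        ip, user = f"203.0.113.{i + 1}", f"home{i}"
        if i % 5 == 0:
            events.append((ip, user, False))
        events.append((ip, user, True))
    return events

def datacenter_run():
    """Normal traffic plus 40 failed logins from a single data-center IP."""
    return normal_traffic() + [("192.0.2.10", f"acct{i}", False) for i in range(40)]

def residential_run():
    """Same 40 failed logins, but each arrives from a different residential IP."""
    return normal_traffic() + [
        (f"198.51.100.{i + 1}", f"acct{i}", False) for i in range(40)
    ]

def ips_over_threshold(events, max_failures=5):
    """Traditional per-IP control: flag IPs with too many failed logins."""
    failures = Counter(ip for ip, _user, ok in events if not ok)
    return {ip for ip, count in failures.items() if count > max_failures}

def window_looks_like_stuffing(events, min_failed_accounts=20, max_failure_ratio=0.5):
    """IP-independent check for one time window: many distinct accounts failing
    and an unusually high overall failure ratio, however many IPs are involved."""
    if not events:
        return False
    failed_accounts = {user for _ip, user, ok in events if not ok}
    failure_ratio = sum(1 for _ip, _user, ok in events if not ok) / len(events)
    return len(failed_accounts) >= min_failed_accounts and failure_ratio > max_failure_ratio

if __name__ == "__main__":
    for name, build in [("normal", normal_traffic), ("data center", datacenter_run),
                        ("residential", residential_run)]:
        events = build()
        print(name, sorted(ips_over_threshold(events)), window_looks_like_stuffing(events))
```

The per-IP rule returns an empty set for the residential run because no single address exceeds one failure, while the window check flags both runs and leaves normal traffic alone.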