The Hidden Threat: How Residential Proxies Enable Cybercrime Across Australia and New Zealand


Residential Proxies: The Growing Cybercrime Threat 

When we think about cybersecurity threats, we often picture sophisticated malware or state-sponsored hackers. But one of the most effective tools cybercriminals use to hide their activities is hiding in plain sight within Australian and New Zealand homes: residential proxies.

Recent reports from the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) and New Zealand's National Cyber Security Centre (NCSC) reveal a troubling reality. Thousands of devices across the trans-Tasman region have been compromised and enrolled in proxy networks without their owners' knowledge, creating a vast infrastructure that enables cybercrime while appearing completely legitimate.

What Are Residential Proxies?

A residential proxy is an intermediary server that uses real IP addresses assigned by Internet Service Providers (ISPs) to actual residential devices such as cheap media streaming devices, home routers, computers, tablets and smartphones. Unlike datacenter proxies, which use IP addresses from server farms and are relatively easy to detect and block, residential proxies route internet traffic through genuine consumer devices.

This makes malicious activity nearly indistinguishable from legitimate user behaviour. When a cybercriminal uses a residential proxy, websites and security systems see traffic coming from what appears to be a real person's home internet connection, complete with proper geolocation and ISP assignment.

The Scale of the Problem in Australia and New Zealand

The threat is not theoretical. According to the ACSC's Annual Cyber Threat Report 2024-25, malicious cyber actors are actively compromising edge devices (home routers, firewalls and IoT devices) to use as proxies. In FY2024-25, the ACSC observed more than 120 incidents associated with attacks on edge devices, with a staggering 96% success rate.

In September 2024, the ACSC and NCSC jointly published an advisory highlighting a botnet created by PRC-linked cyber actors that compromised over 260,000 internet-connected devices globally. This network included devices across Australia and New Zealand. These compromised devices were used as proxies to:

  • Conceal attacker identities during malicious operations
  • Deploy distributed denial-of-service (DDoS) attacks
  • Further compromise additional networks
  • Target critical infrastructure providers

The IPIDEA Network: A Wake-Up Call

In January 2026, Google's Threat Intelligence Group disrupted what they identified as the world's largest residential proxy network, operated by IPIDEA. The scale of this operation is staggering. In just a single seven-day period in January 2026, researchers observed over 550 individual threat groups utilising this network to obfuscate their activities. These included state-sponsored groups from China, DPRK, Iran and Russia.

The research revealed that IPIDEA controlled multiple ostensibly independent proxy and VPN brands, creating a vast ecosystem designed to enrol consumer devices without explicit user consent. Devices were enrolled through:

  • Software Development Kits (SDKs) embedded in legitimate applications
  • Pre-installed proxy software on devices
  • Trojanised applications downloaded by unsuspecting users

Why Residential Proxies Are So Effective

Traditional security measures struggle against residential proxy networks for several reasons:

1. Legitimate Appearance

Traffic from residential proxies appears identical to genuine user traffic. The IP addresses are properly registered to real ISPs and tied to actual physical locations. This makes IP-based blocking and reputation systems significantly less effective.

2. Geographic Precision

Attackers can select IP addresses from specific countries, cities, or even neighbourhoods. This enables highly targeted attacks that bypass geographic restrictions and appear to originate from trusted locations.

3. Vast IP Pools

Large residential proxy networks provide access to millions of IP addresses. Even if one IP is blocked, attackers can immediately switch to another, making sustained blocking efforts nearly impossible.

4. Bypass of Anti-Fraud Systems

According to research by Trend Micro, residential proxy providers have become full-fledged enablers of cybercrime specifically because they allow criminals to circumvent anti-fraud and IT security systems that rely on IP reputation, geolocation or rate limiting.

The Cybercrime Ecosystem Connection

Residential proxies have become a critical component of the broader Cybercrime-as-a-Service ecosystem. The ACSC's Annual Cyber Threat Report 2024-25 identifies bulletproof hosting (which includes residential proxy services) as one of the key enabling services that allow cybercriminals to operate at scale.

These services are advertised on underground forums as secure and resilient cyber infrastructure. Critically, bulletproof hosting providers knowingly participate in the cybercrime ecosystem, refusing to abide by law enforcement takedown requests and ignoring abuse complaints from victims.

The NCSC's Cyber Threat Report 2025 notes that hacktivist groups and state-sponsored actors increasingly use residential proxy networks to obfuscate their activities. The line between state-sponsored operations and hacktivist activities has blurred, with states using proxies, supporting 'true believer' actors, or simply turning a blind eye to malicious activity emanating from within their borders.

Implications for Australian and New Zealand Organisations

For Insicon Cyber's clients and organisations across the trans-Tasman region, the rise of residential proxies creates several critical security challenges:

Reduced Effectiveness of Traditional Defences

IP-based blocklists and reputation systems become significantly less effective when attackers can route traffic through legitimate residential IP addresses. Organisations can no longer rely solely on these traditional controls.

Increased Attack Surface

The growth of remote work since COVID-19 has expanded the number of vulnerable edge devices. More home routers and personal devices connected to corporate networks create more potential entry points for compromise.

Detection Challenges

Malicious activity routed through residential proxies is significantly harder to detect. Standard security monitoring that flags unusual IP addresses or geographic anomalies will miss attacks originating from legitimate-looking residential connections.

Compliance Implications

For organisations subject to the Australian SOCI Act, Privacy Act, Essential Eight requirements, or New Zealand's Privacy Act 2020 and NZISM, the use of residential proxies by attackers complicates compliance efforts around access control, logging and incident detection.

Adaptive Security: What Trans-Tasman Organisations Should Do

The ACSC and NCSC guidance is clear: organisations need to move beyond IP-based defences to connection-based and session-based access controls. Here's what Insicon Cyber recommends:

1. Implement Behavioural Analytics

Move from IP reputation to behavioural analysis. Monitor for anomalous patterns such as unusual access times, rapid sequential logins, abnormal data transfer volumes or unexpected geographic movements within short time frames.

2. Strengthen Session Management

Implement robust session-based controls including multi-factor authentication, device fingerprinting and continuous authentication throughout the session rather than just at login.

3. Secure Edge Devices

The ACSC emphasises the critical importance of securing edge devices. Organisations should:

  • Regularly update and patch all edge devices (routers, firewalls, VPN endpoints)
  • Change default credentials immediately
  • Disable unnecessary services and ports
  • Implement network segmentation to limit the impact of compromised devices

4. Deploy Adaptive Security Operations

Insicon Cyber's adaptive Security Operations Centre (aSOC) approach provides continuous monitoring that goes beyond traditional signature-based detection. Our intelligence-driven platform identifies threats based on behaviour and context, not just IP reputation.

5. Enhance Logging and Monitoring

Comprehensive logging of connection metadata (not just IP addresses) enables better detection of residential proxy usage. Log session duration, data transfer patterns, user agent strings and behavioural characteristics.
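
The behavioural checks in recommendations 1 and 5, as an added example that is not code from the ACSC, the NCSC or Insicon Cyber: it flags geographically impossible movement per user, and one client fingerprint arriving from several IP addresses in a short window, which per-IP rate limiting does not see. The event fields, the fingerprint values and the thresholds are assumptions, and the sample events are constructed.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): time, user, source IP,
# geolocated lat/lon, client fingerprint (hypothetical TLS/user-agent hash).
EVENTS = [
    ("2025-03-01T08:00:00", "alice", "203.0.113.10", -33.87, 151.21, "fp-a1"),
    ("2025-03-01T08:40:00", "alice", "198.51.100.7", -36.85, 174.76, "fp-a1"),
    ("2025-03-01T09:00:00", "bob", "192.0.2.11", -37.81, 144.96, "fp-zz"),
    ("2025-03-01T09:00:20", "carol", "192.0.2.54", -27.47, 153.03, "fp-zz"),
    ("2025-03-01T09:00:41", "dave", "198.51.100.90", -41.29, 174.78, "fp-zz"),
    ("2025-03-01T12:00:00", "frank", "203.0.113.5", -33.87, 151.21, "fp-f9"),
    ("2025-03-01T17:30:00", "frank", "203.0.113.5", -33.87, 151.21, "fp-f9"),
]

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2, dl = map(math.radians, (lat1, lat2, lon2 - lon1))
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Users whose consecutive logins imply travel faster than max_kmh."""
    last, flagged = {}, set()
    for ts, user, _ip, lat, lon, _fp in sorted(events):
        t = datetime.fromisoformat(ts)
        if user in last:
            t0, lat0, lon0 = last[user]
            km = haversine_km(lat0, lon0, lat, lon)
            hours = max((t - t0).total_seconds(), 1.0) / 3600
            # min_km ignores small jumps caused by geolocation jitter
            if km >= min_km and km / hours > max_kmh:
                flagged.add(user)
        last[user] = (t, lat, lon)
    return flagged

def rotating_ip_fingerprints(events, window=timedelta(minutes=5), min_ips=3):
    """Fingerprints seen from >= min_ips distinct IPs inside one window."""
    by_fp = defaultdict(list)
    for ts, _user, ip, _lat, _lon, fp in sorted(events):
        by_fp[fp].append((datetime.fromisoformat(ts), ip))
    flagged = set()
    for fp, seen in by_fp.items():
        start = 0
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1  # slide the window forward in time
            if len({ip for _, ip in seen[start:end + 1]}) >= min_ips:
                flagged.add(fp)
    return flagged
```

On the sample data, `impossible_travel(EVENTS)` flags `alice` (Sydney to Auckland in 40 minutes) and `rotating_ip_fingerprints(EVENTS)` flags `fp-zz`, although no single IP address in either case repeats or exceeds a per-IP limit.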

6. Educate Your Workforce

Remote workers need to understand the risks of compromised home networks. Provide guidance on:

  • Securing home routers and IoT devices
  • Avoiding suspicious applications and software downloads
  • Recognising signs of device compromise

Three Critical Questions for Your Organisation

The NCSC's Cyber Threat Report 2025 poses three essential questions that every Australian and New Zealand organisation should ask:

1. Do we have the relationships, systems and processes to provide early warning and coordinated response?

When residential proxies are used against your organisation, will you detect it in time? Do you have the monitoring capabilities and incident response procedures in place?

2. Are we confident in our ability to detect sophisticated actors using living-off-the-land techniques?

Attackers using residential proxies often employ subtle techniques that blend with normal traffic. Can your security operations team identify these threats?

3. Have we tested our ability to respond to sophisticated intrusions designed not just to steal, but to remain undetected?

Regular testing and validation of detection capabilities is essential. Tabletop exercises and red team assessments should include scenarios involving residential proxy networks.

Moving Forward: Adaptive Protection for an Evolving Threat Landscape

Residential proxies represent a fundamental shift in how cybercriminals and state-sponsored actors operate. The effectiveness of traditional IP-based defences continues to diminish as these networks grow. For organisations across Australia and New Zealand, this isn't a theoretical future threat. It's happening now, evidenced by the ACSC's report of 120+ edge device compromises in a single year and the massive botnet affecting hundreds of thousands of devices globally.

The path forward requires adaptive, intelligence-driven security that focuses on behaviour rather than just origin. It requires comprehensive partnership between strategic advisory and operational delivery. And it requires trans-Tasman organisations to move beyond compliance checkboxes to genuine cyber resilience.

At Insicon Cyber, we've built our services around this reality. From boardroom strategy to 24/7 adaptive security operations, we provide the comprehensive cybersecurity partnership that Australian and New Zealand businesses need to stay protected against evolving threats like residential proxy networks.

Ready to Strengthen Your Defences?

Contact Insicon Cyber to discuss how our adaptive security operations can help your organisation detect and respond to threats routed through residential proxy networks. Our trans-Tasman team brings global threat intelligence and regional regulatory expertise to protect what matters most.


Sources and Further Reading

Australian Cyber Security Centre:

  • ACSC Annual Cyber Threat Report 2024-25: https://cyber.gov.au
  • PRC-Linked Actors Compromise Routers and IoT Devices for Botnet Operations: Available at cyber.gov.au


About Insicon Cyber

Insicon Cyber is the ANZ region's trusted cybersecurity partner, uniquely positioned to bridge the gap between boardroom strategy and operational excellence. We deliver comprehensive cybersecurity solutions from executive advisory to managed security services, enabling Australian and New Zealand businesses to stay compliant, resilient and future-ready in an evolving threat landscape.
