A 500 billion query problem hiding inside the enterprise network
The question that should unsettle every network defender is a simple one: do you know who has access to your IP space? New research from Infoblox Threat Intel, published on 9 June 2026 and built in collaboration with the security research outfit Synthient, suggests that for a clear majority of organisations, the honest answer is no.
Having examined billions of DNS resolutions and the network telemetry surrounding them across its customer base, the company found that more than 65% of Infoblox Threat Defense Cloud customers made queries to domains used to access or orchestrate residential proxy networks during 2026. That figure recasts a phenomenon long treated as a fringe internet curiosity as something closer to a structural feature of the modern enterprise, one that most security teams have not been watching.
The finding extends earlier work. In January the company reported on the Kimwolf botnet inside enterprise networks and was alarmed to find the Kimwolf domain present in roughly a quarter of its customers, with that traffic driven by residential proxies. The follow-up research widens the lens from a single botnet to the entire category, and the picture it produces is considerably larger than the original alarm suggested. Where Kimwolf touched a quarter of customers, the broader proxy economy touches close to two-thirds, and it does so quietly, through ordinary devices and applications rather than anything a defender would recognise as malware.
The exposure is not theft of data but the quiet loan of an organisation's reputation to whoever is paying for the proxy
The reason this matters to a business, rather than only to a security analyst, sits in how residential proxies actually work. The services route internet traffic through devices belonging to everyday consumers, including home routers, mobile phones, IoT devices and any system running an application embedded with proxyware, so that a connection appears to originate from a real person rather than a data centre. There are legitimate uses for this, from web scraping to reaching geo-restricted content, but the same property is exactly what draws attackers. Residential proxies help malicious traffic evade the IP reputation systems built to protect data centre infrastructure, bypass fraud and verification controls, and disappear into the ordinary noise of consumer activity. Infoblox draws a careful distinction here: tools such as Tor and commercial VPNs produce anonymised traffic, where the destination at least knows the connection is masked, whereas residential proxies produce laundered traffic, where the destination believes it knows precisely who is connecting and is simply wrong.
Inside a corporate environment, that distinction becomes a liability with the organisation's name on it. When a residential proxy operates from inside a company's network, an external party that subsequently sees malicious activity coming from that company's IP space will, correctly, identify the company as the source. Proving afterwards that you were the conduit rather than the perpetrator is the expensive part. Dr Renée Burton, Vice President of Infoblox Threat Intel, put the stakes in blunt terms. “Residential proxies allow an external party to leverage your resources to commit crime and wreak havoc on the internet using your reputation and IP address identity,” she said. The cost of untangling such an episode is measured not only in analyst hours but in legal exposure and reputational damage, and it arrives without warning because the activity was never visible to the organisation in the first place.
The presence keeps growing, and the engine driving it is the same AI scraping boom reshaping the rest of the internet
Far from receding under scrutiny, the traffic is climbing. Between January 2025 and April 2026 the total monthly queries to residential proxy domains rose from nearly 400 billion to more than 500 billion, an increase of roughly 25%. Infoblox attributes much of that growth to AI-related web scraping, the data-gathering that model training depends on, because residential proxies let automated collection blend in as though it were coming from the devices of real consumers and so slip past the anti-scraping measures sites have erected. The demand curve for proxies, in other words, is now tied to one of the most powerful commercial trends of the moment, which is part of why enforcement has done little to slow it. Despite action taken against one service, IPIDEA, in January 2026, and despite heightened awareness of the risks, the company observed no reduction in overall use, only curious traffic anomalies around the time the action landed.
What makes the growth hard to govern is the route by which these services enter a network. They rarely arrive as recognisable threats. The research identifies free VPNs, streaming apps, screensavers, so-called productivity tools such as PDF viewers, and low-cost IoT devices including digital picture frames and media streaming boxes as common carriers, with proxy software bundled in through development kits that let app makers earn a small sum per installation. Devices are frequently enrolled without their owners' knowledge, and in some cases the capability is pre-installed or delivered through updates from unofficial app stores. The named services in the data span the spectrum, from business-oriented scraping providers such as Brightdata, seen in more than half of cloud customers, and Oxylabs, to consumer-facing operations like Hola VPN, Honeygain and the cryptocurrency-rewarded Grass.
The breadth across industries is the detail that should worry boards, not only security teams
If the category were confined to a few permissive sectors it would be a manageable problem, but the research found it everywhere. At least 40% of customers in every industry vertical showed residential proxy traffic. More than 90% of pharmaceutical and food and beverage customers showed it, and more than 60% of government and banking customers did too, the very organisations whose tolerance for this kind of ambiguity tends to be lowest. The same traffic also imposes a hidden tax on the people meant to catch it, because proxy users do not observe acceptable-use policies and their activity often reaches suspicious or malicious domains, generating a disproportionate volume of alerts that lands on already stretched security teams.
For Burton, the answer runs on two tracks, one immediate and one structural. The structural problem is consent. “In most cases, these access points are technically created with user consent through the acceptance of software terms and conditions,” she said. “But details are often buried in legalese, many pages into a document. Policy makers need to look at the dangers residential proxies pose to the internet, requirements for informed consent, and the role proxy service providers should play in preventing abuse.” The immediate problem is visibility, and here her prescription is operational. “Enterprises need a multipronged approach to tackle the threat today, one of which should be protective DNS to control connections to unwanted proxy services,” she said. Not every residential proxy is malicious, and the research is pointed in declining to label individual services as ethical or otherwise. The concern is narrower and harder to dismiss: organisations that do not know whether these services are present, why they are there or what risk they carry are flying blind on a category of exposure that is expanding quickly, and the first time many of them will learn the answer is when someone else's incident response comes knocking.
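The visibility gap described above can be narrowed with DNS logs an organisation already collects. The following Python script is an added example, not code from Infoblox or the original article: it reports which internal clients resolved names belonging to proxy services. The watchlist domains, the service labels and the log format are assumptions made for illustration, and the sample log lines are constructed.

```python
from collections import defaultdict

# Placeholder watchlist (constructed): real proxy-service domains must come
# from your own threat-intel feed; the article lists none.
WATCHLIST = {
    "proxy-sdk.example": "placeholder-service-a",
    "peer-relay.example": "placeholder-service-b",
}

# Constructed sample log, assumed format: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2026-04-01T09:00:01Z 10.0.4.17 api.proxy-sdk.example. A
2026-04-01T09:00:02Z 10.0.4.17 API.Proxy-SDK.example A
2026-04-01T09:00:05Z 10.0.9.3 intranet.corp.example A
2026-04-01T09:01:10Z 10.0.7.22 node7.peer-relay.example AAAA
2026-04-01T09:01:11Z 10.0.9.3 notproxy-sdk.example A
malformed line
2026-04-01T09:02:00Z 10.0.4.17 peer-relay.example A
"""

def match_service(qname, watchlist=WATCHLIST):
    """Return the watchlist label if qname equals or is a subdomain of an entry."""
    labels = qname.rstrip(".").lower().split(".")
    # Walk suffixes on label boundaries so 'notproxy-sdk.example' does not match.
    for i in range(len(labels)):
        hit = watchlist.get(".".join(labels[i:]))
        if hit:
            return hit
    return None

def clients_using_proxies(log_text, watchlist=WATCHLIST):
    """Map client IP -> {service label: query count} for watchlisted lookups."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing fields
        _, client, qname, _ = parts
        service = match_service(qname, watchlist)
        if service:
            report[client][service] += 1
    return {c: dict(s) for c, s in report.items()}

if __name__ == "__main__":
    for client, services in sorted(clients_using_proxies(SAMPLE_LOG).items()):
        print(client, services)
```

Grouping by client rather than by domain turns the output into an inventory of devices to investigate, which is the question the research says most organisations cannot currently answer.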