Infoblox has published research on the spread of residential proxy activity across business networks. More than 65 per cent of its Threat Defence Cloud customers made DNS queries to domains linked to residential proxy networks.
The findings, developed with Synthient, build on earlier work related to the Kimwolf botnet. Infoblox examined billions of DNS resolutions and related network telemetry across its customer base and found broader exposure than in its previous research.
Residential proxies route internet traffic through consumer devices, including home routers, mobile phones, IoT equipment and systems running software with embedded proxyware. This makes online activity appear to come from an ordinary user rather than a datacentre, supporting legitimate uses such as web scraping or access to geographically restricted content.
The same networks can also help attackers avoid IP reputation checks, bypass fraud controls and hide malicious traffic within normal consumer activity. In a business setting, that can leave an organisation associated with hostile activity originating from its IP space, even when it is not the direct source.
Infoblox reported that the volume of this traffic is rising. Monthly queries to residential proxy domains increased from nearly 400 billion in January 2025 to more than 500 billion in April 2026, a rise of about 25 per cent.
Part of that increase was linked to AI-related web scraping. The research said residential proxies help automated traffic resemble requests from real consumers rather than scripts or server farms.
These services often enter organisations through common software and devices rather than obvious malware. The report identified free VPNs, streaming apps, screensavers, productivity apps and lower-cost IoT devices as common ways systems are enrolled into proxy networks, often without users fully understanding the implications.
Industry spread
The activity was not limited to a handful of sectors. At least 40 per cent of customers in every industry vertical Infoblox studied showed residential proxy-related traffic.
Some sectors recorded substantially higher levels. More than 90 per cent of pharmaceutical and food and beverage customers showed such traffic, as did more than 60 per cent of government and banking customers.
That breadth suggests residential proxy infrastructure is no longer a niche issue affecting only a narrow slice of the internet. Instead, it appears across a wide range of mainstream corporate environments, adding to the workload of security teams already dealing with heavy alert volumes and limited resources.
Infoblox said proxy-related traffic can generate a disproportionate number of alerts for defenders. That can make it harder for analysts to distinguish between benign use, policy breaches and traffic linked to criminal activity.
Consent questions
A central concern in the findings is how these access points are created. Many residential proxy arrangements rely on some form of user consent embedded in software terms and conditions, even when the practical effect is poorly understood by the user or business.
"Residential proxies allow an external party to leverage your resources to commit crime and wreak havoc on the internet using your reputation and IP address identity," said Dr Renée Burton, Vice President of Infoblox Threat Intel.
Burton said the issue raises broader policy and governance questions as well as technical ones. "In most cases, these access points are technically created with user consent through the acceptance of software terms and conditions. But details are often buried in legalese, many pages into a document. Policy makers need to look at the dangers residential proxies pose to the internet, requirements for informed consent, and the role proxy service providers should play in preventing abuse. Enterprises need a multipronged approach to tackle the threat today, one of which should be protective DNS to control connections to unwanted proxy services."
The data points to a category of network exposure that can sit outside normal assumptions about cyber risk. Because the traffic may arrive through everyday applications and connected devices, companies may not identify it as suspicious until external complaints, fraud investigations or internal security reviews bring it to light.
For security teams, the challenge is not only to block malicious activity but also to understand why proxy traffic is present in the first place. The use of consumer-facing software inside workplaces, alongside the spread of connected devices, creates a path for this infrastructure to appear in corporate estates without the visibility that normally accompanies more conventional malware infections.
Earlier Infoblox research found roughly a quarter of customers had the Kimwolf domain on their networks. The latest figures indicate the wider residential proxy ecosystem reaches much further, with more than 500 billion monthly DNS queries to associated domains by April 2026.