GOOGLE has disrupted IPIDEA, a large residential proxy network that enrolled users’ devices via SDKs embedded in mobile and desktop apps, in a coordinated crackdown involving legal domain takedowns, intelligence sharing on malicious SDKs, and ecosystem-wide enforcement. According to announcement, Google Play Protect now removes and blocks apps with IPIDEA SDKs, and the actions degraded the network significantly, reducing the available pool of devices for proxy operators by millions.
The move was carried out with partners such as Cloudflare, Spur, and Black Lotus Labs to disrupt operations and share intelligence, and it comes as IPIDEA and related independent proxy brands are linked to threat activity used by hundreds of groups — in one week of January 2026, over 550 tracked threat groups used IPIDEA exit nodes.
IPIDEA’s proxy infrastructure is described as a little-known component of the digital ecosystem used by a wide array of bad actors, including cybercrime, espionage, and botnets such as BadBox2.0, Aisuru, and Kimwolf. The report notes that many SDKs (EarnSDK, PacketSDK, CastarSDK, HexSDK) share code and a two-tier C2 infrastructure, all drawing from a global pool of about 7,400 Tier Two servers.