These Free VPNs, Proxies Used by Criminals to Hijack Users’ Connections

If you installed Galleon VPN or Radish VPN, your PC may have been used as a staging device for cybercrime. According to Google, a group of free VPNs and proxy services was part of a larger network used by 550+ hacking groups to obscure their internet traffic.

The IPIDEA proxy network offered customers access to over 60 million IP addresses, letting buyers access the web as local users from various parts of the globe. But Google says IPIDEA didn’t secure the IP addresses legitimately; instead, it sourced them from numerous users who were likely unaware their devices had become a node in IPIDEA’s network. 

Google’s investigation found that several free VPN and proxy brands were feeding into IPIDEA, including DoorVPN, Galleon VPN, Radish VPN, and Aman VPN.

Google also examined three of the VPN clients and found that while they did seem to provide VPN functionality, there was no clear disclosure about turning users’ PCs into proxy nodes. 

To secure more IP addresses, the creators of IPIDEA also published software development kits (SDKs) for mobile apps, seemingly offering them as a way to help developers create revenue. The SDKs were embedded inside at least 600 mobile apps. Devices that installed the software then became “exit nodes” for IPIDEA’s proxy network.

“By routing traffic through an array of consumer devices all over the world, attackers can mask their malicious activity by hijacking these IP addresses. This generates significant challenges for network defenders to detect and block malicious activities,” Google said about the threat. 



This also means that hackers who used IPIDEA could access users’ private devices on the same network. In addition, Google found evidence the hackers would try to compromise a user device by exploiting security gaps. 

Google told The Wall Street Journal that IPIDEA appears to be a Chinese company. IPIDEA users are also from China, as well as Russia, North Korea, and Iran.

Many are botnet operators. “This includes the BadBox2.0 botnet we took legal action against last year, and the Aisuru and Kimwolf botnets more recently. We also observe IPIDEA being leveraged by a vast array of espionage, crime, and information operations threat actors,” Google says.

The good news is that Google has disrupted the IPIDEA proxy network by taking legal action to seize the domains IPIDEA used for its scheme, including the command and control domains and websites that promoted IPIDEA’s products and SDKs. This has “reduce[d] the available pool of devices for the proxy operators by millions,” Google says, including 9 million Android devices, the company tells the Journal.

“We’ve shared our findings with industry partners to enable them to take action as well,” according to Google, which says internet infrastructure provider Cloudflare has also been cracking down.

Despite the takedown, Google says the proxy service market deserves more scrutiny. “Consumers should be extremely wary of applications that offer payment in exchange for ‘unused bandwidth’ or ‘sharing your internet.’ These applications are primary ways for illicit proxy networks to grow, and could open security vulnerabilities on the device’s home network,” the company adds.

Author

  • Gaby Souza is the creator of MdroidTech and a specialist in technology, apps, games, and digital trends. With years of experience testing devices and software, he shares reviews, tutorials, and news to help users get the most out of their devices. Passionate about innovation, he is committed to delivering original, reliable, and easy-to-understand content.