I’d like to start this article with a few questions:

  1. What do a leaky bucket and an old router have in common?
  2. Could your grandmother be helping cybercriminals?
  3. Why are there 5 devices in your apartment but 6 connected devices?

You’ll be able to answer these questions after reading this article.

Let’s start by looking at what kind of business these proxy services actually are.

Proxy services serve various purposes, mainly for data scraping, SEO manipulation, and bypassing various types of blocks. But they also have a dark side. They can be used for illegal activities and serve as a way to bypass detection of an attacker’s real IP address.
Every year, authorities in various countries crack down on these services (such as SocksEscort), but after one is shut down, dozens of new ones pop up. But why?
Because it is a highly profitable scheme in which people participate both voluntarily and without realizing it.

What is the structure of proxy services?

How a proxy service actually works inside

This is a simplified visualization of how a typical proxy service works. But even here, it’s clear that they use all sorts of methods to obtain more and more fresh IP addresses.

Option 1. Vulnerable routers and IoT devices.

A publicly accessible IP address allows attackers to test:

  1. Vulnerabilities in outdated software, such as RCE, authorization bypass, etc. A recent example at the time of writing is an emergency patch from TP-Link.
  2. Default (hardcoded) passwords, as seen in the D-Link example.
  3. Brute-force attacks on passwords (SSH/Telnet/web login)
  4. Use of debug interfaces
  5. CDN hijacking and delivery of malicious firmware
  6. Exploitation of an old Linux kernel

Your refrigerator, washing machine, or even a CO2 sensor could become part of this botnet. Anything with an internet connection that can be reached from the outside, either directly or via DDNS, is a candidate.

Option 2. Viruses on mobile devices or PCs.

Malware on phones or PCs that lets attackers relay their traffic through the victim’s mobile or home internet connection is the most common method. There’s no need for illustrations here.

Option 3. Free VPNs.

How a "free VPN" works

This is probably the most underrated category, and it’s what makes these services legally viable.

But how is that possible? When you accept the terms of service, anything could be in there, even selling your soul /s. Here, at least, you aren’t selling your soul, but you are selling your traffic. Through clever legal wording, your "payment" for using the VPN server’s bandwidth becomes permission for your own connection to be used by others.

But you might say, isn’t it easy to track down and shut down such a business? No. They’ll block the “malicious” user and keep operating. And this approach is the most effective of all, because the user gave their consent. No one reads the several pages of privacy policies and terms of use for a program or service. The option to pay with Bitcoin on a proxy service isn’t always there for convenience.

Option 4. “Real Business Model”.


In this scenario, the attackers already have funding, which they use not only to purchase servers for their service but also to buy devices—single-board computers.
A device costing $9–$20 that connects to the network pays for itself in less than a month of operation. Any open network or a network with a known password—for example, in a restaurant or store—can become a target.

Attackers leave USB-powered devices near active internet networks. They often choose locations where several networks are known in advance so the device can switch between them. The variations depend only on the ingenuity of the attacker.

Option 5. Other Methods

These methods are similar to roaming-based schemes, but they are becoming increasingly rare due to the risk of being quickly blocked—thanks to the prompt response of service providers and the work of security researchers.

How can you avoid becoming a victim or an accomplice of this criminal network?

  1. Do not use outdated routers. Often, to save money, you might buy a router that is no longer supported by the manufacturer and may be vulnerable. If the router is provided by your internet service provider, check with them to confirm the router’s end-of-life (EoL) date.
  2. Do not use unknown routers from unverified sellers. They may already be infected with a virus or could be used for these purposes later.
  3. Don’t trust the phrase “free VPN.” Everything comes at a cost, with the exception of large companies whose finances do not depend on VPNs.
  4. Do not install questionable apps from ads or “Install-to-Earn” schemes.
  5. Check the number of hosts on your network. Often, the threat is right next door.

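A simple way to carry out the last check, and to answer the "5 devices but 6 connected" question from the introduction, is to compare the neighbour table of a machine on your LAN against an inventory of the devices you actually own. The script below is an added example, not part of the original article: the `ip neigh` output, the MAC addresses and the inventory are constructed, and on a real network you would feed it the output of `ip neigh show` (Linux) instead.

```python
import re

# Constructed sample in the format printed by `ip neigh show` on Linux.
# Rows without `lladdr` (FAILED/INCOMPLETE) are unresolved and carry no device.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.10 dev wlan0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.11 dev wlan0 lladdr aa:bb:cc:00:00:03 REACHABLE
192.168.1.12 dev wlan0 lladdr aa:bb:cc:00:00:04 DELAY
192.168.1.13 dev wlan0 lladdr aa:bb:cc:00:00:05 REACHABLE
192.168.1.77 dev wlan0 lladdr de:ad:be:ef:00:06 REACHABLE
192.168.1.99 dev wlan0 FAILED
fe80::1 dev wlan0 lladdr aa:bb:cc:00:00:01 router REACHABLE
"""

# Hypothetical inventory of the five devices the owner knows about (MAC -> label).
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "router",
    "aa:bb:cc:00:00:02": "laptop",
    "aa:bb:cc:00:00:03": "phone",
    "aa:bb:cc:00:00:04": "tv",
    "aa:bb:cc:00:00:05": "printer",
}

NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})")


def parse_neighbours(text):
    """Return {mac: set(ips)}; IPv4 and IPv6 entries of one device collapse onto its MAC."""
    hosts = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip().lower())
        if m:
            hosts.setdefault(m.group("mac"), set()).add(m.group("ip"))
    return hosts


def count_hosts(text):
    """Number of distinct hardware addresses, i.e. devices rather than table rows."""
    return len(parse_neighbours(text))


def find_unknown_hosts(text, known=KNOWN_DEVICES):
    """Sorted (mac, ips) pairs for devices that are not in the inventory."""
    return sorted((mac, sorted(ips)) for mac, ips in parse_neighbours(text).items() if mac not in known)


if __name__ == "__main__":
    print(f"{count_hosts(SAMPLE_NEIGH)} devices seen, {len(KNOWN_DEVICES)} expected")
    for mac, ips in find_unknown_hosts(SAMPLE_NEIGH):
        print(f"unknown device {mac} at {', '.join(ips)}")
```

The neighbour table only lists devices that have recently exchanged traffic with the machine running the check, so repeat it over a day or compare against the DHCP lease list on the router before concluding that nothing is there.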

But as time goes on, these services will fade into obscurity, since analyzing network connections already makes it possible to identify patterns in proxy usage.
That’s why criminals are now trying to squeeze as much as they can out of it by luring gullible users into apps that promise “your phone earns money while on standby,” “get paid for your data usage,” “stay in touch with loved ones for free, bypass blocks,” and other dubious promotional offers.

Stay vigilant.