Infoblox Threat Intel research shows that residential proxies are now widely present across enterprise networks, creating a hidden exposure that many organizations may not be aware of.

The findings were released in Dubai, UAE, on 10 June 2026. They were developed in collaboration with Synthient and build on earlier Infoblox work on the Kimwolf botnet. Previously, Infoblox found that around 25 percent of customers had the Kimwolf domain in their networks, driven by residential proxy activity.

Now, the latest analysis shows a much broader footprint. Infoblox Threat Intel examined billions of DNS resolutions and network telemetry across its customer base. As a result, it found that in 2026, more than 65 percent of Infoblox Threat Defense Cloud customers made queries linked to residential proxy networks.

Residential proxies route traffic through everyday consumer devices such as home routers, mobile phones, IoT devices, and apps with embedded proxyware. This makes traffic appear as if it comes from real users instead of data centers. While some use cases are legitimate, such as web scraping or geo-restricted access, the same infrastructure is frequently used to evade IP reputation systems and bypass security controls.

In addition, Infoblox noted that this creates a significant enterprise blind spot. If malicious activity is seen coming from an organization’s IP space, the organization may be wrongly identified as the source. This can lead to reputational, legal, and operational impact.

The scale of the issue is also increasing. Between January 2025 and April 2026, monthly queries to residential proxy domains rose from nearly 400 billion to more than 500 billion, marking an increase of around 25 percent. Infoblox Threat Intel linked this growth partly to AI-driven web scraping, where residential proxies help automated traffic blend in with normal consumer behavior.

Moreover, the research found that these services are often introduced through everyday tools. These include free VPNs, streaming apps, screensavers, productivity tools, and low-cost IoT devices. In many cases, users are unaware of how these services are operating in the background.

The exposure is also widespread across industries. At least 40 percent of customers in every vertical showed related traffic. This included more than 90 percent of pharmaceutical and food and beverage customers. It also included more than 60 percent of government and banking customers.

At the same time, proxy-related traffic increases alert volumes for security teams. This adds pressure on already stretched security operations teams, making analysis more complex and time-consuming.

“Residential proxies allow an external party to leverage your resources to commit crime and wreak havoc on the internet using your reputation and IP address identity,” said Dr. Renée Burton. She added that in many cases, users unknowingly consent through buried terms and conditions. She also called for stronger awareness, informed consent standards, and greater responsibility from proxy providers, along with protective DNS controls.

While not all residential proxy activity is malicious, the research highlights a growing enterprise risk that is often invisible to defenders. As a result, organizations may be operating without full visibility into a fast-expanding threat surface.

Overall, Infoblox warns that residential proxy exposure is now deeply embedded in enterprise environments, and organizations need stronger controls and visibility. Infoblox stresses that without proactive monitoring, businesses may continue to face reputational and security risks linked to this hidden traffic.

Related post

View all