A new residential proxy market is becoming popular among hackers, cybercriminals, phishers, scalpers and scammers, selling access to one million claimed proxy IP addresses worldwide.

The new platform was spotted by DomainTools analysts who have watched the emergence of these services, pointing to “BlackProxies” as one of the fastest growing newcomers to the space.

A new entity claiming such a large pool of available proxies is an important development given that law enforcement has shut down several large proxy providers like RESNET and INSORG over the past two years.

What is a residential proxy?

Proxies are online servers that accept and forward requests from other devices on the Internet, making it appear that a connection is coming from their IP address while hiding the real initiator behind them.

Residential proxies use home users’ IP addresses rather than a data center’s address space, making them ideal for running trading bots or for threat actors who want to blend in with regular website traffic.

Sometimes residential users voluntarily become proxies in exchange for money; however, in many cases, they unwittingly become proxies through malware infections on their computers, IoT devices, and modems.

Cybercriminals use these home proxies to improve the efficiency of their illegal operations while hiding from law enforcement and blockers.

For example, in August 2022, the FBI warned of the growing trend of cybercriminals using home proxies to carry out large-scale credential stuffing attacks without being tracked, reported, or blocked.

Scale and operation of ‘BlackProxies’

The BlackProxies service claims to have access to a pool of 1,000,000 IP addresses from around the world, all from real residential users, guaranteeing unblocked status, low detection rates and good speeds.

Additionally, the service offers an auto-rotation system that automatically refreshes IP addresses, ensuring that every request is made from a new address.
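Per-request IP rotation is what lets credential stuffing, as in the FBI warning above, slip under per-IP rate limits. The following Python example is added here for defenders and is not from DomainTools or BleepingComputer; the log format, thresholds and sample lines are assumptions constructed for illustration. It compares a per-IP failure limit with an aggregate check on failed logins per time window.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
EPOCH = datetime(1970, 1, 1)
PER_IP_LIMIT = 5       # classic control: failures allowed per IP per window
MIN_FAILURES = 20      # aggregate check needs at least this many failures
MIN_SPREAD = 0.8       # distinct IPs (and usernames) per failure; rotation gives ~1.0


def analyse(lines):
    """Bucket failed logins into windows and apply both checks to each."""
    windows = defaultdict(list)
    for line in lines:  # assumed format: ISO-timestamp ip username OK|FAIL
        ts, ip, user, result = line.split()
        if result == "FAIL":
            bucket = (datetime.fromisoformat(ts) - EPOCH) // WINDOW
            windows[bucket].append((ip, user))
    report = []
    for bucket in sorted(windows):
        fails = windows[bucket]
        per_ip = Counter(ip for ip, _ in fails)
        users = {user for _, user in fails}
        report.append({
            "failures": len(fails),
            "distinct_ips": len(per_ip),
            # Per-IP throttling only sees addresses that repeat.
            "per_ip_blocked": sorted(ip for ip, n in per_ip.items() if n > PER_IP_LIMIT),
            # Rotation signature: many failures, almost none sharing an IP or username.
            "rotation_suspected": (
                len(fails) >= MIN_FAILURES
                and len(per_ip) / len(fails) >= MIN_SPREAD
                and len(users) / len(fails) >= MIN_SPREAD
            ),
        })
    return report


def sample_log():
    """Constructed log lines using documentation IP ranges, not real traffic."""
    lines = [f"2022-10-01T12:00:{s:02d} 198.51.100.7 admin FAIL" for s in range(8)]
    lines += [f"2022-10-01T12:10:{s:02d} 203.0.113.{s + 1} user{s} FAIL" for s in range(30)]
    lines.append("2022-10-01T12:11:00 192.0.2.10 alice OK")
    return lines


if __name__ == "__main__":
    for window in analyse(sample_log()):
        print(window)
```

In the constructed sample, the single-IP burst trips the per-IP limit, while the rotated burst trips only the aggregate check. The thresholds need tuning against a site's normal failure rate before use.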

BlackProxies website (Computer Beep)

Customers also get an easy-to-use control panel with live usage stats and a REST API for added versatility and even resell potential.

The cost to use the service is $14/day, $39/week or $89 per month, while a trial package costs $4.9.

DomainTools reviewed the platform and found its IP address pool claims to be false, as the service has just over 180,000 available IP addresses.

However, it is still significant, surpassing even platforms that use unreliable methods like botnets to build their IP pools.

DomainTools investigated further and discovered that an IP address used in the service’s infrastructure had previously been linked to other shady services.

While the BlackProxies service prohibits malicious and illegal activities, the service has grown rapidly to become popular among threat actors.

Prohibited activities listed (Computer Beep)

Using the KELA DarkBeast threat intelligence platform, BleepingComputer has found many posts on hacking forums where the BlackProxies service is promoted in topics about credential stuffing and account takeover.

When DomainTools researchers confronted the operator of the BlackProxies service about the alleged criminal activities, the operator showed no interest in discussing the details.

BleepingComputer has contacted the BlackProxies operator through the listed contact method, a Telegram channel, to find out exactly how access to these residential IP addresses is achieved, but we have yet to receive a response.

At the time of writing, BlackProxies remains live.


