New Infoblox Threat Intel research shows residential proxies are now common across enterprise networks, creating a hidden exposure that reaches far beyond the security team.
Residential proxies have historically been conceived of as a fringe internet issue, but new research from Infoblox Threat Intel argues otherwise. Developed in collaboration with Synthient and building on Infoblox’s earlier Kimwolf botnet findings, this new reporting shows that residential proxies present a much broader enterprise exposure.
After Infoblox previously found that roughly 25% of customers had the Kimwolf domain in their networks, driven by residential proxies, the teams expanded the work by examining billions of DNS resolutions and associated network telemetry across the customer base.
What they found was far bigger: in 2026, more than 65% of Infoblox Threat Defense Cloud customers made queries to domains associated with residential proxy networks, showing how deeply these services are already embedded in real-world business environments.
What are Residential Proxies?
Residential proxies route internet traffic through everyday consumer devices such as home routers, mobile phones, IoT devices, and apps that use proxyware, making the traffic appear to come from a real user instead of a data center. While they can be used for legitimate purposes like web scraping or accessing geo-restricted content, they are also widely used by attackers to evade security systems, bypass fraud detection, and blend malicious activity with normal user traffic.
In corporate environments, this can create a serious blind spot. If malicious activity is traced back to a company’s IP space, the organization may be wrongly identified as the source, leading to reputational, legal, and operational risks.
The research shows this activity is increasing. Between January 2025 and April 2026, monthly queries to residential proxy domains rose from nearly 400 billion to over 500 billion, an increase of about 25%. According to Infoblox Threat Intel, a key driver is AI-powered web scraping, where residential proxies help automated traffic appear as normal consumer activity.
These services are often distributed through everyday applications and devices rather than traditional malware. The report highlights free VPNs, streaming apps, screensavers, “productivity” tools, and low-cost IoT devices as common entry points, often without users fully realizing how their systems are being used.
Key findings from the research include:
- More than 65% of Infoblox Threat Defense Cloud customers showed residential proxy-related DNS activity in 2026.
- Monthly query volume to residential proxy domains grew by about 25% between January 2025 and April 2026, reaching more than 500 billion per month.
- At least 40% of customers in every industry vertical showed this traffic, including more than 90% of pharmaceutical and food and beverage customers, and more than 60% of government and banking customers.
- Proxy-related traffic can create disproportionate alert volume for defenders, increasing the analytical burden on already stretched security teams.
“Residential proxies allow an external party to leverage your resources to commit crime and wreak havoc on the internet using your reputation and IP address identity.”, said Dr. Renée Burton, Vice President of Infoblox Threat Intel. “In most cases, these access points are technically created with user consent through the acceptance of software terms and conditions. But details are often buried in legalese, many pages into a document. Policy makers need to look at the dangers residential proxies pose to the internet, requirements for informed consent, and the role proxy service providers should play in preventing abuse. Enterprises need a multipronged approach to tackle the threat today, one of which should be protective DNS to control connections to unwanted proxy services”.
While not every residential proxy is malicious, the concern is that organizations unaware of whether these services are present in their environments. Why they are there or what risks they create, are flying blind on a category of exposure that is growing fast.
For more information on the research, read the blog here.
