New Infoblox Threat Intel research shows residential proxies are now common across enterprise networks, creating a hidden exposure that reaches far beyond the security team.
Residential proxies have historically been conceived of as a fringe internet issue, but new research from Infoblox Threat Intel argues otherwise. Developed in collaboration with Synthient and building on Infoblox’s earlier Kimwolf botnet findings, this new reporting shows that residential proxies present a much broader enterprise exposure. After Infoblox previously found that roughly 25 per cent of customers had the Kimwolf domain in their networks, driven by residential proxies, the teams expanded the work by examining billions of DNS resolutions and associated network telemetry across the customer base. What they found was far bigger: in 2026, more than 65 per cent of Infoblox Threat Defense Cloud customers made queries to domains associated with residential proxy networks, showing how deeply these services are already embedded in real-world business environments.
Residential proxies route internet traffic through everyday consumer devices such as home routers, mobile phones, IoT devices and systems running apps embedded with proxyware, making the connection appear to come from a real person rather than a datacentre. This can serve legitimate purposes, such as web scraping or accessing geo-restricted content, but it is also precisely what makes residential proxies attractive to attackers. They help evade IP reputation systems, bypass fraud and verification controls and allow malicious traffic to blend in with normal consumer activity.
In a corporate setting, that dynamic can turn a technical blind spot into a genuine business problem. If a third party sees malicious activity coming from your IP space, your organisation may be identified as the source first, creating reputational, legal and operational fallout.
The research shows that this issue is only growing. Between January 2025 and April 2026, monthly queries to residential proxy domains rose from nearly 400 billion to more than 500 billion, an increase of roughly 25 per cent. Infoblox Threat Intel says one major driver is AI-related web scraping, where residential proxies help traffic blend in as if it were coming from real consumers rather than automated systems.
Equally significant is how these services typically arrive: through everyday tools and devices rather than obvious malware. The research identifies free VPNs, streaming apps, screensavers, “productivity” apps and low-cost IoT devices as common ways systems can be enrolled, often without users fully understanding what’s happening.
Key findings from the research include:
More than 65 per cent of Infoblox Threat Defense Cloud customers showed residential proxy-related DNS activity in 2026.
Monthly query volume to residential proxy domains grew by about 25 per cent between January 2025 and April 2026, reaching more than 500 billion per month.
At least 40 per cent of customers in every industry vertical showed this traffic, including more than 90 per cent of pharmaceutical and food and beverage customers, and more than 60 per cent of government and banking customers.
Proxy-related traffic can create disproportionate alert volume for defenders, increasing the analytical burden on already stretched security teams.
“Residential proxies allow an external party to leverage your resources to commit crime and wreak havoc on the internet using your reputation and IP address identity,” said Dr. Renée Burton, Vice President of Infoblox Threat Intel. “In most cases, these access points are technically created with user consent through the acceptance of software terms and conditions. But details are often buried in legalese, many pages into a document. Policy makers need to look at the dangers residential proxies pose to the internet, requirements for informed consent, and the role proxy service providers should play in preventing abuse. Enterprises need a multipronged approach to tackle the threat today, one of which should be protective DNS to control connections to unwanted proxy services.”
While not every residential proxy is malicious, the concern is that organisations unaware of whether these services are present in their environments, why they are there or what risks they create are flying blind on a category of exposure that is growing fast.
About Infoblox Threat Intel
Infoblox Threat Intel is the leading creator of original DNS threat intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet’s inner workings allows us to track down threat actors that others can’t see. We’re proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox DNS Detection and Response solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.
About Infoblox
Infoblox is a leading platform for preemptive security and hybrid, multi-cloud networking that delivers enterprise resilience and agility. Trusted by over 5,700 customers, including the majority of Fortune 100 companies as well as emerging innovators, we seamlessly integrate, secure and automate critical network services so businesses can move fast without compromise. Visit Infoblox.com, or follow us on LinkedIn.