Millions of everyday internet-connected devices are quietly being turned into weapons in a global cyberwar, and security experts warn the problem is far larger than anyone realized.
For years, most people assumed cyberattacks came from sophisticated criminal organizations using hidden servers somewhere overseas. Instead, investigators have uncovered a disturbing reality. The attacks are increasingly coming from ordinary homes, apartments, and small businesses. Streaming boxes, digital picture frames, mobile apps, and other inexpensive consumer electronics are being transformed into secret launch platforms for nation-state hackers and cybercriminals.
The discoveries suggest that many of the security protections designed to keep these threats out have failed. Instead of attacking networks directly, foreign intelligence services and organized cybercrime groups have found a way to hide behind millions of unsuspecting consumers.
A Hidden Army Inside American Homes
The investigation began after Microsoft asked Comcast to examine six residential internet addresses that had been linked to an intrusion by Midnight Blizzard, the Russian hacking group associated with Russia’s Foreign Intelligence Service.
Following those internet addresses led investigators to something much larger than anyone expected. Rather than isolated infections, Comcast discovered enormous residential proxy networks built from consumer devices that already contained hidden backdoor software when they were sold or that later became infected through compromised apps and software.
These networks allow attackers anywhere in the world to route their internet traffic through an American home. A hacker operating in Moscow, Beijing, Tehran, or Pyongyang can appear online as though they are sitting inside a suburban house in Washington state.
As Comcast’s Chief Information Security Officer Noopur Davis put it, “This is a bigger problem because of the sheer numbers.” She described it as one of the most worrying cybersecurity issues the company has encountered.
Millions of Devices Already Compromised
Researchers now believe the scale is staggering.
The Digital Citizens Alliance estimates approximately 20 million compromised backdoor installations exist in the United States alone. Separate research by Bitsight observed more than 53 million unique residential proxy exit nodes worldwide during just a 55-day monitoring period.
The researchers concluded that between 14 and 21 percent of residential proxy systems showed active malware infections, while some major proxy providers may actually operate with infection rates approaching 50 percent.
Those figures represent only the infections researchers could directly observe. The actual numbers may be substantially higher because many compromised devices remain dormant until activated.
How the Backdoors Get There
Perhaps the most alarming aspect of the investigation is how many infections occur before consumers even open the box.
Researchers found that malware has been preinstalled on numerous inexpensive Android-based products during manufacturing or distribution. Other infections occur when users install compromised smartphone apps, fake VPN software, pirated video games, or illegal streaming applications that secretly install residential proxy software.
Among the products identified in the investigations are:
- Low-cost streaming TV boxes
- Digital picture frames
- Digital projectors
- Aftermarket vehicle entertainment systems
- Tablets
- Various Android-based consumer electronics
Many of these products are inexpensive, off-brand devices rather than equipment supplied directly by major internet service providers. Examples identified in the investigations include brands such as X96, TV98, and GameBox, along with numerous other generic Android devices sold through online marketplaces.
Researchers also found compromised applications offering free VPN services, illegal streaming content, pirated software, and unauthorized copies of commercial video games.
The common theme is simple. If a product promises premium services for free or is dramatically cheaper than established brands, it deserves extra scrutiny.
Residential Proxy Networks Have Become Criminal Infrastructure
Once infected, a device becomes part of what security experts call a residential proxy network.
These services essentially rent out someone else’s home internet connection to paying customers. While there are legitimate commercial uses for residential proxies, investigators say they have become an essential tool for cybercriminals and government-sponsored hackers.
Attackers use these networks to:
- Hide the true origin of cyberattacks
- Steal Microsoft 365 credentials
- Conduct account takeovers
- Launch credential stuffing attacks
- Commit banking fraud
- Conduct espionage
- Attack government agencies
- Target military organizations
- Hide reconnaissance operations
- Distribute spam and malware
According to FBI Cyber Division Assistant Director Brett Leatherman, attackers gain a significant advantage simply by appearing to originate from American internet connections.
“If the actors can get U.S.-based IP space, they have a leg up in being able to target government agencies, industry, and others.”
Nation States Are Taking Advantage
Investigators say these networks are no longer primarily criminal tools.
Russian intelligence has already used them during attacks against Microsoft executives.
Government agencies from the United States, United Kingdom, Germany, Japan, and several other countries have also warned that Chinese state-sponsored hackers are increasingly using compromised consumer devices to disguise their operations.
Instead of hacking directly from overseas infrastructure that immediately attracts attention, attackers simply borrow internet connections from millions of unsuspecting homeowners.
The result is that malicious activity appears to originate from perfectly ordinary residential neighborhoods.
The Threat Goes Beyond the Infected Device
Perhaps the most troubling discovery is that the infected device itself is often only the beginning.
Comcast investigators found attackers could use an infected streaming box to move deeper into a home network, potentially accessing smartphones, computers, tablets, and other connected devices.
If an employee later connects that compromised phone to a corporate “bring your own device” network, confidential business information may also become exposed.
Davis described the discovery as “such a step change from any threat we’d seen before.”
Why Traditional Cybersecurity Is Failing
Bitsight researchers argue that many existing defensive strategies are becoming ineffective.
Traditional cybersecurity often blocks suspicious internet addresses based on reputation. Residential proxy networks defeat that model by constantly rotating through millions of legitimate residential IP addresses.
Researchers observed that many proxy services cycle through devices so rapidly that an internet address disappears long before security systems identify it as malicious.
The researchers concluded that defenders must stop relying primarily on static IP reputation because residential proxy traffic increasingly represents “a direct extension of botnet infrastructure.”
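The gap between per-address blocking and rotating traffic can be seen on a small login log. The following Python sketch is an added illustration, not code from Bitsight or any company named in this article; the events are constructed (documentation IP ranges), and the thresholds and the "many low-volume addresses" rule are assumptions chosen for the demonstration.

```python
from collections import defaultdict

def build_events():
    """Constructed sample log: (epoch_seconds, source_ip, account, success)."""
    events = []
    # One address failing repeatedly against one account.
    for i in range(12):
        events.append((1000 + i, "198.51.100.7", "alice", False))
    # Rotating pool: 40 failures, each from a different address, one try apiece.
    for i in range(40):
        events.append((2100 + i * 5, f"203.0.113.{i + 1}", f"user{i % 8}", False))
    # Ordinary user: one typo, then a successful login.
    events.append((3000, "192.0.2.10", "bob", False))
    events.append((3005, "192.0.2.10", "bob", True))
    return events

def per_ip_flags(events, threshold=10):
    """Static per-address rule: flag an IP once it reaches `threshold` failures."""
    fails = defaultdict(int)
    for _, ip, _, ok in events:
        if not ok:
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= threshold}

def spread_windows(events, window=300, min_ips=20, max_per_ip=2):
    """Address-independent rule: within a fixed time window, flag when many
    distinct IPs each contribute only one or two failed logins."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, ip, _, ok in events:
        if not ok:
            buckets[ts // window][ip] += 1
    flagged = []
    for bucket, per_ip in sorted(buckets.items()):
        low_volume = [ip for ip, n in per_ip.items() if n <= max_per_ip]
        if len(low_volume) >= min_ips:
            flagged.append((bucket * window, len(low_volume)))
    return flagged

if __name__ == "__main__":
    ev = build_events()
    print("per-IP rule flags:", per_ip_flags(ev))
    print("spread rule flags (window start, distinct IPs):", spread_windows(ev))
```

The per-address rule catches only the single noisy address, while every address in the rotating pool stays under its threshold; the window-level rule flags the pool without needing any one address to look bad.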
Spur’s Findings and Consumer Protection
Internet intelligence company Spur has become one of the leading organizations tracking residential proxy networks.
According to Spur, its researchers maintain a database of known residential proxy nodes and have developed a public testing tool that allows consumers to determine whether their home internet connection appears associated with one of these networks.
Spur co-founder Riley Kilmer notes that a clean result will show “Observed Risks: Unknown,” which actually indicates no known residential proxy activity has been detected.
If risks are identified, consumers should investigate suspicious devices and applications connected to their network. Spur also warns that free VPN applications, pirated software, illegal streaming apps, and devices promising premium services at little or no cost deserve particular scrutiny.
How to Protect Yourself
Experts recommend several practical steps:
- Avoid inexpensive, unrecognized electronics from unknown manufacturers.
- Do not install apps that pay users to share internet bandwidth.
- Avoid free VPN services unless they come from reputable companies.
- Stay away from pirated software, unauthorized streaming apps, and illegal game downloads.
- Replace suspicious off-brand streaming devices and digital picture frames with products from established manufacturers.
- Periodically test your home network using reputable security tools.
- Keep devices updated with the latest firmware and security patches.
As Kilmer summarizes, “If it sounds too good to be true, it likely is.”
A Growing National Security Problem
The emerging picture is deeply concerning. Millions of ordinary consumers may unknowingly be providing the infrastructure that foreign intelligence agencies and organized cybercriminals use to conduct espionage, fraud, and attacks around the world.
Despite repeated industry takedowns of major proxy networks, researchers say the ecosystem has proven remarkably resilient. When one network is dismantled, another quickly replaces it, often using the same infected devices.
The result is a cyber battlefield that now extends into living rooms across America. The latest findings suggest the problem is no longer simply about protecting individual computers. It is about defending the nation’s digital infrastructure against an adversary that has quietly embedded itself inside millions of homes.
