Cybersecurity researchers have uncovered a Belarus-based software platform which is helping SIM farm operators support cybercrime on an “industrial scale.”

In a new report published yesterday on April 21, Infrawatch said that it had identified 87 instances of ProxySmart control panels in 17 countries and 94 phone farm locations. These farms are located across 19 US states, as well as countries in Europe and South America.

“ProxySmart is publicly associated with a Belarus-based vendor footprint and offers an end-to-end stack for operating and monetizing a physical farm, including device management, automated IP rotation, customer provisioning, plan enforcement, and anti-bot countermeasures,” the report explained.

“Technical analysis indicates operator capabilities consistent with large-scale evasion enablement, including automated IP rotation, remote device control, and network fingerprint spoofing.”

Read more on SIM farms: Government Set to Ban SIM Farms in European First.

SIM farms enable a range of cybercrime activity such as smishing, premium-rate number fraud, bot sign-ups and one-time password interception. They can also be used by nation states, with the Russian authorities using them to spread disinformation in Ukraine.

A large percentage of this ecosystem is managed by ProxySmart, effectively enabling “SIM Farm as a Service,” Infrawatch claimed.

“The platform is marketed as a turnkey solution rather than a tool intended only for highly technical operators,” the report continued.

“Its public-facing materials advertise a web interface, API, remote access, documentation, and support, presenting SIM farm deployment as a productised commercial setup rather than a specialist engineering effort. This likely lowers the technical barrier to establishing and operating mobile proxy infrastructure.”

How It Works

Sold to farm operators via a pricing model dependant on SIM count, ProxySmart provides an end-to-end platform for operating and monetizing mobile proxy infrastructure, including farm management, device control, customer provisioning, retail proxy sales, and payment handling.

It’s accessible via a web-based control panel and is typically self-hosted by the farm operator, with a reverse proxy deployed in front of the panel to disguise its location, the report claimed.

ProxySmart supports physical smartphones and USB 4G/5G modems, with the former enrolled via an unsigned Android APK downloaded from the operator’s site, and the latter managed by the open source ModemManager.

“Both device types are orchestrated by the ProxySmart backend service, which Infrawatch observed to be implemented in Python and heavily obfuscated by PyArmor,” the report continued.

IP rotation for phones is apparently enabled by automatically toggling airplane mode on/off for three seconds, forcing a reconnection to the cellular network (and reassigned egress IP).

There’s support for several tunnelling and proxy protocols including OpenVPN, SOCKS5, VLESS, and HTTP proxies, and there’s an OS spoofing feature that lets farm operators to “simulate other OS TCP fingerprints” such as macOS, iOS, Windows, and Android through the web panel.

“Infrawatch assesses this ecosystem materially lowers the barrier to operating and reselling mobile proxy infrastructure, with limited evidence of meaningful eligibility checks across many downstream providers,” the report concluded.

“The combination of carrier-grade NAT, rapid IP rotation, and multi-carrier availability reduces the effectiveness of IP-centric controls and complicates attribution at scale.”