Millions of residential IP connections in the US are collected annually for use in proxy services, with many households unaware that they may ultimately be used by threat actors, a new report has warned.
The non-profit Digital Citizens Alliance claimed in the report, Cybercrime by Doorbell, that an estimated 20 million or more connections end up as proxies, often without the knowledge of their owners.
Although proxy services were originally introduced for legitimate business-oriented data collection, such as ad verification and geo-testing of websites, they’re increasingly used by state actors and cybercriminals alike, the report warned.
“A joint investigation by the Digital Citizens Alliance, and cyber investigation firm risk3sixty, of residential proxies found a web of compromised consumer devices, disguised data centers, foreign infrastructure, and overlapping criminal operations that together represent a serious threat to national and economic security,” it claimed.
The report authors analyzed IP connections across seven proxy providers, and found 80% were linked to residential addresses and 85% had been flagged as likely associated with fraud – indicating they’re used repeatedly for cybercrime.
The researchers tracked services like Honeygain, which they said are a popular way for students to earn extra money by sharing unused bandwidth for a fee.
“Investigators observed the connections made on shared bandwidth included connections between the service and entities in China and Russia - including traffic tied to a bank sanctioned by the US Department of the Treasury,” it said.
Nearly half of the 26 million unique residential IPs tracked by the report authors over 30 days appeared across multiple proxy providers. This means that once IP addresses are acquired, they are likely shared across multiple platforms used by nefarious actors.
Around half of the 42 dark web markets reviewed in the report apparently included proxy service listings.
Digital Blood Diamonds
Although some users sign up knowingly to legitimate proxy services, many do so unwittingly after downloading fake VPN apps, or installing pre-infected devices like BADBOX, the report said.
It described the illicit use of IP connections as the “blood diamonds of the digital age”.
“The jewelers that sold blood diamonds could perhaps claim ignorance, but major players had knowledge. The same is true for residential proxies,” it argued. “The retailers who ultimately sell IP connections to businesses, state actors and cybercriminals may not have sourced the connections, but they are part of an ecosystem built on deception and crimes.”
For home users, the Digital Citizens Alliance had several recommendations to check for and prevent exploitation:
- Use IP security check tools like GreyNoise or Spur to analyze whether an IP connection is part of a residential proxy network and compromised
- Avoid streaming devices that claim to provide free content, as they may contain malware to hijack IP connections
- Be skeptical of “free” apps which may hijack connections for use in cybercrime
- Replace routers or other household devices older than 5-7 years as these will be unpatched and exposed
- Change the default admin username and password on all devices in the home
