Cybercriminals Conceal Malicious Web Traffic in Plain Sight

For years, gray-market services known as "bulletproof" hosts have been a key tool for cybercriminals seeking to maintain web infrastructure under the radar. However, as global law enforcement intensifies efforts to crack down on digital threats, investigators have developed ways to extract customer information from these hosts and are increasingly targeting the providers themselves with legal action. At the cybercrime-focused conference Sleuthcon in Arlington, Virginia, researcher Thibault Seret highlighted how this shift is driving both bulletproof hosting companies and their criminal clients to adapt.

Instead of relying solely on web hosts prone to law enforcement crackdowns, some service providers now offer purpose-built VPNs and proxy services that rotate and mask customer IP addresses. These services often keep no traffic logs, or blend a customer's traffic with traffic from many other sources. Although the technology behind VPNs and proxies isn't new, its adoption by cybercriminals as an off-the-shelf service represents a significant shift.

"The issue is you cannot technically distinguish which traffic in a node is bad and which is good," said Seret, a researcher at the threat intelligence firm Team Cymru. "That's the magic of a proxy service—you can't tell who's who." While such anonymity services are beneficial for internet freedom, they also complicate efforts to identify and counteract malicious activity.

The core challenge in addressing cybercriminal activity cloaked by proxies is that the same services have legitimate uses. Criminals have particularly leaned on "residential proxies," decentralized networks of exit nodes running on consumer devices such as old Android phones. These provide real, rotating IP addresses from homes and offices, so malicious traffic blends in with ordinary consumer activity.

By making malicious traffic appear to originate from trusted residential IP addresses, attackers can evade IP-reputation checks in organizational scanners and threat detection tools. Residential proxies provide anonymity and privacy, but they also leave the proxy provider with little control over or visibility into the traffic, which complicates law enforcement's efforts.
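Because a residential exit IP looks benign on its own, defenders have to look at behaviour rather than reputation. The following is an added example, not code from the article or from Team Cymru: it scans a constructed access log and flags sessions whose client IP hops across several networks (ASNs) within a short window, one signal of rotating residential-proxy use. The log format and ASN values are assumed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, session id, client IP, ASN of that IP.
# ASN attribution is assumed to come from a local IP-to-ASN database; values are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sess-A 203.0.113.10 AS64500
2024-05-01T10:00:40Z sess-A 198.51.100.7 AS64501
2024-05-01T10:01:15Z sess-A 192.0.2.55 AS64502
2024-05-01T10:02:03Z sess-A 203.0.113.88 AS64503
2024-05-01T10:00:05Z sess-B 198.51.100.20 AS64510
2024-05-01T10:05:00Z sess-B 198.51.100.20 AS64510
2024-05-01T10:00:09Z sess-C 192.0.2.9 AS64520
2024-05-01T10:30:00Z sess-C 192.0.2.14 AS64520
"""

def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, session, ip, asn) tuples."""
    events = []
    for line in text.splitlines():
        ts, sid, ip, asn = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sid, ip, asn))
    return events

def flag_rotating_sessions(events, window=timedelta(minutes=5), min_ips=3, min_asns=2):
    """Return {session_id: (distinct_ips, distinct_asns)} for every session that
    used at least min_ips different IPs spanning min_asns networks inside one
    sliding window. A single session legitimately changing networks (e.g. a phone
    moving from Wi-Fi to cellular) rarely crosses several ASNs within minutes, so
    hits deserve a closer look rather than an automatic block."""
    by_session = defaultdict(list)
    for ts, sid, ip, asn in events:
        by_session[sid].append((ts, ip, asn))
    flagged = {}
    for sid, rows in by_session.items():
        rows.sort()  # chronological order so the window slides forward
        for i, (start, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - start <= window]
            ips = {r[1] for r in in_window}
            asns = {r[2] for r in in_window}
            if len(ips) >= min_ips and len(asns) >= min_asns:
                flagged[sid] = (len(ips), len(asns))
                break
    return flagged

if __name__ == "__main__":
    print(flag_rotating_sessions(parse_log(SAMPLE_LOG)))
```

In the sample only sess-A trips the rule; sess-B keeps one IP and sess-C changes IP once, half an hour apart, inside the same network.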

"Attackers have been ramping up their use of residential networks for attacks over the last two to three years," notes Ronnie Tokazowski, cofounder of the nonprofit Intelligence for Good. "If attackers exploit the same residential networks as target organizations, tracking them becomes more difficult."

While proxy use in cybercrime isn't new—"fast-flux" hosting, which rapidly rotates the IP addresses behind a domain, has long been used by criminal platforms—the rise of proxies as a mainstream commercial service signals an important change. "I don't yet know how we can address the proxy issue," Seret told WIRED. "Law enforcement could target malicious proxy providers like they did with bulletproof hosts, but proxies are used by everyone, making the task complex."