19 May 2026
Qurium publishes today a new investigation showing how residential proxy networks, Android supply-chain malware, and DDoS botnets are no longer separate problems. They are now part of the same abuse economy.
Our research traces how compromised consumer devices, proxy SDKs, grey-market proxy providers, and botnet operators feed one another. KimWolf is not the story. KimWolf is the warning sign: a visible rupture in a much larger ecosystem that has turned infected homes, phones, routers, and Android TV boxes into commercial infrastructure.
We document how residential proxy providers have become one of the most serious security threats facing independent media and civil society online. These networks blur the line between “legitimate” proxy services and criminal traffic, making abuse harder to detect, attribute, and stop.
The investigation connects the evolution from Triada and BADBOX to IPIDEA-linked infrastructure, proxy monetization layers, and newer botnets such as Aisuru, KimWolf and JackSkid. What began as stealthy ad fraud and proxy resale has escalated into open abuse, DDoS attacks, intrusion attempts, and large-scale non-consensual traffic laundering.
With this publication, we are calling for an open debate about residential proxies, device harvesting, proxy SDKs, and the commercial actors that profit from opaque infrastructure. We are publishing this information because the industry’s usual answers are no longer enough. “Know your customer” language and ethical branding cannot hide the central fact: residential proxy markets are profiting from a compromised device ecosystem that is now spinning out of control.”
Read the full investigation: “The Future and Past of Residential Proxies”.
Contacts
Digital forensics: Tord Lundström <t at virtualroad.org> Technical Director
Media: Clara Zid <info at virtualroad.org> Media and Outreach Manager