31-07-2025
hCaptcha report finds most residential proxy use fuels cybercrime
The hCaptcha Threat Analysis Group (hTAG) has released a report that details widespread misuse of residential proxy networks, highlighting the extent of malicious activity linked to these services.
The study, entitled "Are All Residential Proxy Services Criminal Organisations?", draws upon several months of research into large-scale traffic across the biggest residential proxy platforms. Findings from the report suggest that between 30% and 95% of all activity passing through these networks is attributable to what the report classifies as blackhat or greyhat operations. This includes a range of abuses such as advertising fraud, manipulation of search engine results, ticket scalping, and mass spam campaigns against major web services.
Malicious activity and detection failings
hTAG's analysis asserts that legitimate activities account for a small minority of residential proxy network usage. Instead, traffic is mainly linked to illicit or abusive acts, with the report noting a particularly high concentration of such behaviour on the largest platforms observed during their research period.
The report further highlights a substantial limitation in conventional security tools, such as Web Application Firewalls (WAFs) and Content Delivery Networks (CDNs). According to the data, more than 90% of malicious requests funneled through residential proxies are not detected by these systems. The researchers suggest that this oversight allows harmful traffic to target online services largely unchallenged.
Industry structure and accountability
Another finding emphasised in the report concerns the apparent opacity of the residential proxy market. Although dozens of brands appear to offer independent services, the report claims that most resell access to just four core pools of IP addresses. This reselling behaviour, paired with layers of indirection, is said to complicate efforts to assign accountability when malicious traffic is traced to a given provider.
The report also describes an 'ecosystem' in which several proxy vendors openly promote their offerings in forums associated with cybercrime. According to hTAG, some companies in this sector maintain an appearance of legitimacy and have even secured venture capital investment. The report notes that proxy providers often source IP addresses via affiliate networks or through opt-in schemes that are not rigorously audited, with some addresses reportedly obtained from devices compromised by malware. "This is a wake-up call. Residential proxy services have long operated in a legal grey area. But our research shows that their traffic overwhelmingly serves cybercriminals, not businesses or consumers. The structure of the industry allows providers to profit from malicious activity while shielding themselves from responsibility," said a senior researcher at hTAG.
Impact on online sectors
The study outlines the wide-ranging effects of proxy network abuse across the digital landscape. The associated harms cited include ad fraud that impacts advertisers, manipulation of search engines affecting businesses' online visibility, and automated ticket purchasing that disadvantages individual consumers. The use of shared and rotating IP infrastructure makes detection and prevention particularly challenging for existing security frameworks.
Recommendations to organisations
hCaptcha recommends that organisations move away from reliance on traditional IP-based blocklists, which the company's research indicates are largely ineffective against the problems posed by modern proxy networks. Instead, they advocate for the adoption of more granular, session-level and intent-based detection methods to address these threats. According to the report, this approach offers improved protection for online services while maintaining user privacy and site performance.
Summing up the findings, the report from hCaptcha presents a detailed perspective on residential proxy networks, their current role in digital fraud, and the limitations of incumbent security strategies when confronting such abuses.
