The hidden market turning home internet connections into cover for hackers

Researchers traced millions of household IP addresses through residential proxy networks, calling the illicit use of those connections the “blood diamonds of the digital age.”
Swaths of consumer streaming devices and passive-income services are quietly turning Americans’ home internet connections into cover for cybercrime, fraud and foreign-linked hackers, according to a new investigation that found suspicious behavior from devices and apps sold through major online marketplaces.
The report from the Digital Citizens Alliance and cyber compliance firm risk3sixty focuses on residential proxy networks, which let users route their web traffic through real household internet connections.
That disguise is what makes the market valuable for cyberspies: Many threat detection tools treat home internet connections as more trustworthy than traffic from known malicious networks. When cybercriminals or state-backed hackers piggyback on those home platforms, they gain a powerful way to hide their activity, and the digital breadcrumbs trace back to an unsuspecting household.
In a hypothetical attack on a federal agency, a hacker could route their activity through ordinary home internet connections instead of foreign servers. That could make suspicious login attempts or other traffic appear to come from real U.S. homes, causing investigators to initially trace them back to unsuspecting users whose connections were used as cover.
That arrangement poses risks for unsuspecting ordinary people, DCA Executive Director Tom Galvin told Nextgov/FCW. “Because someone has gained access to your IP connection … if you’re a criminal engaging in financial fraud or distribution of [child sexual abuse material] over a residential IP connection, and you get caught, law enforcement isn’t going to the criminal, they’re going to the home.”
“You basically run the risk of having everything in your house turn into a potential exit node, and … in addition to the privacy or the IP reputation concerns, there are potential legal repercussions,” Steven Guris, risk3sixty’s threat intelligence lead, said in the same interview.
In one case, the report cited a VSeeBox V5 Pro — a TV streaming product — purchased through Walmart that connected to a server based in China when powered on. It sent detailed device information and received commands that included the ability to install or uninstall apps, reboot the device and perform a factory reset. Walmart told the researchers that the product was no longer available on its site and that the company removes listings when violations are detected.
In another, the investigators signed up for Honeygain, a service marketed to students and other users as a way to earn extra money from unused bandwidth, and monitored how the connection was used. They observed traffic involving entities in China and Russia, including traffic tied to a U.S. Treasury Department-sanctioned bank, though the researchers said they found no indication that Honeygain knew how those connections were being used. Honeygain did not provide a statement for the report.
Residential proxies are sold through websites that openly advertise proxy access, by companies that bundle home internet connections from apps or devices and resell them and, in some cases, on dark web markets with guides for using them in fraud.
The findings call the illicit use of home internet connections the “blood diamonds” of the digital age, arguing that the market lets companies profit from connections that may have been gathered deceptively.
“By the time a blood diamond reaches a jewelry store it is several layers from the forced labor that mined the gem and funded civil wars. The jewelers that sold blood diamonds could perhaps claim ignorance, but major players had knowledge,” the report says. “The same is true for residential proxies. The retailers who ultimately sell IP connections to businesses, state actors and cybercriminals may not have sourced the connections, but they are part of an ecosystem built on deception and crimes.”
The FBI has previously warned that residential proxies can be cobbled together through free virtual private networks, compromised internet-connected devices, malware and passive-income apps that route other people’s traffic through users’ home connections. The bureau has taken steps to disrupt hackers that rely on proxy networks to hide their pursuits and plans to conduct more related takedowns.
But the report suggests the problem extends far beyond individual law enforcement activity. It estimates more than 20 million U.S. IP connections are collected each year for residential proxy services. Researchers also tracked roughly 26 million unique residential IP addresses over 30 days and found that nearly half appeared across multiple proxy providers, suggesting that once a home connection enters the market, it can be resold or reused across several platforms.
The DCA is launching a public awareness campaign around the issue, Galvin said. The alliance has also been engaging with U.S. officials to discuss the matter, though he declined to name specific agencies and individuals involved.
The campaign will include public service announcements and social media videos warning about risks from free apps, unauthorized streaming devices and aging home routers, along with guidance on filing complaints with the FBI’s Internet Crime Complaint Center. The group also plans to develop a free app that would let consumers check whether their IP connection has been hijacked, he said.
“We’re not moralists, but it is our job, we think, to tell people what are the risks, so they can make intelligent decisions,” Galvin said. “We just want them to know what they’re doing and when they’re doing it.”




