Aisuru Botnet Shifts to Residential Proxies for AI Data Harvesting

The Aisuru botnet has transitioned from launching large-scale distributed denial-of-service (DDoS) attacks to operating as a residential proxy service. This strategic shift enables cybercriminals to anonymize traffic for various illicit activities, including extensive data harvesting for artificial intelligence (AI) projects. The botnet leverages a network of compromised Internet of Things (IoT) devices to mask the origins of malicious online activity, facilitating a new wave of cybercrime.

Initially identified in August 2024, Aisuru has compromised at least 700,000 IoT systems, including poorly secured routers and security cameras. The botnet was previously known for headline-grabbing DDoS attacks, which reached nearly 30 terabits per second and caused significant disruption to U.S. and European Internet service providers (ISPs). Its operators have since updated their malware to support a more consistent revenue stream through residential proxies. For instance, in June, Aisuru executed a DDoS attack against KrebsOnSecurity.com that clocked in at 6.3 terabits per second, which Google mitigated as the largest at the time.

Roland Dobbins, principal engineer at Netscout, highlighted the profound impact of sustained outbound traffic from infected Aisuru nodes. “Multiple broadband access network operators have experienced significant operational impact due to outbound DDoS attacks in excess of 1.5Tb/sec launched from Aisuru botnet nodes residing on end-customer premises,” Dobbins stated in an executive summary on Aisuru. This level of traffic can severely disrupt or degrade internet service for legitimate customers.

The Rise of Residential Proxy Services

Residential proxy services allow users to route internet communications through someone else’s device, making them appear as a regular user from a residential IP address. While these services have legitimate business applications, cybercriminals frequently exploit them to conceal activities such as advertising fraud and credential stuffing. Riley Kilmer, co-founder of spur.us, a service that monitors proxy networks, observed an “insane” growth in this area, noting, “in the last 90 days we’ve seen 250 million unique residential proxy IPs.” This unprecedented surge in available proxies is partly driven by the demand for large-scale content scraping, particularly for feeding raw data into large language models (LLMs) supporting various AI projects.

AI’s Role in Data Harvesting and Mitigation Efforts

Aggressive data collection for AI is becoming increasingly challenging to mitigate. Kilmer emphasized that AI-related scrapers often rely on residential proxies to access content behind login pages or restricted platforms. “Where the cost of data is out of reach… they’ll turn to residential proxies so they look like a real person accessing that data,” he explained. This activity has led to AI crawlers overloading community-maintained infrastructure, with some open-source projects experiencing up to 97 percent of their traffic from AI company bots. This surge increases bandwidth costs and causes service instability. Cloudflare is experimenting with “pay-per-crawl” tools to allow content creators to charge AI crawlers for access. The social media platform Reddit also sued Oxylabs and other proxy providers in October, alleging their systems enabled mass scraping despite Reddit’s protective measures.

Beyond Aisuru: Other Proxy Botnets

The proliferation of residential proxies extends beyond Aisuru. The FBI’s Internet Crime Complaint Center (IC3) warned in June 2025 about the BADBOX 2.0 botnet, which has compromised millions of IoT devices such as smart-TV boxes and digital projectors. These devices become infected either through pre-installed malicious software or by downloading malicious applications from unofficial marketplaces. They subsequently become part of proxy services used for criminal activities like large-scale ad fraud. Google filed a lawsuit in July against the alleged perpetrators of the Badbox botnet, asserting it compromised over 10 million uncertified Android devices lacking Google’s security protections.

The residential proxy ecosystem is complex, with many lesser-known services evolving into interconnected bandwidth resellers. Benjamin Brundage, founder of Synthient, a startup detecting proxy networks, explained that most proxy services utilize software development kits (SDKs) bundled with other apps, quietly modifying user devices to relay traffic. Brundage identified the “HK Network,” primarily operated by China-based IPidea, as the world’s largest residential proxy service. This network encompasses multiple brands, including ABCProxy, Roxlabs, LunaProxy, and Yilu Proxy, and aggressively recruits resellers through “free” VPN services that turn user devices into traffic relays. This model mirrors the defunct 911S5Proxy service, whose alleged owner, Yunhe Wang, was arrested in May 2024 by the U.S. Department of Justice for operating a network used in billions of dollars of financial fraud.

The shift in botnet operations towards residential proxies illustrates an evolving cyber threat landscape. This adaptation to new demands presents ongoing challenges for cybersecurity professionals and regulatory bodies worldwide.