Smartproxy.org Impersonates Our Brand And Routes Users Into IPs Tied To IPIDEA

The impersonation behind Smartproxy.org

A couple of months ago, we wrote about the broader pattern of digital squatting against our brand and others, and we recommend that piece for the wider context. This article narrows in on a single case that has now taken on a different shape, where the impersonator appears to be operating on top of infrastructure with an unusually difficult security history.

Anyone searching for our company in 2026 may still see the old name surface. We operated as Smartproxy for seven years and built a global customer base under that brand before the move to Decodo. That brand equity attracted impersonators registering smartproxy.org and smartproxy.cn, neither of which has any connection to us, our infrastructure, or our team. The lookalikes monetize traffic that was originally searching for the legitimate provider.

What used to be a customer-confusion problem has now become a security and ethics problem, and the data is public.

What researchers found

Back in February, Proxyway published a test of Smartproxy.org’s residential IP pool using a methodology that any paying user could replicate. We’re summarizing the findings because the effects run beyond our brand and reach the wider proxy industry.

How the testing worked

Proxyway purchased a standard weekly unlimited residential plan on Smartproxy.org, the same product available to any retail buyer, and sent approximately 6.96M HTTP requests through it across one week. Every request landed on an IP-checking endpoint that logged the exit address. After deduplication, the pool surfaced 2,023,029 unique IPs, with 2,019,488 IPv4 and 3,541 IPv6 addresses. The success rate sat at 90.25%, in line with what the service advertises.

To evaluate where those IPs came from, Proxyway compared the pool against a published IPIDEA reference dataset of 16,192,293 verified IPIDEA exit nodes, observed during the 30 days ending January 29, 2026. The dataset was compiled by Antoine Vastel, VP of Research at DataDome and a researcher with a long publication record on residential proxy detection. Vastel built the dataset by routing traffic through IPIDEA endpoints himself and confirming each IP as a working exit node, not by harvesting marketing claims. The breakdown sat at PyProxy 13.4M IPs, PIA S5 Proxy 2.2M, and Luna Proxy roughly 549K.

The overlap is clear

The comparison surfaced 773,087 IPs present in both pools. That equates to 38.21% of Smartproxy.org’s pool and 4.77% of the IPIDEA dataset.

To put that in context, IPinfo’s research on residential pool churn estimates monthly IPv4 retention in residential proxy pools at around 40%, meaning roughly 4 in 10 IPs visible this month will still be there next month, while the rest rotate out. Two pools sourcing IPs from genuinely independent SDKs, apps, and consumer device populations shouldn’t be expected to share anything close to 38% of their IPs across a few-week observation window. The IPv4 address space is more than 4B addresses wide. Random overlap at this scale would be a statistical anomaly. Shared sourcing, by contrast, would explain the data cleanly.

The pool-size ratio is also telling. Smartproxy.org’s 2M IP pool is roughly an eighth of the size of Vastel’s IPIDEA dataset, the proportion that fits a downstream relationship where one provider draws from a portion of a larger upstream pool. The simplest reading of the Proxyway data is that Smartproxy.org sources a substantial share of its IPs from infrastructure tied to IPIDEA.

The IPIDEA infrastructure underneath

To understand why the overlap matters, it helps to look at what IPIDEA actually was, because the takedown details published by Google in January 2026 give the clearest public picture the industry has had of how a network of this kind operates.

A network recruited without consent

On January 28, 2026, Google’s Threat Intelligence Group announced coordinated action against IPIDEA, working alongside Cloudflare, Spur, and Lumen’s Black Lotus Labs. Google described IPIDEA as one of the largest residential proxy networks in the world, with a presence reaching millions of consumer devices.

The recruitment mechanism is what made IPIDEA so effective and so dangerous. Google identified 4 SDK families controlled by IPIDEA, called Castar SDK, Earn SDK, Hex SDK, and Packet SDK, all marketed to app developers as monetization libraries that paid on a per-install basis. Once embedded in mobile or desktop applications, the SDKs enrolled the host device as a proxy exit node, often without the device owner being aware that their internet connection was now routing third-party traffic. Google identified 600+ Android applications and 3K+ Windows programs containing IPIDEA code at the time of the takedown, with some applications impersonating themselves as utilities like OneDriveSync or Windows Update.

In its announcement, Google addressed the ethical claims of the wider residential proxy industry directly, writing that while many providers state their IPs are sourced ethically, the analysis showed those claims to be often incorrect or overstated, and that many of the malicious applications studied didn’t disclose that they enrolled devices into the proxy network at all.

A 2-tier command-and-control system

IPIDEA wasn’t a loose collection of brands sharing IPs by accident. According to eSecurity Planet’s reporting on the takedown, the network ran on a centralized 2-tier command-and-control architecture. Enrolled consumer devices contacted domain-based servers in Tier 2 to send diagnostics and receive configuration. Those instructions then directed traffic to roughly 7.4K Tier 2 servers responsible for routing the actual proxy connections. Despite operating under more than a dozen brand storefronts, the entire system pulled from a single shared pool of Tier 2 infrastructure, which is what allowed researchers to confirm the brands were centrally managed rather than independently sourced.

The brand list IPIDEA controlled or was closely associated with included PyProxy, PIA S5 Proxy, LunaProxy, ABCProxy, 360Proxy, 922Proxy, Cherry Proxy, IP2World, TabProxy, Galleon VPN, and Radish VPN, among others. This is the dynamic that makes shared sourcing hard to spot from the outside. Storefronts can be relaunched, marketing pages can be redesigned, and the parent company can stay invisible, but the underlying device pool stays the same.

The threat actors using the network

During a single 7-day period in January 2026, Google’s Threat Intelligence Group observed 550+ individual threat groups using IPIDEA exit nodes to obfuscate their activity, including operators based in China, North Korea, Iran, and Russia. The activities ranged from access to victim SaaS environments and on-premises corporate infrastructure to password spray attacks at scale.

John Hultquist, chief analyst at Google’s Threat Intelligence Group, described the strategic stakes in comments to The Hacker News: “Residential proxy networks have become a pervasive tool for everything from high-end espionage to massive criminal schemes. By routing traffic through a person's home internet connection, attackers can hide in plain sight while infiltrating corporate environments.” Hultquist further told the publication that residential proxies have shown up frequently in incidents involving Russian and Chinese cyber espionage, and have been used by APT28 and Sandworm as well as Volt Typhoon. The same network has also reportedly supported the BadBox 2.0, Aisuru, and Kimwolf botnets at various points.

Google also flagged a risk specific to the device owners themselves. The Threat Intelligence Group’s analysis found that IPIDEA proxy software didn’t just route traffic out through the host device. It also routed traffic into the device, with the goal of compromising it. Put simply, if a household’s router or laptop got pulled in, it was sharing bandwidth and letting active probing happen across everything else on the local network.

The fragmentation illusion in residential proxies

One of the more useful framings to come out of the IPIDEA disclosures involves a piece of research from threat intelligence firm Sekoia, surfaced in Help Net Security’s coverage of the takedown. Sekoia’s analysts concluded that the residential proxy market is far more concentrated than its public surface suggests, with much of its apparent fragmentation amounting to an illusion.

That conclusion is reinforced by analysis published in The Web Scraping Club newsletter, which estimates that there are only around 7 truly unique residential proxy networks operating globally, despite hundreds of brands competing in the market. Most of what looks like a vibrant, competitive provider landscape is, on the back end, the same handful of underlying networks resold under different storefronts.

The effect on buyers? A constant confusion. Different providers can market themselves as completely unrelated, host their websites in different jurisdictions, advertise different country coverage, charge different prices, and still draw their IPs from the same compromised device pool.

What this means for users searching for our brand

We take the impersonation seriously because the consequences for buyers go beyond losing money to a low-quality knockoff. Anyone routed through Smartproxy.org’s pool is potentially sharing exit IPs with the same infrastructure that Google’s Threat Intelligence Group documented being used by hundreds of state-sponsored and criminal threat groups in a single observation week.

• IP reputation contamination. Anti-bot systems used by major websites maintain cross-context reputation scores for IPs. Addresses recently associated with botnet operations, password spraying, or credential abuse are more likely to be challenged or blocked even when used afterward for benign purposes. For ad verification, price intelligence, and SEO monitoring, contaminated IPs translate directly into degraded data quality and higher block rates.
• Ethical exposure. A meaningful share of IPIDEA’s exit nodes were enrolled through SDKs embedded in apps that didn't adequately disclose the proxy enrollment. Users routing through that pool are using devices whose owners didn’t knowingly agree to act as proxies, a position that carries reputational risk and can attract regulatory attention in jurisdictions with active digital consent enforcement.
• Service durability. Google’s enforcement against IPIDEA was explicitly described as a network-level disruption with downstream impact on resellers, and Google has continued enforcing through Play Protect on Android. Any service drawing on that infrastructure faces ongoing risk of pool shrinkage without warning, which is operationally untenable for any team running data collection at scale.

In our experience, the users most likely to land on Smartproxy.org are those who heard about Smartproxy years ago, didn’t learn about the rebrand, and trusted a search result that surfaced a similar-looking domain. Our public position is direct. The only places to find us are decodo.com globally and decodo.cn in China. The impersonators are using smartproxy.org and smartproxy.cn to trick users into buying low-quality proxies.

Vaidotas Juknys, CEO at Decodo, explained how we view this specific intersection of impersonation and infrastructure: “When an impersonator uses our former brand name, that’s one problem. When the impersonator is also drawing IPs from a network that Google has just publicly disrupted for facilitating cybercrime and espionage, that’s a different problem entirely. The buyer thinks they’re getting a residential proxy. What they’re actually getting may be a slot inside infrastructure that over 500 threat groups were using last week. And nobody in the web data intelligence industry should stay quiet.”

How we’re responding to the impersonation

Our response to Smartproxy.org sits across several tracks. The legal track is ongoing through the standard channels available to trademark holders. The customer-communication track involves the kind of work this article represents, where we surface the situation publicly so buyers searching for our former brand have an authoritative reference to compare against the impersonator's claims. On the product track, our long-standing ethical residential proxy sourcing and usage policy remains unchanged – something we believe should become an industry baseline.

Vaidotas Juknys, CEO at Decodo, said the industry is at a turning point – either keep treating proxy sourcing as a black box and face more public crackdowns, or move to transparent, auditable standards. “We’ve chosen transparency, and we expect customers to demand it. The Smartproxy.org case shows what happens when a name is copied, but ethics aren’t.”

Bottom line

Smartproxy.org is not connected to us – it’s an impersonator, and research from Proxyway potentially links it to infrastructure associated with IPIDEA, which Google disrupted in 2026 over serious abuse concerns. The takeaway is simple: buyers need to stay vigilant when evaluating providers, and the industry, especially cybersecurity organizations, should treat brand impersonation as a serious risk, not a side issue.