5 FEB, 2026

The Cybersecurity Express – February 4, 2026

Cybourn Media Hub

You arrive at the terminal without remembering how you got there. The schedule board flickers between languages, none of which make sense. A disembodied voice announces delays due to “unusual login activity,” followed by static. Around you, passengers wait in silence, holding tickets they didn’t purchase, glancing nervously at screens filled with CAPTCHAs they cannot solve.

A man in a badge—though no name, only a QR code—asks for your credentials. You provide them without knowing what they grant you. Somewhere behind frosted glass, keys are being rotated and access revoked. The train is coming, they tell you, but only if your session hasn’t expired. When it finally arrives—faceless, metallic, humming with audits and anomalies—you step on board. Not because you are certain it is your train, but because certainty no longer seems like a valid authentication factor.

How a “Temu-like*” Shop Purchase Almost Cost us 3000 EUR More

It all began innocently enough. My wife found a great deal on a trendy accessory from a popular low-cost Asian online marketplace. You know the kind—sleek interfaces, irresistible prices, and checkout processes that make it almost too easy to spend a few euros here and there. Within minutes of placing her order, she received the usual confirmation email. So far, so good.

But then came the second email. This one seemed to be from UPS, the courier allegedly handling her delivery. It looked official—corporate branding, polished language, even the familiar brown-and-gold logo. The message explained that her parcel was “slightly bulkier than anticipated” and an additional €1.25 would be needed to expedite the shipping. Just a minor surcharge, easily explained. What made the email especially convincing was its timing—it arrived within minutes of the purchase confirmation, creating the illusion of a seamless transaction trail.

Wanting to ensure her parcel wasn’t delayed, she clicked the link and attempted to pay. The payment failed. She tried again. And again. Eventually, she came to me, puzzled and frustrated, saying, “The payment won’t go through—even though I have enough money in my account!”

That’s when I took a closer look.

As someone who works in cybersecurity, I’ve seen plenty of phishing attempts, and this is where my mind jumped first. The page she had landed on mimicked UPS down to the pixel. But there were a few giveaways:

  • The sender’s email address had nothing to do with UPS.
  • The website URL—though cleverly disguised—had no association with UPS or any legitimate logistics domain.
  • The original shopping site wasn’t mentioned anywhere in the message, which is odd for a parcel-related update.

Being of the aforementioned profession, I ran the suspicious domain through a few threat intelligence tools. Luckily, no malware was detected—this was a pure phishing scam focused on financial fraud. But when I inspected the transaction details on the fake payment page, I found the real kicker: the payment form wasn’t trying to authorize €1.25, for which my wife had “plenty of funds”. It was attempting a transaction of over €3,000.

Suddenly, everything made sense. My wife’s card wasn’t being declined because she lacked €1.25; it was declined because she didn’t have thousands of euros available. Eager to get her parcel expedited, she had failed to notice this little detail. What can I say: “lucky” we were broke for the rest of the month. Had the hacker asked for a slightly more “believable” amount, say €150 or €200, he would have had money in his pocket…

Once we understood what had happened, we immediately blocked the card and flagged the fraudulent website. Thankfully, no money was lost. My wife was mortified. “It seemed so real,” she said. “Now that you’re pointing it out, it’s obvious. But I just wanted my package.”

And that’s exactly how these scams work. They prey on timing, trust, and emotion—excitement over a new purchase, a sense of urgency, the desire not to miss out. They strike when you’re off guard.

The Hidden Cost of Cheap

This whole experience has made us think twice about these so-called bargain marketplaces. Platforms like Shein, Temu, Shopee, and other emerging budget-friendly Asian stores may dazzle with flashy deals and Instagram-ready gadgets, but those savings often come at a hidden cost:

  • Your data privacy: These platforms may lack robust security practices, and some have been associated with sharing or selling user data.
  • Environmental concerns: Fast production and shipping of ultra-cheap goods often result in massive carbon footprints and landfill overflow.
  • Labor ethics: There have been persistent concerns about exploitative labor practices behind many of these ultra-low-cost items.

In our case, it seems the transaction information was either leaked or sold almost immediately after checkout—probably to the same cybercriminals who crafted the phishing attack. Was the online marketplace hacked, or did it deliberately sell data to the hackers to make up for the revenue lost on items it sells practically for free? It didn’t matter; the damage was done!

You don’t need to be a cybersecurity professional to stay safe from these types of scams. Here are a few essential habits and tips to avoid falling into similar traps:

  1. Stay calm and steady – Do not let your excitement get the best of you. Always treat any email you receive with due diligence.
  2. Check the sender’s email address – Don’t rely on the name that shows in your inbox; check the full address to verify it comes from a legitimate domain.
  3. Inspect URLs carefully – Always hover over links before clicking. Secure sites begin with “https://”, and domain names should exactly match official brand names.
  4. Avoid clicking links in emails – For deliveries or account issues, go directly to the company’s official website or app to verify information.
  5. Use virtual or disposable cards for online shopping – This limits the exposure of your primary bank accounts and reduces damage in case of fraud. Alternatively, always keep the bulk of your funds in a separate account, not the one the payment card is linked to.
  6. Enable two-factor authentication (2FA) – Especially on banking and email accounts, to block unauthorized access even if credentials are stolen.
  7. Set transaction alerts on your cards – Being notified instantly of charges can help you react in real time to suspicious activity.
  8. Educate your household – Scammers target everyone, not just tech-savvy professionals. A little awareness goes a long way.
  9. Use password managers – These can help ensure you never reuse passwords and can detect fake login pages.
  10. Report phishing attempts – Alert your email provider or the impersonated company. You may save others from falling into the same trap.
  11. Trust your gut – If something feels off, pause. No reputable courier will demand urgent payment through a link for €1.25.
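The three giveaways from the story (sender domain, link domain, displayed versus submitted amount) as a small checker. This is an added example, not code from the original post; the mail, the landing page and the domains in it are constructed, and ups.com is assumed to be the courier’s legitimate domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"ups.com"}  # the courier's real domain (assumption: extend per brand)

# Constructed sample mail modelled on the one in the story; sender and link are made up.
SAMPLE_MAIL = """From: UPS Customer Service <notice@parcel-update.example>

<a href="https://pay.ups-fee.example/expedite?id=42">Pay 1.25 EUR to expedite</a>
"""

# Constructed sample landing page: the visible total and the submitted amount differ.
SAMPLE_PAGE = """<form action="https://pay.ups-fee.example/charge" method="post">
<span>Total: 1.25 EUR</span>
<input type="hidden" name="amount" value="3012.40">
</form>"""

def registrable(host):  # crude eTLD+1: last two labels (fine for .com, wrong for co.uk)
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class PageScanner(HTMLParser):
    """Collects link targets, form actions and hidden fields from an HTML document."""
    def __init__(self, html):
        super().__init__()
        self.urls, self.hidden = [], {}
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        target = a.get("href") if tag == "a" else a.get("action") if tag == "form" else None
        if target:
            self.urls.append(target)
        elif tag == "input" and a.get("type") == "hidden":
            self.hidden[a.get("name", "")] = a.get("value", "")

def check_sender(raw_mail):
    """Giveaway 1: the display name says UPS, the address domain does not."""
    name, addr = parseaddr(message_from_string(raw_mail).get("From", ""))
    domain = addr.rpartition("@")[2]
    return {"display": name, "domain": domain, "legit": registrable(domain) in LEGIT_DOMAINS}

def check_links(html):
    """Giveaway 2: link and form targets whose registrable domain is not the courier's."""
    hosts = {urlparse(u).hostname or "" for u in PageScanner(html).urls}
    return sorted({registrable(h) for h in hosts} - LEGIT_DOMAINS)

def check_amount(html):
    """The kicker: the amount shown to the user versus the amount the form submits."""
    m = re.search(r"(\d+[.,]\d{2})\s*(?:EUR|€)", html)
    shown = float(m.group(1).replace(",", ".")) if m else None
    posted = PageScanner(html).hidden.get("amount")
    posted = float(posted) if posted else None
    return shown, posted, (None not in (shown, posted) and abs(shown - posted) > 0.005)
```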

Cybersecurity isn’t just a professional concern—it’s a household one. Today’s scams are more believable and more targeted than ever, especially when fueled by the vast troves of personal data floating around online marketplaces. What appears to be a minor surcharge for a parcel may actually be a Trojan horse for financial theft.

Next time you’re tempted by an “unmissable” online deal, remember: if the price seems too good to be true, the real cost might show up in your inbox shortly after.

Disrupting the World’s Largest Residential Proxy Network: Inside the IPIDEA Takedown

Google’s Threat Intelligence Group (GTIG) and partners recently executed a coordinated operation against what they assess to be the world’s largest residential proxy network, operated under the IPIDEA umbrella. The effort combined legal action, technical disruption, and platform-level enforcement to degrade a sprawling infrastructure that quietly hijacked millions of consumer devices as proxy exit nodes for cybercrime and espionage.

How Residential Proxy Networks Work

Residential proxy services sell access to IP addresses assigned by ISPs to home users and small businesses, letting customers route traffic through ordinary consumer devices to conceal the true origin of their activity. Operators need code running on these devices to enroll them as exit nodes, either via preloaded software on uncertified hardware or via trojanized applications that embed proxy functionality in seemingly benign apps.

In the IPIDEA ecosystem, users were often not clearly informed that installing such apps effectively turned their phone, PC, or set-top box into a relay for third‑party traffic. Some users were enticed with “monetize your unused bandwidth” schemes, while others unknowingly joined the network after installing utilities, games, or “free VPN” software. Once enrolled, the device’s network bandwidth and IP address were sold to paying customers, including a wide range of threat actors.

GTIG’s telemetry showed that these residential proxies were extensively abused for:

  • Accessing victim SaaS environments and on‑prem infrastructure.
  • Large‑scale password spraying and account takeover attempts.
  • Command-and-control (C2) for botnets and information operations.

In a single week in January 2026, more than 550 tracked threat groups—including actors linked to China, DPRK, Iran, and Russia—used IPIDEA exit nodes to mask their operations.

The IPIDEA Brand Web and SDK Monetization

Google’s analysis concluded that multiple ostensibly independent proxy and VPN brands were controlled by the same operators behind IPIDEA. These included, among others:

  • 360 Proxy (360proxy.com)
  • 922 Proxy (922proxy.com)
  • ABC Proxy (abcproxy.com)
  • Cherry Proxy (cherryproxy.com)
  • Door VPN (doorvpn.com)
  • Galleon VPN (galleonvpn.com)
  • IP2World (ip2world.com)
  • Ipidea (ipidea.io)
  • Luna Proxy (lunaproxy.com)
  • PIA S5 Proxy (piaproxy.com)
  • PY Proxy (pyproxy.com)
  • Radish VPN (radishvpn.com)
  • Tab Proxy (tabproxy.com)

The same operators also controlled software development kits (SDKs) explicitly designed to be embedded into other apps, not run standalone. These SDKs—Castar SDK (castarsdk.com), Earn SDK (earnsdk.io), Hex SDK (hexsdk.com), and Packet SDK (packetsdk.com)—were marketed as monetization components for Android, Windows, iOS, and WebOS. Developers integrating them were typically paid per download.

Once an SDK was integrated, any app using it would silently enroll the device into the IPIDEA proxy network as an exit node, in addition to whatever its “real” functionality was. Prior research had already shown off-brand Android Open Source Project devices (e.g., cheap set-top boxes) shipping with hidden residential proxy payloads.

Two-Tier Command-and-Control Architecture

Static and dynamic analysis of SDK-embedded apps and standalone SDK binaries revealed a two-tier C2 model that coordinated proxy nodes and routed traffic.

Tier One: Bootstrap and Tasking Metadata

At startup, the SDK contacts one of several Tier One domains, sending device diagnostics either as HTTP GET query parameters or via HTTP POST body, depending on the SDK and domain. The payload includes:

  • OS information (os=android)
  • SDK version (v=1.0.8)
  • Device serial or unique ID (sn=…)
  • Device tag / model (tag=OnePlus8Pro…)
  • Affiliate or customer key (key=cskfg9TAn9Jent)
  • Application identifier (n=tlaunch)

Example request:

os=android&v=1.0.8&sn=993AE4FE78B879239BDC14DFBC0963CD&tag=OnePlus8Pro%23*%2311%23*%2330%23*%23QKR1.191246.002%23*%23OnePlus&key=cskfg9TAn9Jent&n=tlaunch

The Tier One response is a JSON document specifying:

  • Scheduling parameters (e.g., schedule, thread, heartbeat)
  • The IP addresses of Tier Two nodes to poll
  • Node metadata such as network type and port pairs for connect/proxy operations

Example response:

{"code":200,"data":{"schedule":24,"thread":150,"heartbeat":20,"ip":[redacted],"info":"US","node":[{"net_type":"t","connect":"49.51.68.143:1000","proxy":"49.51.68.143:2000"},{"net_type":"t","connect":"45.78.214.188:800","proxy":"45.78.214.188:799"}]}}
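A parser for the Tier One exchange above, written as an added example (not GTIG’s or the SDK’s code) for defenders who want to recognise the beacon in proxy logs and pull the Tier Two pairs out of a captured response. The request hostname is a placeholder; the query string and the response are the ones quoted above, re-typed with straight quotes and the redacted field kept as a marker. The meaning of the tag sub-fields is an assumption.

```python
import json
from urllib.parse import parse_qs, urlparse

# Parameter names of the Tier One beacon described above.
BEACON_KEYS = {"os", "v", "sn", "tag", "key", "n"}

# Constructed request URL: the hostname is a placeholder, the query string is the one quoted above.
SAMPLE_REQUEST = ("http://tier-one.invalid/report?os=android&v=1.0.8"
                  "&sn=993AE4FE78B879239BDC14DFBC0963CD"
                  "&tag=OnePlus8Pro%23*%2311%23*%2330%23*%23QKR1.191246.002%23*%23OnePlus"
                  "&key=cskfg9TAn9Jent&n=tlaunch")

# The response quoted above with straight quotes; the redacted value is kept as a string marker.
SAMPLE_RESPONSE = ('{"code":200,"data":{"schedule":24,"thread":150,"heartbeat":20,'
                   '"ip":"[redacted]","info":"US","node":['
                   '{"net_type":"t","connect":"49.51.68.143:1000","proxy":"49.51.68.143:2000"},'
                   '{"net_type":"t","connect":"45.78.214.188:800","proxy":"45.78.214.188:799"}]}}')

def parse_beacon(url):
    """Return the beacon fields if the URL carries all six Tier One parameters, else None.
    Matching on the parameter set rather than the hostname also covers {random}-label domains."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if not BEACON_KEYS <= set(q):
        return None
    # The tag packs several values with a '#*#' separator; by the look of the sample these are
    # model, Android version, API level, build id and vendor (assumption, not documented).
    q["tag"] = q["tag"].split("#*#")
    return q

def tier_two_nodes(response_text):
    """Extract the (connect, proxy) IP:port pairs a Tier One response hands out,
    which is what a blocklist or a flow monitor needs from this exchange."""
    doc = json.loads(response_text)
    return [(n["connect"], n["proxy"]) for n in doc.get("data", {}).get("node", [])]

def polling_profile(response_text):
    """Scheduling knobs (schedule, thread, heartbeat) that shape the node's traffic pattern."""
    data = json.loads(response_text).get("data", {})
    return {k: data.get(k) for k in ("schedule", "thread", "heartbeat")}
```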

Tier Two: Direct Proxy Control

Tier Two servers are provided as connect and proxy IP:port pairs. The device periodically sends encoded JSON over TCP to the connect port to poll for tasks:

{"name": "0c855f87a7574b28df383eca5084fcdc", "o": "eDwSokuyOuMHcF10", "os": "windows"}

When a task is issued, Tier Two responds with a fully qualified domain name (FQDN) and a connection ID, for example:

www.google.com:443&c8eb024c053f82831f2738bd48afc256

The SDK then connects to the proxy port on the same Tier Two server, sends the connection ID (e.g., 8a9bd7e7a806b2cc606b7a1d8f495662|ok), and begins proxying arbitrary TCP payloads between the Tier Two node and the destination host. The payload itself is forwarded unmodified.

GTIG identified roughly 7,400 Tier Two nodes in active rotation, dynamically scaled based on demand and distributed globally, including within U.S. infrastructure.
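The Tier Two messages above, and the flow-monitoring advice in the mitigations section, as an added example that is not part of the original article or of any GTIG tooling: parsers for the poll message and the task line, plus a check over flow records that flags an internal host which talks to both the connect and the proxy port of the same Tier Two node. The flow records are constructed; the node pairs are the ones from the Tier One response quoted earlier.

```python
import json
import re
from collections import defaultdict

# 'fqdn:port&<32-hex connection id>', the task format quoted above.
TASK_RE = re.compile(r"^(?P<host>[^:&\s]+):(?P<port>\d{1,5})&(?P<conn_id>[0-9a-f]{32})$")

# Tier Two pairs as handed out by the Tier One response quoted earlier.
NODES = [("49.51.68.143:1000", "49.51.68.143:2000"),
         ("45.78.214.188:800", "45.78.214.188:799")]

# Constructed flow records (src_ip, dst_ip, dst_port), as a NetFlow or firewall log would give.
FLOWS = [("10.0.0.5", "49.51.68.143", 1000),   # polls the connect port ...
         ("10.0.0.5", "49.51.68.143", 2000),   # ... then opens the proxy port: exit-node pattern
         ("10.0.0.7", "49.51.68.143", 1000),   # connect port only: suspicious, not yet conclusive
         ("10.0.0.9", "203.0.113.10", 443)]    # ordinary HTTPS to a documentation-range address

def parse_poll(message):
    """Decode the JSON a node sends to the connect port; None unless it has the three fields."""
    try:
        d = json.loads(message)
    except ValueError:
        return None
    return d if isinstance(d, dict) and {"name", "o", "os"} <= set(d) else None

def parse_task(line):
    """Split a task into (host, port, connection id); None if the line is not a task."""
    m = TASK_RE.match(line.strip())
    return (m["host"], int(m["port"]), m["conn_id"]) if m else None

def find_exit_nodes(flows, nodes):
    """Internal hosts seen on both the connect and the proxy port of the same Tier Two node."""
    ports = {}
    for connect, proxy in nodes:
        ip, cport = connect.rsplit(":", 1)
        ports[ip] = {int(cport), int(proxy.rsplit(":", 1)[1])}
    seen = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports.get(dst, ()):
            seen[(src, dst)].add(dport)
    return sorted({src for (src, dst), p in seen.items() if p == ports[dst]})
```

A host that only ever touches the connect port (10.0.0.7 in the sample) is worth a look too, but the paired connect-then-proxy pattern is the one that matches the SDK behaviour described above.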

Infrastructure Overlaps Across SDK Families

Each SDK family used distinct Tier One C2 domains, but analysis showed all funneled into the same Tier Two pool. Examples include:

  • PacketSDK: http://{random}.api-seed.packetsdk.xyz/.net/.io
  • CastarSDK: dispatch1.hexsdk.com, plus multiple hash-based .com domains
  • HexSDK: downloads redirecting to castarsdk.com, indicating identical payloads
  • EarnSDK: domains such as holadns.com, martianinc.co, okamiboss.com, plus numerous hash-like domains and a .uk domain associated with the earlier BadBox2.0 botnet litigation.

These overlaps confirmed that the apparently separate monetization brands were part of a single, tightly coordinated residential proxy infrastructure.

Trojanized Software on Windows and Android

GTIG and partners identified 3,075 unique Windows PE file hashes making DNS queries to Tier One domains during dynamic analysis. Among these were:

  • Monetized proxy exit-node software (PacketShare).
  • Trojans impersonating legitimate binaries such as OneDriveSync and fake Windows Update components.

On the Android side, over 600 applications across multiple download sources (beyond official app stores) contained code invoking Tier One C2 endpoints. These apps generally offered benign functionality—utilities, content apps, games—but quietly integrated monetization SDKs that enlisted devices into IPIDEA’s proxy network.

IPIDEA operators also distributed free VPN-branded apps—such as Galleon VPN and Radish VPN—that did provide VPN-like behavior but simultaneously turned devices into exit nodes via embedded Hex or Packet SDK logic, without clear disclosure.

Risks to Compromised Users

For end users, becoming an exit node poses both security and reputational risks. Because attack traffic is routed through their IP address, their accounts or home network may be flagged, rate-limited, or blocked by services detecting abuse. Worse, proxy software that both sends and receives unsolicited traffic can expose local devices on the same LAN, effectively punching a hole in the home firewall and making internal services reachable from the public internet. GTIG confirmed that IPIDEA’s software did not merely forward traffic but also accepted inbound traffic destined to the device, expanding the attack surface of the host and its network.

Google’s Disruption Campaign

The takedown effort involved several coordinated actions:

  • Domain seizures and legal measures to neutralize C2 and marketing domains associated with IPIDEA’s brands and SDK infrastructure.
  • Platform protections for Android, where Google Play Protect now automatically warns users, uninstalls known IPIDEA‑linked apps on certified devices, and blocks future installation attempts of apps embedding these SDKs.
  • Industry collaboration with Spur, Lumen’s Black Lotus Labs, Cloudflare, and other partners to map the ecosystem and disrupt DNS resolution for key domains, hindering both C2 and commercial operations.

GTIG estimates that these actions reduced the available pool of residential proxy devices by millions, causing substantial degradation of IPIDEA’s network capacity and business operations. Given the practice of proxy providers reselling each other’s device pools, the impact likely propagates across multiple affiliated brands in the broader residential proxy “gray market.”

Takeaways and Mitigations

From a defensive perspective, the operation highlights several priorities:

  • Treat “bandwidth sharing” and monetization SDKs as high‑risk; organizations should restrict such apps via MDM, EDR application control, and store allowlists.
  • Monitor for traffic to known Tier One domains and anomalous outbound TCP flows to unusual IP:port pairs, particularly where internal devices act as unsolicited intermediaries.
  • For consumers, stick to reputable app stores, avoid apps that pay for “unused bandwidth,” and verify devices (e.g., Android TV boxes) are Play Protect certified when possible.

Google has published a comprehensive Indicators of Compromise (IOCs) collection for registered GTI users to assist defenders in hunting for IPIDEA-related activity. While this disruption severely weakened one of the largest residential proxy networks to date, the underlying business model remains attractive to both operators and threat actors—meaning defenders should expect similar infrastructures to persist and evolve.

This wraps up today’s issue. Wherever you are out there in the digital world just stay safe, install the latest patches and keep a watchful eye out for anything that might want to deceive you. Thank you so much for being a wanderer on The Cybersecurity Express and we look forward to welcoming you on board the next time.

* Disclaimer: Mentioning a “Temu-like” shop does NOT mean that this purchase was made on Temu, nor that something similar would happen should you purchase on Temu. In our context, “Temu-like” means any Asian-owned online shop that sells extremely cheap items. This choice of words is because Temu is the most famous Asian-owned shop that many people know of. We never shopped on Temu and do not know anyone who did and had a similar experience. We do not intend to tarnish such a store’s reputation. Should Temu find this use of their name inappropriate, we will redact the article if notified.
