threat_intelligence413 wordsRead on Arc Codex

Internet Integrity Workshop III: Residential Proxies and Infected Infrastructure

The GCA Internet Integrity Program convened the Internet Integrity Workshop III on 18 May 2026 at the Edinburgh International Conference Centre, under the Chatham House rule. The session brought together network operators, Internet Service Providers (ISP) engineers, security researchers, threat intelligence providers, and members of the Internet coordination community from across Europe, Asia, North America, and Latin America. This new report, “Internet Integrity Workshop III: Residential Proxies and Infected Infrastructure,” examines the proceedings and strategic analysis of the event. The workshop examined one of the most significant and rapidly growing threats to Internet infrastructure: abuse of residential proxy networks, which have grown to an estimated 100–200 million exit nodes globally, generating aggregate capacity in the hundreds of terabits per second. These networks — built on compromised consumer devices, supply-chain-implanted malware, and uninformed Software Development Kit (SDK) consents — are increasingly used for AI training and are enabling attacks that range from credential stuffing to nation-state intelligence gathering. There was strong consensus among the participants that the most scalable mitigation lever is not cleaning up infected devices — an unworkable problem at the scale of hundreds of millions — but disrupting the control plane: the concentrated infrastructure that connects exit nodes to paying customers. For commercial proxy networks, this means targeting the small number of back-connect relay operators (approximately 6–8 globally) that aggregate exit-node pools; for malware botnets, it means targeting the command-and-control (C2) servers that coordinate infected devices. Both are technically feasible, deployable via standard routing mechanisms, and economically compelling once framed correctly. This report summarizes the workshop discussions and identifies five possible longer-term directions for the community that flow directly from the workshop findings. These represent areas where sustained, collective effort — across operational, research, policy, and civil society actors — is needed to produce a durable change. | Key Findings at a Glance | | |---|---| | The Scale 100–200M residential exit nodes globally; hundreds of Tbps aggregate capacity; growing rapidly since late 2024, driven by AI demand. | The Control Plane The scalable mitigation lever is not infected devices but the concentrated control plane: ~6–8 back-connect relay operators for commercial proxies; C2 servers for botnets. | | The ISP Lever Security arguments haven’t moved ISPs. A financial case — ISPs are giving bandwidth away to commercial proxy operators — is the most actionable engagement lever. | The Critical Gap No public, dynamic resource identifying control-plane infrastructure exists. This is explicitly identified as the single most critical missing operational resource. |

How it works

Once you click Generate, Ollama reads this article and crafts 5 comprehension questions. Your answers are graded against the article content — general knowledge won't be enough. Score 70+ to count toward your certificate.

Questions are cached — you'll always get the same 5 for this article.