Infoblox finds residential proxy traffic in most firms

Fri, 12th Jun 2026

Infoblox has published research showing that more than 65% of its enterprise customers made queries to domains linked to residential proxy networks, indicating that such traffic is already common in business environments.

The study, conducted by Infoblox Threat Intel with Synthient, drew on billions of DNS resolutions and network telemetry across the customer base. It expanded on earlier work on the Kimwolf botnet, which found that roughly 25% of customers had the Kimwolf domain on their networks.

Residential proxies route internet traffic through consumer devices, including home routers, mobile phones, internet-of-things devices, and systems running software that includes proxyware. This can make traffic appear to come from an ordinary user rather than a datacentre. The feature can be used for lawful activities such as web scraping or access to geographically restricted content, but also by attackers seeking to evade fraud controls and reputation-based filtering.

For companies, the issue lies as much in the source of the traffic as in the traffic itself. If a third party detects harmful activity coming from an organisation's IP space, that organisation may be treated as the source, creating reputational, legal, and operational risks.

Rising traffic

Monthly queries to residential proxy domains rose from nearly 400 billion in January 2025 to more than 500 billion in April 2026, an increase of about 25% over 16 months.

Infoblox linked part of that rise to AI-related web scraping, in which operators use residential proxies to make automated traffic appear to come from ordinary consumers. These services often enter corporate environments through widely used applications and devices rather than clearly malicious software.

Free virtual private network services, streaming apps, screensavers, productivity apps, and low-cost connected devices were among the common routes identified in the research. Users may agree to the underlying terms without fully understanding that their systems can then be used as part of a proxy network.

The data suggests the issue is not confined to one or two sectors. At least 40% of customers in every industry vertical showed residential proxy-related DNS activity.

Some sectors recorded much higher rates. More than 90% of pharmaceutical and food and beverage customers showed the traffic, while the figure was above 60% for government and banking customers.

Security burden

Beyond the direct exposure, proxy-related traffic can generate heavy alert volumes for security teams, increasing the workload for defenders already dealing with large numbers of warnings and limited resources.

Infoblox argued that the problem is often hard to spot because the traffic may be tied to ordinary consumer software and devices rather than malware that would attract immediate scrutiny. As a result, organisations may not know whether residential proxy services are present in their networks, how they arrived, or what risks they create.

Dr Renée Burton commented on the implications of the findings.

"Residential proxies allow an external party to leverage your resources to commit crime and wreak havoc on the internet using your reputation and IP address identity. In most cases, these access points are technically created with user consent through the acceptance of software terms and conditions. But details are often buried in legalese, many pages into a document. Policy makers need to look at the dangers residential proxies pose to the internet, requirements for informed consent, and the role proxy service providers should play in preventing abuse. Enterprises need a multipronged approach to tackle the threat today, one of which should be protective DNS to control connections to unwanted proxy services," said Dr Renée Burton, Vice President of Infoblox Threat Intel at Infoblox.

The findings add to a broader debate over accountability for traffic routed through consumer devices and software. They also highlight a challenge for companies whose networks may be participating in proxy activity without the knowledge of end users or security teams.

Infoblox's earlier Kimwolf research had already indicated that residential proxy activity was present in business networks. The latest analysis suggests the scale is far wider, with related DNS activity now visible across a majority of the company's enterprise customer base.

The research was based on customers using Infoblox Threat Defence Cloud. Within that group, more than 65% showed residential proxy-related DNS activity in 2026, and every industry segment examined recorded a rate of at least 40%.