17 million devices for rent: tracing a residential-proxy botnet from one cracked game

I got bored on a forum doing arithmetic on ‘millions of residential IPs’, ended up reverse-engineering a botnet’s C2 from one infected phone, and reported it. The whole messy thread — and where it led.

June 26, 2026 · 14 min · Vitalii Zaiats

From a proxy pool's torrents to a booby-trapped game

I chased a residential proxy pool’s own download habits down to one cracked driving game, and found a build that’s a confirmed ad-fraud carrier hiding an encrypted payload I still can’t prove is proxyware.

May 31, 2026 · 8 min · Vitalii Zaiats

Coordinated disclosure: CCTV cameras selling their owners' bandwidth

How I passively fingerprinted hacked Dutch CCTV cameras being resold as residential proxy exit nodes — and reported them to NCSC-NL without ever touching a single box.

April 15, 2026 · 5 min · Vitalii Zaiats

The iOS proxy ghost: why you can't find an iPhone in a residential pool

Turns out the iPhone on every proxy provider’s landing page is the one device that basically can’t be in the pool — and that absence is exactly what makes a real iOS fingerprint a trustworthy “human here” signal.

April 3, 2026 · 4 min · Vitalii Zaiats

TCP-fingerprinting 300K residential proxy IPs: 98% are Linux

Probed 319,706 residential-proxy exits by their TCP SYN fingerprints — 98% Linux, two kernel defaults covering 70%+, MSS leaking the real link, and a handful of big ISPs — showing the “real user devices” are mostly a rack of Linux boxes.

March 26, 2026 · 4 min · Vitalii Zaiats