
  • Writer: Patrick Duggan
  • a few seconds ago
  • 4 min read

# The Residential Proxy Network the FBI Won't Name. We Have 1,360 IOCs.


On March 12, 2026, the FBI issued advisory PSA260312. The subject: criminal actors and nation-state operators are systematically abusing residential proxy networks to conduct cyberattacks while appearing to originate from ordinary household internet connections — Comcast in Ohio, Spectrum in Florida, BT in the UK.


Your firewall doesn't flag those.


We started indexing this infrastructure in February. By the time the FBI published the advisory, we had 1,360 indicators from a single cluster already in our feed.


## Why Residential Proxies Are Dangerous



Most threat intelligence is built around datacenter IP reputation. When an attack comes from AWS, DigitalOcean, or Linode, your firewall recognizes the ASN and applies risk scoring accordingly. Datacenter traffic carrying malicious patterns gets flagged or blocked.


Residential proxies route traffic through real consumer IP addresses — devices in actual homes on actual broadband subscriptions. The traffic carries the reputation of those households. There is no datacenter ASN to block. The IP looks identical to a legitimate user browsing from their living room couch.


Attackers buy access to these networks through proxy resellers. Some are legitimate commercial services that consumers unknowingly enrolled in via "free" apps. Some are botnets — compromised routers and home devices operated without the owner's knowledge. PSA260312 identifies both categories as active abuse vectors for credential stuffing, network reconnaissance, phishing infrastructure hosting, and command-and-control relay.


The FBI's advisory warns organizations to stop treating residential IP space as implicitly trusted. Most have not yet received that message.


## The Cluster We Found



Starting February 13, 2026, our PreCog V2 novel domain detection began flagging a family of domains with a distinctive construction: web-proxy-[number].[Italian or French word].in.net.


The naming convention is deliberate obfuscation. The domain names are built from European vocabulary that sounds technical and plausible — fortezzablu (Blue Fortress), fortezzarossa (Red Fortress), vittoriastrada (Victoria Street), bleusoleil (Blue Sun), vitasicura (Safe Life). The numbers in the subdomain suggest legitimate proxy infrastructure. The .in.net TLD is registered through a private registrar with minimal enforcement and very low legitimate domain density, making it cheap to register in bulk.


By March 19, we had catalogued the following active infrastructure:


web-proxy-88.fortezzablu.in.net — first seen March 14

web-proxy-99.vittoriastrada.in.net — first seen March 13

web-proxy-12.bleusoleil.in.net — first seen March 14

web-proxy-v.vitasicura.in.net — first seen March 14

web-proxy-alt.fortezzarossa.in.net — first seen March 15

web-proxy-808.acustica-v.in.net — first seen March 18

web-proxy-707.faser-tech.in.net — first seen March 19


One entry stood out: https://web-proxy-88.fortezzablu.in.net/verification.google. The /verification.google path is the same pattern used by phishing infrastructure to add apparent legitimacy — it is not a real Google verification endpoint. The page title or redirect makes it look like a Google-affiliated service. Victims who check the URL see a recognizable path component and don't dig further.


Total cluster size in our index: 1,360 indicators across the full web-proxy family.


## The .coupons Connection



Three days before the proxy cluster began appearing, our PreCog sweep flagged signal.clint9vargo.coupons — the Signal-impersonating phishing domain linked to Russian intelligence QR code campaigns documented in PSA260320.


The domain is using the same TLD strategy. Both signal.clint9vargo.coupons and internal-web-proxy.plum5parcel.coupons (indexed February 16, three days after the Signal domain) were registered under .coupons — a TLD that legitimate businesses rarely use, that carries no default browser warnings, and that has a very high malicious-to-legitimate ratio relative to its small registration base.


The same actor, or the same infrastructure operator, was standing up Signal phishing infrastructure and residential proxy relay infrastructure within the same 72-hour window in February. They are using the same TLD playbook across campaigns.


We wrote about the Signal campaign separately. The IOC predated PSA260320 by 35 days. This one predated PSA260312 by 25 days.


## What This Means for Detection



The FBI's advisory is correct about the threat but cannot solve the detection problem for you. The problem is structural: residential IP reputation is clean by definition, so you cannot block based on reputation alone.


What you can block is the infrastructure behind the proxy. The web-proxy-XX.[word].in.net domains are not residential IP addresses — they are the command-and-control and relay infrastructure that routes the traffic. If your DNS filter or SIEM blocks those domains, you block the relay chain before the residential IP ever appears in your logs.


Our STIX feed carries all 1,360 indicators from this cluster. If you are pulling our feed, your users could not have resolved those domains. The traffic never reaches your logs wearing a residential IP disguise, because the relay itself is blocked upstream.


## How PreCog Caught It



Our Novel Domain Detector flags newly registered domains that match three criteria: low-to-no legitimate traffic history, brand-impersonation or infrastructure-impersonation naming patterns, and registration through TLDs with elevated malicious density relative to legitimate registrations.


The .coupons and .in.net TLDs both carry high malicious density flags in our model. The web-proxy-[number] subdomain pattern matches infrastructure-impersonation — it looks like legitimate enterprise proxy infrastructure but carries no associated organization. The novel domain alert fires, the indicator gets indexed, and it enters the STIX feed within the hour.
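As an added example (not code from DugganUSA or the PreCog detector), the following Python classifier applies the two observable signals this post describes: the web-proxy-[label].[word].in.net construction from the cluster section, and the high-density suffix and brand-lookalike path heuristics (the /verification.google path on a non-Google host). The suffix set, the brand token set, and the verdict labels are assumptions constructed for this example; a traffic-history check would need data the page does not provide and is left out.

```python
import re
from urllib.parse import urlsplit

# Suffixes the post describes as carrying high malicious density.
# Constructed set for this example; a deployment would take these from its own model.
HIGH_DENSITY_SUFFIXES = {"in.net", "coupons"}

# Brand tokens that, appearing in a URL path on a host that is not that brand,
# suggest a lookalike path such as /verification.google. Constructed set.
BRAND_TOKENS = {"google", "microsoft", "apple", "signal"}

# The naming construction described in the post: web-proxy-<label>.<word>.in.net
WEB_PROXY_RE = re.compile(
    r"^web-proxy-(?P<label>[a-z0-9]+)\.(?P<word>[a-z0-9-]+)\.in\.net$"
)


def _host_and_path(target):
    """Accept a bare hostname or a full URL and return (lowercased host, path)."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat the leading token as the netloc
    parts = urlsplit(target)
    host = (parts.hostname or "").lower().rstrip(".")
    return host, parts.path


def matched_suffix(host):
    """Return the high-density suffix the host falls under, or None."""
    for suffix in HIGH_DENSITY_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def lookalike_path(host, path):
    """True when a brand token sits in the path but the host does not carry that brand."""
    lowered = path.lower()
    return any(brand in lowered and brand not in host for brand in BRAND_TOKENS)


def assess(target):
    """Classify one hostname or URL; returns the host, a verdict and the reasons."""
    host, path = _host_and_path(target)
    construction = WEB_PROXY_RE.match(host)
    suffix = matched_suffix(host)
    reasons = []
    if construction:
        reasons.append(
            f"web-proxy construction (label={construction['label']}, word={construction['word']})"
        )
    if suffix:
        reasons.append(f"high-density suffix .{suffix}")
    if lookalike_path(host, path):
        reasons.append(f"brand token in path {path!r} on a non-brand host")
    # The naming construction alone is enough to block; the other two signals
    # are weaker on their own and only raise the host for review.
    if construction:
        verdict = "block"
    elif reasons:
        verdict = "review"
    else:
        verdict = "clean"
    return {"host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for sample in (
        "https://web-proxy-88.fortezzablu.in.net/verification.google",
        "signal.clint9vargo.coupons",
        "www.example.com",
    ):
        print(assess(sample))
```

The brand check deliberately compares the token against the host, not against a registrable-domain list, so `accounts.google.com/signin` stays clean while a path containing `google` on an unrelated host is raised; that is the distinction the /verification.google entry above turns on.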


That is why we had 1,360 IOCs from this cluster before the FBI published a single-sentence advisory about the general category.


## What to Do



Pull our STIX feed and import the web-proxy cluster into your DNS filter and SIEM: analytics.dugganusa.com/api/v1/search?q=web-proxy+fortezzablu


Block the .in.net web-proxy subdomain pattern at your DNS resolver. The pattern is web-proxy-[number].[word].in.net. No legitimate enterprise infrastructure uses that naming convention.


Treat .coupons TLD traffic to anything other than known coupon retailers as anomalous. In our index, the malicious-to-legitimate ratio for .coupons exceeds 90%.


For organizations with mature threat intelligence programs: cross-correlate this cluster with your February and March log data. If these domains appear in your DNS query logs, you have an endpoint that was in contact with proxy relay infrastructure. That endpoint needs investigation regardless of whether the source IP looked residential.
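The four steps above, as an added example that is not the DugganUSA feed client: a STIX 2.1 bundle (constructed here with placeholder ids and three of the domains named in this post; the valid_from dates are illustrative) is reduced to a domain blocklist, constructed DNS query log lines are scanned for feed hits, for the web-proxy naming pattern, and for .coupons queries outside an assumed retailer allowlist, and the blocklist is emitted as DNS RPZ records. The log layout, the allowlist and the RPZ record shape are assumptions.

```python
import json
import re

# Constructed STIX 2.1 bundle standing in for the feed the post describes. The ids are
# placeholder UUIDs made for this example; only the domain values come from the post.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2026-03-14T00:00:00Z",
         "pattern": "[domain-name:value = 'web-proxy-88.fortezzablu.in.net']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2026-03-13T00:00:00Z",
         "pattern": "[domain-name:value = 'web-proxy-99.vittoriastrada.in.net']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "valid_from": "2026-02-10T00:00:00Z",
         "pattern": "[domain-name:value = 'signal.clint9vargo.coupons']"},
    ],
})

# Single-domain STIX comparison expression; compound patterns need a full evaluator.
DOMAIN_PATTERN_RE = re.compile(r"^\[domain-name:value\s*=\s*'([^']+)'\]$")
# Naming construction the post recommends blocking: web-proxy-<label>.<word>.in.net
WEB_PROXY_RE = re.compile(r"^web-proxy-[a-z0-9]+\.[a-z0-9-]+\.in\.net$")
# Assumed allowlist of known coupon retailers (constructed placeholder entry).
COUPON_ALLOWLIST = {"example-coupons.coupons"}


def domains_from_stix(bundle_json):
    """Step 1: reduce a STIX bundle to the set of indicated domain names."""
    blocklist = set()
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        match = DOMAIN_PATTERN_RE.match(obj.get("pattern", "").strip())
        if match:
            blocklist.add(match.group(1).lower().rstrip("."))
    return blocklist


def classify_query(qname, blocklist):
    """Steps 2 and 3: name the rule a queried domain trips, or None if it trips none."""
    if qname in blocklist:
        return "feed-indicator"
    if WEB_PROXY_RE.match(qname):
        return "web-proxy-pattern"
    if qname.endswith(".coupons") and qname not in COUPON_ALLOWLIST:
        return "coupons-anomaly"
    return None


# Constructed DNS query log in an assumed "<timestamp> <client-ip> <qname> <qtype>" layout.
DNS_LOG = """\
2026-02-16T09:14:02Z 10.20.4.17 internal-web-proxy.plum5parcel.coupons A
2026-03-14T11:02:55Z 10.20.4.31 web-proxy-88.fortezzablu.in.net A
2026-03-15T08:41:10Z 10.20.7.9 www.example.com A
2026-03-18T17:25:44Z 10.20.4.31 web-proxy-808.acustica-v.in.net AAAA
2026-03-19T12:00:01Z 10.20.9.2 example-coupons.coupons A
"""


def scan_dns_log(log_text, blocklist):
    """Step 4: return one hit per log line whose queried name trips a rule."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip it rather than abort the whole scan
        qname = fields[2].lower().rstrip(".")
        reason = classify_query(qname, blocklist)
        if reason:
            hits.append({"time": fields[0], "client": fields[1],
                         "qname": qname, "reason": reason})
    return hits


def endpoints_to_investigate(hits):
    """Distinct source endpoints that queried relay or phishing infrastructure."""
    return sorted({hit["client"] for hit in hits})


def rpz_records(blocklist):
    """Emit RPZ records that return NXDOMAIN for each feed domain and its subdomains."""
    records = []
    for domain in sorted(blocklist):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    return records


if __name__ == "__main__":
    feed = domains_from_stix(STIX_BUNDLE)
    hits = scan_dns_log(DNS_LOG, feed)
    for hit in hits:
        print(hit)
    print("investigate:", endpoints_to_investigate(hits))
    print("\n".join(rpz_records(feed)))
```

RPZ records express exact names and leftmost wildcards, so the feed domains go into the zone as written, but the web-proxy-[number].[word].in.net construction has its variable part in the middle and cannot be written as an RPZ wildcard without blocking all of in.net; that rule is therefore applied in the log scan (or in a resolver that supports regex policies), which also gives you the endpoint list the last step asks for.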


## Our Feed



We track residential proxy infrastructure, C2 relay chains, and novel domain registrations across all active threat actor clusters.


STIX feed (free): analytics.dugganusa.com/api/v1/stix-feed


Search the cluster directly: analytics.dugganusa.com/api/v1/search?q=web-proxy+in.net


Register: analytics.dugganusa.com/stix/register


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo.


Her name was Renee Nicole Good. His name was Alex Jeffery Pretti.


The cheapest, fastest, most accurate threat feed on the internet. 275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor's sales demo.

