The Proxy Ghost: IPCola’s Network Feeds on User Devices Covertly
The launch of the IPCola service on underground forums in 2023 initially appeared to be yet another proxy marketplace, but the scale of the advertised address pool and the origins of its traffic quickly led Synthient Research to a far more intricate scheme. Their investigation revealed that the platform is tied to a network built atop third-party applications and devices, where users’ traffic is quietly transformed into a source of revenue without their knowledge.
IPCola operates without identity verification, accepts cryptocurrency payments, and offers access to an expansive range of proxies. Yet the crucial element of the infrastructure was not the marketplace itself, but the domains referenced in its technical records. Reverse-mapping the IP addresses guided researchers to a resource known as Gaganode, which promotes decentralized bandwidth monetization. The visual similarity between the two platforms’ interfaces and their shared domain connections strengthened suspicions of a close relationship.
Gaganode provides developers with tools to embed its module into virtually any application, including Android-based devices and inexpensive TV boxes. Once installed, the module gains the ability to receive and relay traffic, while network administrators can remotely issue commands to the devices. According to Synthient Research, this functionality effectively turns connected nodes into a centrally managed network—resembling malicious control far more than a legitimate commercial proxy mechanism.
The Gaganode module has been discovered preinstalled on certain Chinese-manufactured TV boxes, where it appears alongside other covert monetization tools. It is also found in older versions of free Windows applications and on websites distributing pirated software. This distribution strategy allows the network of nodes to expand rapidly, even if individual devices remain active only intermittently.
Researchers were particularly intrigued by the overlap between IPCola’s domain records and those of InstaIP, a service geared toward the Chinese market. Combined with the absence of user verification and active promotion on grey-market forums, this suggests that IPCola was designed as an outward-facing storefront for overseas buyers. Synthient Research remains confident that both services are linked to the Chinese company NuoChen Technology, which offers traffic-transit services and appears to leverage its infrastructure as broadly as possible.
By Synthient Research’s estimates, IPCola generates roughly 1.6 million unique IP addresses per week, many of them originating from devices in India, Brazil, and across South America. Overlaps between the address pools of various proxy platforms indicate that multiple embedded modules may run concurrently within a single application, blending networks together and further obscuring their origins. The story of IPCola illustrates just how deeply the proxy market can depend on opaque and ethically dubious methods of assembling address pools.