← field notes

Where Residential Proxies Really Get Their IPs

Somewhere right now there is an ordinary family home. A couch, a router blinking in the corner, a normal internet bill paid every month. And quietly, through that router, traffic is flowing out that nobody in the house knows anything about.

A stranger on the other side of the world is loading websites, scraping prices, and signing up for accounts, and to every one of those sites it looks exactly like a real person sitting on that family’s couch. The family has no idea. That house is what the industry calls an exit node, and to understand how do residential proxies work, you have to follow the wire all the way back, from the website that trusts that connection to the supply chain that turned a stranger’s home into a doorway.

What a residential proxy actually is

A proxy is just a middleman for your internet traffic. Instead of a request going straight to a website, it goes to the proxy first, and the proxy passes it along, so the website sees the proxy’s address instead of the real one. That part is simple and old.

The interesting word is residential. A residential proxy is one whose address belongs to a real home internet connection, handed out by a normal consumer provider to a normal household. You are not borrowing a server in a data center. You are borrowing an actual home, and that distinction is the entire product.

Why a home address looks so trustworthy

Websites do not treat all addresses equally. Addresses that belong to data centers are easy to spot, because the blocks they live in are publicly labeled as commercial hosting, and almost no real customers browse from inside a server farm. Traffic from a data center carries a quiet note that says probably automated, treat with suspicion.

A home connection carries the opposite note. It says here is a real household, a real customer, a real person who pays a real bill. That borrowed reputation, built up by an innocent family over years of ordinary browsing, is what gets rented out. The address has done nothing wrong, which is exactly why it works.

So where do the addresses come from

This is the question almost nobody asks, and it is the heart of the whole thing. These companies sell access to millions of real home connections all over the world. They do not own those homes. They did not run a cable to any of them.

So how does a proxy company end up able to route a stranger’s traffic through your router? The answer is that somewhere, on some device inside that home, a piece of software is running that agreed to let it happen. The entire industry rests on that one quiet fact.

The SDK hidden inside a free app

The most common path looks completely innocent. A developer builds a small free app: a flashlight, a wallpaper changer, a simple game, a file converter. Building and running an app costs money, and a free app earns nothing directly.

So a company offers the developer a deal. Bundle our small piece of code, our software development kit, into your app, and we will pay for every device that installs it. Once that SDK is inside the app and running on a phone, it can quietly use that phone’s connection as an exit node for someone else’s traffic. The user downloaded a flashlight. They also, without ever feeling it, became part of a global proxy network. The developer is paid per install. The host is paid nothing.

In most cases, technically, the user did agree. When you install one of these apps, you tap through a wall of terms, and somewhere in that wall there is usually a line. It might say the app uses your device to support its free service, or that you allow your bandwidth and network resources to be shared, or some softer phrasing that means the same thing.

Legally, that line is often enough. Practically, almost nobody reads it, almost nobody understands it, and almost nobody would agree to it if it were written in one plain sentence on the install screen. The consent exists, but it is consent in name. The gap between what was technically agreed and what was actually understood is where this entire business lives.

It is not only phone apps. Browser extensions can carry the same kind of code, which means the browser someone trusts as their private window can itself be relaying other people’s traffic in the background. There is a particularly sharp irony in the free VPN corner: people install a free VPN precisely because they want privacy, and some free ones pay for themselves by doing the exact opposite, turning their users into exit nodes and selling that access on.

The spectrum from clean to murky

It would be unfair to paint the whole industry one color, because there is a real spectrum. At the clean end are paid panels: networks where people knowingly sign up, are told clearly that their connection will be used, and are paid for it, sometimes in cash, sometimes in app credits or an unlocked premium feature. That is genuine, informed, compensated consent, and there is nothing hidden about it.

At the murky end is the buried bundled consent above, where the agreement is technically present but practically invisible. In between sits a wide grey zone of disclosures that are real but vague, payments that go to a developer the user never thinks about, and chains of resellers where the original source of an address gets harder and harder to trace. The further a customer sits from the original household, the easier it becomes to not ask the uncomfortable question.

Follow the money and it becomes a layered supply chain. At the bottom is the host, the real person whose connection is used. Above them is the app, extension, or VPN that planted the code. Above that is the company that aggregates millions of devices into a network, then the brokers and resellers who package it into a clean product with a dashboard and a price list. At the top is the customer, who just wants reliable home addresses and rarely asks where they came from.

How sites still fight back

So the addresses look perfect. Does that mean the websites lose? Not really. Detection has moved past simply asking whether an address looks residential.

Defenders watch reputation, because even a genuine home address builds a history, and an address that suddenly serves thousands of strange requests starts to look wrong no matter what label it carries. They watch volume, because a single home connection has a natural shape to its day, and when a network pushes the traffic of dozens of paying customers through one address, that shape breaks: requests arrive around the clock, for unrelated services, at a rate no household would ever produce. And they watch behavior, because the way automated traffic moves and clicks and fills forms rarely matches the messy rhythm of an actual person. A perfect address is only the first signal, and it is rarely the one that decides things.

The cost to the unwitting host

Now stand in the family’s living room, because they carry a real cost they never agreed to. When a stranger’s traffic flows out through your connection, it goes out under your address and your name.

If that traffic does something abusive, scraping aggressively, attacking a login page, committing fraud, the trail leads back to your home first. Your address can land on blocklists, so sites you actually use start treating you as suspicious, and in rare cases the activity can draw far more serious attention. The host did nothing wrong by any normal measure. They installed a flashlight. But the consequences land on the connection, and the connection has their name on it.

This is the ethical knot at the center of the subject. Consent that is technically given but practically invisible is a strange kind of consent. The host is not a victim in the legal sense, because somewhere they tapped agree, but they are not a willing participant in any honest sense either, because no one explained what they were agreeing to in words they would actually read. The clean end of the industry proves the model can be honest, and that is exactly what makes the murky end so hard to defend.

Someone is always the exit node

Step back and look at the whole shape of it. Every time traffic appears to come from a real home, a real home really is involved. The trust those addresses carry is real, the people whose connections carry that trust are real, and most of them have no idea they are part of it.

The supply chain is built to keep it that way, layer by layer, until the living room at the bottom disappears from view. There is no traffic without an exit, and no exit without a node, and the node is almost always a stranger who tapped agree on something they never really read.

The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.

watch
The Hidden Internet on YouTube

Every field note starts as a short documentary. Watch the systems in this piece explained on screen.

subscribe →
read on
More field notes

The rest of the series on how the modern internet detects, tracks, and sorts the traffic that reaches it.

browse the archive →