
Your Home Devices Are Being Turned Into Proxies for the AI Industry

 


Your phone, your TV, your router, anything in your home with an internet connection can be put to work crawling the web for the AI industry, and nothing on the device says it is happening. Some of that traffic is harmless scraping. Some of it is not, and it leaves under your IP address either way, so it traces back to you. It’s called a residential proxy.

I came across it through the smart TV story this morning. Researchers had taken apart the software inside some free smart TV apps and found it quietly turns the television into a relay, using the home connection to pull web pages for a data company that resells that access to the AI industry. One question stuck with me. What if it does not stop at one device? So I went digging, and it does not stop there, not by a long way.

The idea behind a residential proxy is simple. When a device loads a website, it goes there directly. A residential proxy puts someone else’s traffic in the middle, sending it out through a real home connection so it reaches the website looking like a normal person at home.

A company wants to pull thousands of pages off a site, fast, over and over. The site does not want that and tries to block it. It can tell when requests come from a data center, the warehouses where companies rent servers by the rack, and filters from Cloudflare and DataDome shut those out fast. So the company routes its requests through home connections instead. A request coming from a home internet line on a quiet street gets waved through as a real visitor. That is what makes the traffic look human, and that is what the buyers pay for.

The device doing the relaying has a name. It is the exit node, the last point the traffic passes through before it reaches the target site, and the target only ever sees that exit node, not the buyer who paid for the job or the home it actually ran through.

This was a small, quiet business for years. AI changed the size of it. Models get trained and kept current by reading enormous amounts of the open web, and the sites with the richest material are the same ones working hardest to keep automated readers out. Pushing that reading through millions of homes is how it gets back in, made to look like ordinary visitors. The largest provider in this market now runs on hundreds of millions of dollars a year, most of it driven by AI demand.

A device becomes an exit node in one of three ways. They run from fully legal to outright criminal, and the home ends up doing the same work in all three.

The first way is the one people sign up for. A row of apps pays a few dollars a month for a slice of a home connection. Honeygain, IPRoyal Pawns, PacketStream, Peer2Profit, Traffmonetizer, EarnApp. Install one, leave it running, and it sells the bandwidth nobody is using to whoever is buying. The signup pages talk about sharing and earning. They say very little about the buyers. Researchers at Trend Micro set up a few of these exit nodes and recorded what came through. Plenty of it was ordinary browsing. A real chunk of it was traffic nobody would want tied to their own address. And one of those apps, EarnApp, is owned by Bright Data, the company at the center of the smart TV case, which pulls IPs in through its own app and through code sitting inside other companies’ apps at the same time.

The second way takes no real yes from anyone. The relaying code sits buried inside an app that looks like something else. Researchers found 28 apps on the Google Play Store, with millions of downloads between them, that turned phones into exit nodes the moment they were installed. The kit behind it paid app makers by how much traffic ran through their users, and it was sold openly, hacking forums included.

The third way needs no agreement at all. The device is simply hacked. An operation called BadBox 2.0 reached more than ten million cheap, no-name Android devices, the bargain TV boxes, tablets and projectors that sell for next to nothing. The malware was loaded before the box left the factory, or it slipped in during setup, and after that the device relayed for criminals with no sign of it anywhere on screen. It is not the same crew as the Kimwolf botnet I wrote about earlier, but the two crossed paths. The people running Kimwolf broke into BadBox’s control panel and quietly added themselves as a user, which handed them a way into all those devices on top of the two million they already ran.

Bought, hidden, or hacked, it ends in the same place. A home connection doing someone else’s work, under an address that belongs to the household.

Networks like that do get hit. In late May 2026 the Dutch police and the national cyber agency NCSC took down one of the biggest, around 17 million infected devices relaying through roughly 200 servers standing in Dutch data centers. It is one of the larger proxy takedowns on record, and it ran straight through the Netherlands. The network behind it is the same one those 28 apps had been quietly feeding.

A word on who gets blamed for these things. In security, attribution is one of the hardest problems there is. An IP address can be faked, tools get passed around between groups, and even the language left inside the code can be planted on purpose. What we can be sure of is how something works, not always who is behind it.

Researchers took the software inside these apps apart, and the gap between what it promised and what it did is hard to miss. The opt-in screen on one TV app said it would use the device occasionally. The settings it actually loaded said this:

max_bw_monthly_wifi : 200 GB per month
ignore_screen_on    : true
ignore_on_call      : true

Occasionally meant up to 200 gigabytes a month. The two lines under it kept the relaying running while someone was watching the screen, and while someone was on a call.

When the app starts, it opens a line to one of the company’s servers and holds it open. Down that line come the jobs. Fetch this page. The device fetches it through the home connection, sends the result back, and waits for the next one.

That line has almost nothing guarding it. A proper secure connection makes both sides prove who they are first, with a key or a signature that cannot be faked. This line skips that step. The server accepts the device without proof, and the device trusts the server back the same way. Researchers measured the protection on it as weaker than what ordinary malware puts on its own traffic.

On iPhones it gets sharper. A VPN is meant to wrap all of a device’s traffic in one protected tunnel, so nothing slips out around it and the real connection stays hidden. The smart TV code carries a setting that pins its own traffic to the physical network link, the actual wifi or mobile connection, which sends it straight past the VPN tunnel. Someone who switched on a VPN to stay private has this one stream going out in the clear, under the home IP, and the tools that normally watch traffic never see it leave.

While it runs, the device keeps reporting on itself, the battery level, whether the screen is on, whether someone is on a call, so the server knows the right moment to hand it work. The same setup ties a household’s phone, laptop and desktop together into one identity.

None of this is new for the company behind it. That hidden line still carries an older name on its security certificate, the digital ID that proves which server is on the other end. The name is Luminati. That was the brand this same outfit used back in 2015, when it was caught selling the bandwidth of Hola’s free VPN users. One buyer used those home connections to knock the message board 8chan offline. The price back then sat around twenty dollars a gigabyte. Same method, new name, now aimed at AI.

Almost none of this was hidden. The consent box said occasionally while the software was set to two hundred gigabytes. Meta and X both dragged the company behind the TV case into court over scraping, and both times the company walked away the winner, with judges agreeing that collecting public data this way is legal. The FBI listed the devices at risk in a public notice, down to the screens added to cars. And when Google pulled apart one of the criminal versions of these networks, its own researchers said the industry’s promise that those home connections were signed up fairly is often wrong or overstated. The side with the power acts. The home carries it.

One fair point before the practical part. Legal and criminal are not the same thing here, even when the result looks identical. Selling your own bandwidth on purpose is a choice a person is allowed to make. Code hidden in an app with nothing disclosed is deception. A device hacked before it was ever bought is a crime. And a company named in a config file is not proof that its app ships this today, only that there was an arrangement at some point.

Some of this has tightened since the research came out. Google, Amazon and Roku have clamped down on the kind of background code that does this, and Bright Data dropped those platforms. Samsung’s Tizen and LG’s webOS are still on the company’s list, which means those smart TVs are still in reach.

It can be caught at home, and the sign is almost always the same. A device sending a steady stream of data out while nobody is touching it. A television left off for hours has no honest reason to push hundreds of megabytes onto the internet. A phone resting on the table overnight should be close to silent.

Most home routers have a page that lists traffic per device, and many keep a running total of what each one sends and receives. Open it late in the evening, when the house is quiet, and read down the list. The device with steady outgoing traffic while the household sleeps is the one to question.

For a closer look, a free tool called Wireshark, run on a laptop, shows the actual connections a device makes and where they go. Normal traffic comes in bursts, busy when someone is using the device and quiet when they are not. Relay traffic behaves differently. It reaches out to the same small set of unfamiliar servers around the clock, steady, whether anyone is home or not. That pattern, constant outgoing chatter to addresses that have nothing to do with what the device is for, is the thing to learn to recognise.
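The difference between bursty and steady traffic can be put into numbers. The sketch below is an added example, not code from the research or from any router vendor: it scores each device on how much it uploads during a quiet window, in how many time buckets it is active, how even the stream is, and how few remote addresses it talks to. The record layout, the device names, the thresholds and the sample rows are all assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records for one quiet window (01:00-05:00), one row per
# 30-minute bucket: (device, bucket index, bytes sent out, remote address).
# Addresses come from documentation ranges (RFC 5737); none are real.
def build_sample():
    rows = []
    for b in range(8):
        # TV: switched "off", yet it uploads in every bucket to the same two hosts.
        rows.append(("living-room-tv", b, 40_000_000 + (b % 3) * 2_000_000,
                     "203.0.113.10" if b % 2 else "203.0.113.11"))
    # Phone: one backup burst, otherwise silent.
    rows.append(("phone", 2, 90_000_000, "198.51.100.7"))
    # Laptop: asleep, two small keep-alives.
    rows += [("laptop", b, 4_000, "192.0.2.20") for b in (0, 5)]
    return rows

def score_devices(rows, buckets=8, min_bytes=50_000_000,
                  min_duty=0.8, max_cv=0.5, max_remotes=5):
    """Flag devices whose quiet-hours upload is steady rather than bursty.

    All thresholds are illustrative assumptions; tune them per household.
    """
    out = defaultdict(lambda: [0] * buckets)
    remotes = defaultdict(set)
    for dev, bucket, sent, remote in rows:
        out[dev][bucket] += sent
        remotes[dev].add(remote)
    report = {}
    for dev, series in out.items():
        total = sum(series)
        duty = sum(1 for v in series if v > 0) / buckets  # share of active buckets
        avg = mean(series)
        cv = pstdev(series) / avg if avg else 0.0          # low value = even stream
        suspicious = (total >= min_bytes and duty >= min_duty
                      and cv <= max_cv and len(remotes[dev]) <= max_remotes)
        report[dev] = {"total": total, "duty": duty, "cv": round(cv, 2),
                       "remotes": len(remotes[dev]), "suspicious": suspicious}
    return report

if __name__ == "__main__":
    for dev, result in sorted(score_devices(build_sample()).items()):
        print(dev, result)
```

The phone uploads more in a single burst than the threshold, but it is active in only one bucket, so only the television is flagged.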

Once it is visible, a few habits take care of most of the risk:

  • → Block the relay at the router. The smart TV channel reaches back through a small set of web addresses, and a tool like Pi-hole or NextDNS stops it in a few minutes:

      proxyjs.brdtnet.com
      proxyjs.luminatinet.com
      proxyjs.bright-sdk.com
      clientsdk.bright-sdk.com
      clientsdk.brdtnet.com

  • → Go through the free apps and free VPNs on each device and ask what the maker gets back. When there is no clear answer, the answer is usually the connection itself.

  • → Leave the cheap no-name streaming boxes that promise free channels on the shelf. That deal often gets paid with the home network instead of money.

  • → On any device that allows it, find the background data or network sharing setting and switch it off.

  • → Keep firmware and apps updated, and clear out the ones nobody uses.
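Blocking those addresses also leaves a trail, because the DNS log shows which device in the house keeps asking for them. The following is an added example, not part of the original post or of Pi-hole itself: it reads dnsmasq-style query lines, the shape Pi-hole writes, and reports which client looked up the hostnames listed above. The log layout is an assumption, and the sample lines, client addresses and timestamps are constructed.

```python
import re
from collections import defaultdict

# Hostnames listed in the article for the smart TV relay channel.
RELAY_HOSTS = {
    "proxyjs.brdtnet.com", "proxyjs.luminatinet.com", "proxyjs.bright-sdk.com",
    "clientsdk.bright-sdk.com", "clientsdk.brdtnet.com",
}

# Assumed log shape: "<date> <daemon>: query[<type>] <name> from <client>".
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+: query\[(?P<type>\w+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$")

# Constructed sample log; every address and timestamp is made up.
SAMPLE_LOG = """\
Jun  2 02:10:01 dnsmasq[812]: query[A] proxyjs.brdtnet.com from 192.168.1.40
Jun  2 02:10:01 dnsmasq[812]: forwarded proxyjs.brdtnet.com to 192.0.2.53
Jun  2 02:10:09 dnsmasq[812]: query[AAAA] ClientSDK.Bright-SDK.com. from 192.168.1.40
Jun  2 02:11:30 dnsmasq[812]: query[A] example.org from 192.168.1.22
Jun  2 02:12:44 dnsmasq[812]: query[A] notproxyjs.brdtnet.com.example.net from 192.168.1.22
Jun  2 03:40:12 dnsmasq[812]: query[A] proxyjs.luminatinet.com from 192.168.1.40
"""

def normalise(name):
    """Lower-case and drop the trailing root dot so the comparison is exact."""
    return name.rstrip(".").lower()

def relay_lookups(log_text, hosts=RELAY_HOSTS):
    """Return {client: {hostname: [timestamps]}} for exact hostname matches."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if not m:
            continue  # forwarded/reply lines and anything else that is not a query
        name = normalise(m["name"])
        if name in hosts:  # exact match, so look-alike names are not counted
            hits[m["client"]][name].append(m["ts"])
    return {client: dict(names) for client, names in hits.items()}

if __name__ == "__main__":
    for client, names in relay_lookups(SAMPLE_LOG).items():
        for name, stamps in sorted(names.items()):
            print(f"{client} asked for {name} {len(stamps)}x, first at {stamps[0]}")
```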

A lot of people will read this and think their VPN has them covered, and it does not. The traffic that relays for someone else is built to go around a VPN and still leave under your real home address, because that home address is exactly what the buyer is paying for. And a free VPN is often the very thing that signed the device up, the way Hola sold its free users through Luminati, now called Bright Data, and the way most of those 28 apps worked.

Most of this is bigger than any one person can do anything about. The deals get signed between companies, the code ships inside ordinary apps, and the law leans toward the side doing the collecting. What a home controls is a small piece. It is a real piece though, and learning to read your own network is worth far more than not knowing. The rest keeps running, in millions of living rooms, where nobody agreed to any of it, while almost nobody is watching.

A device gets turned into an exit node. The traffic it carries is built to look normal, the line feeding it the work has almost no protection, and the owner is left with no sign of it.

Sources: Include Security | Google Cloud Threat Intelligence | FBI IC3

 


By Bulls Eye

Jolanda de Koff

My name is Jolanda de Koff and on the internet, I'm also known as Bulls Eye. Ethical Hacker, Penetration tester, Researcher, Programmer, Self Learner, and forever n00b. Not necessarily in that order. Like to make my own hacking tools and I sometimes share them with you. "You can create art & beauty with a computer and Hacking is not a hobby but a way of life ...

I ♥ open-source and Linux