Proxidize copycats, a story of greed & international crime syndicates.

The backstory

 
Proxidize started dealing with copycats from day one. I remember, just a few months after launching the alpha of Proxidize MPM (Mobile Proxy Maker) in 2019 (before it was even called Proxidize), Discord users telling me that they were getting PMs from an account trying to sell them a cheaper copy of Proxidize, labelled as a “Proxidize alternative”. It’s always the same thing: some person or company takes the open source tools we created and tries to sell them as if they were a cheaper version of Proxidize MPM.
 
We never paid attention to any of them as they would come and go every few months. I’ve seen more than 20 different services try to copy Proxidize, and none of them exist today. Once in a while, we would hear about a user that fell for the scam, but there was nothing we could do about it except for warning our users.
 
We initially thought it was a bunch of unsophisticated scammers trying to make a quick buck, until a few months ago, when we heard about a tragedy. An ex-Proxidize user who had fallen for one of these scams was now being investigated by their local law enforcement for cyber crimes. After digging deeper, we realized that they had used one of the copycat tools, which included a backdoor that turned their machine into a member of a botnet used to commit cyber crimes.

How serious is this?

 
This triggered our curiosity to dig further and find out who exactly is behind this, and we found something unexpected. This was not just any scammer, but a cybercriminal syndicate based out of Russia and China that specifically targeted users who were attempting to make their own mobile proxies.
 
It did not make sense at first. It’s not that difficult to acquire botnet clients using brute force or any of the shady Pay-Per-Install services, especially for multi-national criminals. So why was this group targeting such a niche and difficult-to-reach audience? We believe it is because the industry for botnet proxies is getting much more competitive, especially for high-quality and high-availability mobile proxies that would be impossible to acquire using other methods, since all sellers share the proxies between their users. Even more so now, after the shutdown of popular botnet proxy services such as rsocks[.]net and vip72.
 
But still, before announcing this, we needed concrete evidence, and it didn’t take us much to get it.
 
We reached out to them posing as potential clients, requesting that they help us make our own mobile proxies. It all went smoothly until they wanted to lock us out of the host device. Then we noticed them installing a backdoor using a VPN client. This would give them complete root access to the machine and all the proxies.
 
But still, not concrete evidence, so we started monitoring all the traffic to see what was happening. And lo and behold, it only took a few hours for us to see all sorts of ecommerce traffic, which meant one of two things. Either this group really liked shopping on western ecommerce sites, or they were carding. Sadly, and to my disappointment, it was the latter.

Figure: DNS/TLS/CDN requests sent to amazon.com & its servers while attempting carding.

We looked into the traffic, and once we realized it was using stolen credit cards, we shut the whole thing off. Carding is the process of using stolen credit card details to purchase items on the web to be later resold. Carding is by far the most common financial internet crime, and is an incredibly serious offence in the eyes of any law enforcement agency.
 
Our device was now officially a part of their botnet, and we didn’t wait any longer to see anything else. We took a few traffic snapshots (containing only the headers, without exposing any data) to identify their command and control servers, and we disabled the machine immediately.
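An added example, not Proxidize’s own tooling, of the kind of egress review described above: it parses a constructed connection log (hypothetical format, placeholder hostnames and addresses) for a host that should only talk to its vendor, surfaces every other destination, and flags repeated connections on a non-web port, which is what a VPN-client tunnel to an outside party looks like on the wire.

```python
"""Egress review for a host that should carry only its own proxy traffic.
Added example (not Proxidize code); the log format is hypothetical:
"<epoch> <src_ip> <dst_ip>:<port> <sni>", one TLS connection per line."""
from collections import defaultdict

# Constructed sample: RFC 5737 documentation addresses, placeholder names.
SAMPLE_LOG = """\
1700000000 10.0.0.5 198.51.100.10:443 license.proxy-maker.example
1700000005 10.0.0.5 203.0.113.7:1194 gw.vpn-provider.example
1700000065 10.0.0.5 203.0.113.7:1194 gw.vpn-provider.example
1700000125 10.0.0.5 203.0.113.7:1194 gw.vpn-provider.example
1700000130 10.0.0.5 192.0.2.20:443 www.shop.example
1700000131 10.0.0.5 192.0.2.21:443 checkout.shop.example
"""
# Destinations the operator expects from this host (the vendor's own
# endpoints); anything else is surfaced for manual review.
EXPECTED = {"license.proxy-maker.example"}


def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[2]:
            continue
        dst_ip, port = parts[2].rsplit(":", 1)
        records.append({"ts": int(parts[0]), "src": parts[1], "dst": dst_ip,
                        "port": int(port), "sni": parts[3]})
    return records


def summarize(records, expected=EXPECTED):
    """Connection count, first/last seen and ports per unexpected SNI."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None, "ports": set()})
    for r in records:
        if r["sni"] in expected:
            continue
        s = stats[r["sni"]]
        s["count"] += 1
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = max(s["last"] or r["ts"], r["ts"])
        s["ports"].add(r["port"])
    return dict(stats)


def tunnel_candidates(records, min_hits=3, expected=EXPECTED):
    """SNIs hit repeatedly on a non-web port: long-lived tunnel or beacon."""
    return sorted(sni for sni, s in summarize(records, expected).items()
                  if s["count"] >= min_hits and not s["ports"] <= {80, 443})
```

On a real host the same review runs over whatever your capture or proxy logs emit; the allowlist is the part you must build from what the software legitimately needs.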

Who are these people?

Using the information we had just gathered, we started reaching out to more services to try to reverse engineer their entire operation. We found operators in Russia, China, Vietnam, and Thailand, along with a few mules that they would use to promote their services in the UK, the US, and India.
 

We found out that they operated five different services under different names and with different geographical focuses. Some of those were VPN-based Android apps that copied Proxidize Android; others were more like replicas of Proxidize MPM-OP (Mobile Proxy Maker – On-Premise), requiring modems. Some of them were even listed on GitHub to look like open source tools, when all there was on the GitHub pages was the binaries.

 
This group might be sophisticated, but they are not immune. So much so that during our investigation, which lasted a few months, one of their top-performing Android clients was taken down from the Google Play Store and its website was deleted. We’re not sure what exactly caused this, but we believe it might be associated with the FBI takedown of the previously mentioned botnet proxy service. However, they have other mobile proxy clients on the Play Store, and we expect them to rebrand and launch that client again soon.
 
 
The moral of the story is that if you want to install any sort of application on your network, you need to understand that you have a responsibility towards yourself and everyone you share your office or home with. Especially if it’s an anonymous service run out of Russia or China that wants you to install a network application on your device. Common sense alone could have prevented this group from spawning.
 
We will keep collecting as much information about this group as possible, knowing that eventually and like all criminals, they will be taken down.

What is Proxidize doing about this?

Our only concern was protecting our users; after all, we invented this segment. However, we were advised by our legal partners to do nothing and stay out of it, as it was not really our business — if an adult chooses to knowingly or unknowingly install any sort of malware on their machine, it’s impossible for us to prevent it.
 
But we couldn’t do that. It’s not in our DNA to see people who are in need of a proxy tool fall prey to such animals. Even though we know very well that merely mentioning this will scare away some of our own users, Proxidize cannot stand by and watch as our market gets attacked by fraudsters — which is why we will double down on making open source tools, starting with Proxidize Android, which is now called Proxidize Android Legacy, a 100% open source application. You can find the app on our GitHub page: https://github.com/proxidize

What should you do now?

If you’re a Proxidize user, you have absolutely nothing to worry about. Not only do we take the security of all our users incredibly seriously; Proxidize hardware and software also get constant cyber security audits to ensure that we are always providing top-tier security to all our users.
 
At the end of the day, there is little we can do as Proxidize to combat this kind of crime, and it is unfortunate for us to hear these stories. But we will keep doing everything we can. Our mission is to develop the best product, and we are happy that our 1,000+ users can use Proxidize successfully and safely.
Abed
Abed is the cofounder of Proxidize, the author of PROXY KNOW, and a proxy networks developer since 2015.