https://jan.wildeboer.net/2025/04/Web-is-Broken-Botnet-Part-2/

Botnet Part 2: The Web is Broken

Jan Wildeboer
Posted: 2025-04-19

I guess you have all heard about the growing problem of AI companies trying to aggressively collect whatever data they can get their hands on to train their models. This has caused an explosive surge in web crawlers relentlessly hitting servers big and small. But who runs these crawlers? Turns out -- it could be you!

1. Those stealthy botnets - How I found out about a not so new class of botnets
2. The Web is Broken - Certain companies recruit app developers to create botnets by injecting "network sharing" SDKs into their apps. These botnets then use the network bandwidth of unsuspecting users of said apps to crawl the web, brute-force mail servers and other nasty things.

So there is an (IMHO) shady market out there that gives app developers on iOS, Android, macOS and Windows money for including a library in their apps that sells users' network bandwidth. Infatica^1 is just one example; there are many more.

I am 99% sure that these companies cause what effectively are DDoS attacks by aggressive AI crawlers, which many webmasters have had to deal with for months. This business model should simply not exist. Apple, Microsoft and Google should act.

[Image: From the Infatica SDK page, explaining how app developers can make money by including the Infatica SDK]

What these companies then sell to their customers is network access through the devices/PCs that have an app with this SDK installed^2.
They are proud to tell you how you can funnel your (AI) web scraping etc. through millions of rotating, residential and mobile IP addresses. Exactly the pattern we see hitting our servers.

[Image: Infatica claiming they have millions and millions of IP addresses to hand to you]

[Image: What I would call "infected users" are called "residential IPs" in this specific market]

There are many

Now, again, this company is just one of many selling similar services. And they all promise that they carefully check what commands their customers send to the (IMHO) infected apps on your phone and PC. Yeah, I am sure they "do no evil". And when they do, they can claim it's not their problem because they are merely the proxy. Again, IMHO, a shady business model.

Trend Micro did some research on these companies back in 2023 and it confirms my suspicions. And I guess with AI scraping this kind of business is booming.

"There are malicious actors who repacked freeware and shareware written by other people to conduct drive-by downloads of the Infatica peer-to-business (P2B) service" ^3

Trend Micro's finding on the real use of these offerings

But IMHO (In My Humble Opinion) this also explains the explosion of bot traffic that really cripples a lot of smaller services (like my Forgejo instance, which I had to make non-public).

So if you as an app developer include such a 3rd party SDK in your app to make some money -- you are part of the problem and I think you should be held responsible for delivering malware to your users, making them botnet members.

Unfortunately it is next to impossible for normal users to detect the inclusion of such shady SDKs and the network traffic they cause. Not to mention how hard this is for admins of (small) web servers.

I already blogged about this back in February 2025 but I think it is better to put what I have learned since then in this new post.
I guess it won't be my last on this topic.

See for yourself!

If you want to feel really dirty, go to https://proxyway.com/reviews?e-filter-da2a7bc-reviews_categories=proxy-providers for a collection of reviews on these services. It's a huge market and I am 100% convinced that "AI" web scraping is currently the biggest "growth" driver for these companies.

And when I see that quite a few of them rely on injecting SDKs into 3rd party apps to "extend" their "Reach" and fill their pools of "residential proxies", I would call out these companies for distributing malware and creating botnets. But that's just my personal opinion. I am sure they are all legit.

[Image: Page 1 of 3 with reviews of "residential proxy" providers]

My conclusion

I am now of the opinion that every form of web-scraping should be considered abusive behaviour and web servers should block all of them. If you think your web-scraping is acceptable behaviour, you can thank these shady companies and the "AI" hype for moving you to the bad corner.

Thank you for your time and interest! I hope it helps you understand why web crawlers have become a real problem and how this is more and more an attack on the foundation of the Web as it was intended to be. This "residential proxy" business is just one part of this. And we webmasters/admins can only try to block. It is getting more and more difficult to keep up with these waves. Thanks "AI", I guess?

Footnotes

1. https://infatica.io/sdk-monetization/
2. https://infatica.io/pricing/
3. https://www.trendmicro.com/vinfo/ae/security/news/vulnerabilities-and-exploits/a-closer-exploration-of-residential-proxies-and-captcha-breaking-services

License: CC BY 4.0
Tags: AI, Botnet. Categories: Blog, Personal.
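
The post describes scraping funnelled through "millions of rotating, residential and mobile IP addresses"; the sketch below is an added example (not code from the post) showing why a per-IP request threshold misses that pattern while counting distinct client IPs per path prefix surfaces it. The log lines, the `/jan/repo` paths and the thresholds are constructed assumptions, and the input is assumed to be one time window of a combined-format access log.

```python
import re
from collections import Counter, defaultdict

# Combined-log-format fields this example needs: client IP and request path.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

def _requests(lines):
    """Yield (ip, path-without-query) for every parseable log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["path"].split("?")[0]

def per_ip_offenders(lines, limit=5):
    """Classic per-IP threshold: IPs with at least `limit` requests."""
    counts = Counter(ip for ip, _ in _requests(lines))
    return sorted(ip for ip, n in counts.items() if n >= limit)

def distributed_crawls(lines, depth=3, min_ips=5, max_avg=2.0):
    """Flag path prefixes hit by many distinct IPs that each send few requests."""
    per_prefix = defaultdict(Counter)
    for ip, path in _requests(lines):
        prefix = "/" + "/".join(path.strip("/").split("/")[:depth])
        per_prefix[prefix][ip] += 1
    findings = []
    for prefix, ips in per_prefix.items():
        total = sum(ips.values())
        if len(ips) >= min_ips and total / len(ips) <= max_avg:
            findings.append({"prefix": prefix, "ips": len(ips), "requests": total})
    return sorted(findings, key=lambda f: -f["ips"])

def _line(ip, path):
    return f'{ip} - - [19/Apr/2025:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "-"'

# Constructed sample: nine documentation-range IPs, one request each, all for
# commit pages of one repository, plus one visitor browsing normally.
SAMPLE = [_line(f"{net}.{i}", f"/jan/repo/commit/{i:04x}{n}")
          for n, net in enumerate(("192.0.2", "198.51.100", "203.0.113"))
          for i in (7, 23, 101)]
SAMPLE += [_line("192.0.2.200", p) for p in
           ("/", "/jan", "/jan/repo", "/jan/repo/issues", "/jan/repo/issues/1", "/jan/repo/pulls")]

if __name__ == "__main__":
    print("per-IP threshold flags:", per_ip_offenders(SAMPLE))
    print("prefix fan-in flags:  ", distributed_crawls(SAMPLE))
```

On the sample, the per-IP threshold flags only the ordinary visitor, while the prefix fan-in check flags the commit pages. Popular shallow pages also attract many single-request IPs, so findings are candidates for review, most meaningful on deep prefixes that people rarely fan into.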