Datacenter IP bans — AWS, DigitalOcean, OVH — are no longer effective. The modern fraudster operates from your neighbor's living room.
Over the last six months, our intelligence network has tracked the rapid expansion of "ShadowNode" — an underground commercial proxy service selling access to millions of hijacked residential IP addresses across 190+ countries.
How ShadowNode Works
Threat actors distribute "free VPNs" or pirated software containing a silent background SDK. This SDK turns the victim's home internet connection into a proxy exit node. Fraudsters then pay ShadowNode $3–8/GB to route their attacks through these Comcast, AT&T, and Vodafone IPs.
Network Scale
Based on our passive network telemetry, ShadowNode's current node count sits at approximately 47 million active residential IPs. For context, that's larger than the entire IPv4 space of France. The network generates an estimated $200M/year in revenue from fraud operators worldwide.
Detecting the Invisible
Sentinel defeats ShadowNode by analyzing behavioral and protocol signals rather than IP reputation. We flag TCP/IP stack mismatches, unusual MTU sizes, and cross-network velocity patterns. Additionally, ShadowNode nodes share subtle timing signatures in their TLS handshakes, which Sentinel's ML models flag with 97.3% accuracy.
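To make the first three signals concrete, here is an added example (not Sentinel's code) of how a defender might score them from connection metadata. The record fields, thresholds, and sample data are assumptions constructed for illustration; the TTL defaults and MSS values are common OS and link defaults.

```python
import re
from collections import defaultdict

# Assumed heuristics for illustration: default initial TTL per claimed OS family.
EXPECTED_TTL = {"windows": 128, "linux": 64, "android": 64, "macos": 64, "ios": 64}
COMMON_MSS = {1460, 1452}  # IPv4 over Ethernet and PPPoE with no tunnel overhead
# Order matters: Android UAs contain "Linux", iPhone UAs contain "Mac OS X".
UA_PATTERNS = (("Android", "android"), ("iPhone|iPad", "ios"),
               ("Windows NT", "windows"), ("Mac OS X", "macos"), ("Linux", "linux"))

def claimed_os(ua):
    """Return the OS family the client claims in its User-Agent, or None."""
    return next((fam for pat, fam in UA_PATTERNS if re.search(pat, ua)), None)

def initial_ttl(observed):
    """Round the TTL seen on the SYN up to the nearest common initial value."""
    return next(t for t in (64, 128, 255) if observed <= t)

def score_connection(conn):
    """Return the protocol-level signals raised by one connection record."""
    signals = []
    os_family = claimed_os(conn["user_agent"])
    # The SYN comes from the exit node's stack; the User-Agent from the operator.
    if os_family and EXPECTED_TTL[os_family] != initial_ttl(conn["syn_ttl"]):
        signals.append("stack_mismatch")
    if conn["syn_mss"] not in COMMON_MSS:
        signals.append("unusual_mss")
    return signals

def velocity_flags(events, max_asns=3, window=600):
    """Flag accounts seen from more than max_asns ASNs within window seconds."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append((e["ts"], e["asn"]))
    flagged = set()
    for account, seen in by_account.items():
        for start, _ in seen:
            if len({a for ts, a in seen if 0 <= ts - start <= window}) > max_asns:
                flagged.add(account)
                break
    return flagged

# Constructed sample data (ASNs taken from the documentation range).
SAMPLE_CONN = {"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
               "syn_ttl": 52, "syn_mss": 1380}
SAMPLE_EVENTS = ([{"account": "acct-1", "ts": 60 * i, "asn": 64500 + i} for i in range(5)]
                 + [{"account": "acct-2", "ts": t, "asn": 64500} for t in (0, 30)])

if __name__ == "__main__":
    print(score_connection(SAMPLE_CONN), sorted(velocity_flags(SAMPLE_EVENTS)))
```

None of these signals is conclusive alone: corporate VPNs and mobile carriers also lower the MSS, so treat the output as inputs to a risk score rather than a block decision.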