That $35 digital photo frame cycling through vacation snapshots on your shelf may already be renting your home internet connection to criminals — and nothing you do after plugging it in will stop it.
A Wall Street Journal investigation published this week found that five budget connected devices purchased from Amazon and Walmart — two digital photo frames and three streaming “super boxes,” all for under $800 — arrived from the factory with hidden software that immediately began routing third-party internet traffic through the reporters’ home connections. Not one device was clean out of the box.
The finding lands against a backdrop of mounting federal warnings: the FBI issued a formal public service announcement in March warning that cybercriminals are enrolling consumer IoT devices into residential proxy networks, and a January advisory specifically identified China-manufactured TV boxes and picture frames as primary vectors for the BADBOX 2.0 botnet. The Digital Citizens Alliance estimates roughly 20 million such compromised devices are currently active in the United States alone.
What a Residential Proxy Does — and Why Criminals Pay for It
A residential proxy routes a third party’s internet traffic through a real household connection, making criminal activity appear to originate from an ordinary home address rather than a suspicious data-center server. That disguise has substantial criminal value: traffic observed flowing through the test devices included requests linked to online gambling platforms, cryptocurrency services, adult content sites, and large-scale account-takeover operations, all routed through the reporters’ home IP addresses without their knowledge or consent.
The key distinction from an ordinary malware infection is that the affected homeowner’s IP address — not the attacker’s — appears in any investigative or forensic trail. Law enforcement officials cited in the WSJ report described the resulting challenge bluntly: when criminal activity is traced to a residential IP address, investigators’ first stop is the household it belongs to. Innocent consumers have faced serious scrutiny, and in some cases law enforcement action, simply because their compromised device was the last visible node in a criminal operation they knew nothing about.
How Factory-Installed Malware Works — and Why Firmware Updates Cannot Fix It
The WSJ investigation and supporting security research reveal a technical architecture that conventional consumer security tools are structurally unable to address.
Budget streaming boxes and photo frames sold under generic or unrecognized brand names — many manufactured in China — ship with software development kits already embedded in their base firmware. These kits are marketed to device manufacturers and app developers as a “bandwidth monetization” tool: the manufacturer is paid on a per-device basis to include the software, which silently enrolls the device into a residential proxy network the moment it connects to the internet.
The network operates through a two-tier command-and-control architecture. When a compromised device first connects to the internet, it contacts a Tier One server to obtain a list of Tier Two nodes. It then communicates with a Tier Two server to poll periodically for outbound traffic belonging to third parties — traffic the device routes invisibly through the household’s connection. Google dismantled IPIDEA, the Chinese-operated residential proxy service behind much of this infrastructure, through legal action in January 2026. Before its disruption, IPIDEA ran approximately 7,400 Tier Two servers and enrolled more than 550 individual threat groups spanning cybercrime, espionage, and information operations from China, North Korea, Iran, and Russia.
The engineering constraint that makes this threat category categorically different from conventional malware: firmware updates patch vulnerabilities introduced after a device ships. They cannot remove software that the manufacturer deliberately included in the base firmware image at the time of production. On devices that are not certified under Google’s Android TV Play Protect program — a category that includes the vast majority of low-cost off-brand streaming boxes — there is no mechanism by which Google’s malware countermeasures can reach the pre-installed code. The device is not exploited. It is delivered that way.
To confirm the behavior under controlled conditions, Comcast researchers isolated the WSJ’s test devices inside a Faraday cage — a shielded enclosure that eliminates all external wireless signals — and monitored their activity directly. The results were unambiguous: the devices were actively launching distributed denial-of-service attacks and repeatedly attempting to access hardware controls. The misbehavior was not passive data leakage. It was live, observable criminal conduct captured in a shielded room.
When Criminal Proxy Networks Scale Into State Espionage
The scale that makes residential proxy networks valuable to retail criminals also makes them attractive to governments. Security researchers and US intelligence agencies have confirmed that Chinese state-sponsored hacking groups Volt Typhoon and Flax Typhoon route their espionage traffic through exactly this kind of compromised consumer-device infrastructure, making attacks on US critical infrastructure appear to originate from ordinary American households rather than Chinese government servers.
A joint advisory issued in April 2026 by the Cybersecurity and Infrastructure Security Agency, the FBI, the NSA, and eleven international cyber agencies described the strategic shift: Chinese state-affiliated actors are no longer relying solely on individually procured servers for their intrusions. They build covert botnet networks from compromised consumer IoT devices — the same class of hardware sold on Amazon and Walmart — to create an anonymizing layer that makes their traffic indistinguishable from routine household internet use. A consumer who buys a $25 streaming box from a no-name Amazon seller may, without any further action, be contributing their home connection to a network Flax Typhoon operators are using to probe US power grids.
John Hultquist, chief analyst at Google’s Threat Intelligence Group, described the stakes following Google’s IPIDEA enforcement action: “Residential proxy networks have become a pervasive tool for everything from high-end espionage to massive criminal schemes. By routing traffic through a person’s home internet connection, attackers can hide in plain sight while infiltrating corporate environments.”
The Marketplace Problem Amazon and Walmart Have Not Solved
The WSJ investigation raises pointed questions about the platforms through which these devices reach consumers. Neither Amazon nor Walmart currently requires manufacturers of connected devices sold through their third-party marketplaces to disclose pre-installed software, and neither has deployed mechanisms capable of detecting factory-embedded proxy clients before products go on sale.
The supply-chain incentive structure compounds the difficulty. At $15 to $40 per unit, the hardware itself is a loss leader. The recurring monetizable asset for the manufacturer is the household IP address the device provides: 24 hours a day, running on the consumer’s electricity, subletting bandwidth to whoever pays the residential proxy operator for access. A device sold at or below cost can be profitable if it ships pre-enrolled in a network that generates ongoing revenue from the consumer’s connection — revenue the consumer never sees, did not authorize, and cannot easily stop.
Security experts cited in the investigation believe certain manufacturers are paid directly to embed proxy software before devices leave the factory floor. That arrangement makes these devices categorically different from the conventional botnet scenario, in which a legitimate manufacturer’s product is later compromised through a software vulnerability. These devices are not victimized by the criminal supply chain. They are part of it from the moment of production.
How to Tell If You Are at Risk — and What You Can Actually Do
The FBI’s March 2026 public service announcement and security researchers offer consistent guidance, though it comes with an important caveat about what it can and cannot fix.
Firmware updates remain worthwhile as a general security practice: they close vulnerabilities that attackers can layer on top of an already-compromised device. But firmware updates applied after purchase cannot remove proxy software that was part of the original factory firmware. For devices that arrive pre-enrolled, the most reliable mitigation is not patching — it is not purchasing the device in the first place, or removing it from the network entirely.
Avoid streaming devices that promise free sports, movies, or television from unrecognized brands. These are the highest-risk category identified in both the WSJ investigation and the FBI’s formal warnings. A streaming box that costs $15 to $25 and claims access to premium content without a subscription should be treated as almost certainly pre-compromised.
Place all smart home devices on a dedicated guest VLAN or guest Wi-Fi network, isolated from computers, phones, and any device with access to financial accounts or sensitive data. Network segmentation does not remove the proxy software, but it limits what an attacker can access if a device is already compromised, and limits the blast radius if secondary exploits are layered on.
Verify Play Protect certification for Android TV devices before purchase. Google maintains a list of Android TV partners whose devices have been tested and certified. Devices on that list are subject to Play Protect’s malware detection and removal; off-brand devices are not.
Monitor home router traffic logs for unexplained spikes in upload activity, connections to unfamiliar IP addresses, or higher-than-usual data consumption. These can be indicators of a device routing third-party traffic.
File a report with the FBI’s Internet Crime Complaint Center at ic3.gov if a device is suspected of compromise.
The internet intelligence firm Spur also offers a free public tool that checks whether a home network’s IP address is currently registered as a residential proxy node; the check costs nothing and takes less than a minute.
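To make the router-log monitoring advice above (repeated in the FAQ below) concrete, here is an added example, not code from the WSJ report or from any vendor or tool named in this article: a Python script that scores each LAN host on three traits a relaying device tends to show, upload volume exceeding download, many unrelated destinations, and clock-like polling of one host, the pattern the Tier Two polling described earlier would produce. The flow records, device names, addresses and thresholds are all constructed for illustration; a real router exports NetFlow, sFlow or per-client byte counters in its own layout, so only the parser would need adapting.

```python
import csv
import statistics
from collections import defaultdict

# Constructed NetFlow-style router records (not a real capture): ts = seconds since
# log start, device = LAN host, dst = remote IP, out/in = bytes sent/received.
SAMPLE_FLOWS = """\
ts,device,dst,out,in
0,frame,203.0.113.10,400,300
60,frame,203.0.113.10,410,290
120,frame,203.0.113.10,390,310
10,frame,198.51.100.1,90000,5000
70,frame,198.51.100.2,85000,4000
130,frame,198.51.100.3,92000,6000
5,laptop,192.0.2.50,20000,900000
"""

def load_flows(text):
    # Parse the CSV into (ts, device, dst, bytes_out, bytes_in) tuples.
    return [(int(r["ts"]), r["device"], r["dst"], int(r["out"]), int(r["in"]))
            for r in csv.DictReader(text.splitlines())]

def beacon_regularity(flows):
    # Lowest coefficient of variation of the gaps between contacts to any one
    # destination (3+ distinct seconds); near 0 means clock-like polling of a controller.
    per_dst = defaultdict(set)
    for ts, _, dst, _, _ in flows:
        per_dst[dst].add(ts)
    best = None
    for times in (sorted(t) for t in per_dst.values() if len(t) >= 3):
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        best = cv if best is None else min(best, cv)
    return best

def proxy_signals(fl, max_ratio=1.0, max_dsts=3, max_cv=0.2):
    # Signals that one device is relaying other people's sessions rather than
    # consuming content: upload-heavy, many unrelated peers, timer-driven polling.
    out, inb = sum(f[3] for f in fl), sum(f[4] for f in fl)
    cv = beacon_regularity(fl)
    checks = {"upload exceeds download": out / max(inb, 1) > max_ratio,
              "many distinct destinations": len({f[2] for f in fl}) > max_dsts,
              "regular polling of one host": cv is not None and cv <= max_cv}
    return [name for name, hit in checks.items() if hit]

def suspicious_devices(flows):
    # Map each LAN host that trips at least one signal to the reasons it tripped.
    by_dev = defaultdict(list)
    for f in flows:
        by_dev[f[1]].append(f)
    return {dev: hits for dev, fl in by_dev.items() if (hits := proxy_signals(fl))}
```

On the constructed sample, the photo frame trips all three signals while the laptop trips none; a single tripped signal on a real network is only a prompt to unplug the device and watch whether the pattern stops.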
What Needs to Change at the Platform Level
The WSJ investigation’s most significant accountability finding is structural: neither Amazon nor Walmart has a system for verifying the software contents of connected devices sold through their third-party marketplaces before those devices reach consumers. No FTC enforcement action specifically targeting marketplace sales of pre-infected IoT devices had been announced as of the publication of the WSJ investigation.
The EU’s Cyber Resilience Act, which entered into force in December 2024 and requires full compliance by December 2027, mandates that all connected devices sold in Europe meet minimum cybersecurity standards — including mandatory software transparency and vulnerability disclosure programs. No equivalent requirement exists in the United States for marketplace-sold IoT devices. Until one does, the economic incentive that makes factory pre-installation profitable remains in place, and the supply of compromised devices through legitimate retail channels will continue uninterrupted.
Frequently Asked Questions
Can cheap devices from Amazon or Walmart really be used to route criminal activity through my home?
Yes, and the evidence is direct. WSJ reporters purchased five devices from Amazon and Walmart in June 2026 and found factory-installed software on all five that immediately began connecting to criminal residential proxy networks. The FBI confirmed this threat category in formal public service announcements issued in January and March 2026, and noted that most infected devices were manufactured in China.
What is a residential proxy network, and why does it put homeowners at legal risk?
A residential proxy routes a third party’s internet traffic through a real household IP address so the activity appears to originate from an ordinary home. Criminals pay for access to these networks precisely because the IP address that shows up in any investigative trail belongs to an innocent homeowner, not the criminal. Law enforcement officials quoted in the WSJ investigation have confronted innocent consumers whose devices were the final visible node in operations they knew nothing about.
Why can’t firmware updates fix this problem?
Firmware updates address vulnerabilities introduced after a device ships. They cannot remove software that a manufacturer deliberately embedded in the base firmware at the time of production. The proxy software found on the devices tested by the WSJ was factory-installed — part of the original firmware image — not a subsequent exploit. Devices that are not certified under Google’s Android TV Play Protect program cannot receive Google’s malware countermeasures at all.
How can I tell whether my home’s IP address is already enrolled in a criminal proxy network?
The internet intelligence firm Spur offers a free public tool at spur.us/context/me that checks whether your home network’s IP address is registered as a residential proxy node. Separately, unexplained spikes in upload data usage, sluggish performance, or connections to unfamiliar IP ranges in your router’s traffic logs can indicate that a device is routing third-party traffic. The most protective step is placing all smart home hardware on a dedicated guest network segment, isolated from devices holding financial or personal account access.