17 million devices for rent: tracing a residential-proxy botnet from one cracked game

I got bored on a forum doing arithmetic on ‘millions of residential IPs’, ended up reverse-engineering a botnet’s C2 from one infected phone, and reported it. The whole messy thread — and where it led.

June 26, 2026 · 14 min · Vitalii Zaiats

Wire-to-WiFi correlation

A weekend bench experiment: drive a size/timing pattern through a doubly-encrypted, proxied flow and watch it reappear in a device’s WiFi frames. The physics held at r=0.9 on my own hardware — and then the real fight was with a cheap monitor adapter that decoded almost none of the frames I actually needed. A lab notebook that ends in a shopping list, false positive included.

July 4, 2026 · 13 min · Vitalii Zaiats

Chaining SOCKS5 UDP relays: self-loops, SSRF, and the amplification that isn't

Final follow-up post debunking the “open UDP relay = DDoS amplifier” fear: chaining launders origin but de-amplifies at the target, self-looping only DoSes the relay itself, loopback forwarding is a UDP SSRF, and even a paid commercial proxy fails the RFC 1928 §6 source check — every behavior reframed as a single-packet detection fingerprint.

June 13, 2026 · 9 min · Vitalii Zaiats

Auth on TCP, open on UDP: the SOCKS5 relays scanners can't see

Final version of the SOCKS5 open-UDP-relay teardown: de-quantified the scan-list phrasing, aligned a log comment to first-person voice, and thinned one forward-reference scaffold, with all tables, numbers, RFC references, and the “signals, not weapons” defensive framing preserved verbatim.

June 11, 2026 · 17 min · Vitalii Zaiats

From a proxy pool's torrents to a booby-trapped game

I chased a residential proxy pool’s own download habits down to one cracked driving game, and found a build that’s a confirmed ad-fraud carrier hiding an encrypted payload I still can’t prove is proxyware.

May 31, 2026 · 8 min · Vitalii Zaiats

Coordinated disclosure: CCTV cameras selling their owners' bandwidth

How I passively fingerprinted hacked Dutch CCTV cameras being resold as residential proxy exit nodes — and reported them to NCSC-NL without ever touching a single box.

April 15, 2026 · 5 min · Vitalii Zaiats

The iOS proxy ghost: why you can't find an iPhone in a residential pool

Turns out the iPhone on every proxy provider’s landing page is the one device that basically can’t be in the pool — and that absence is exactly what makes a real iOS fingerprint a trustworthy “human here” signal.

April 3, 2026 · 4 min · Vitalii Zaiats

TCP-fingerprinting 300K residential proxy IPs: 98% are Linux

Probed 319,706 residential-proxy exits by their TCP SYN fingerprints — 98% Linux, two kernel defaults covering 70%+, MSS leaking the real link, and a handful of big ISPs — showing the “real user devices” are mostly a rack of Linux boxes.

March 26, 2026 · 4 min · Vitalii Zaiats

Detecting credential stuffing through encrypted traffic

Encrypted traffic still leaks its silhouette: near-identical response sizes (CV < 0.05) plus JA3 counts turn a sealed TLS tunnel into a credential-stuffing detector.

March 24, 2026 · 4 min · Vitalii Zaiats