Skip to content
Chimera readability score 87 out of 100, Specialist reading level.

The GCA Internet Integrity Program convened the Internet Integrity Workshop III on 18 May 2026 at the Edinburgh International Conference Centre, under the Chatham House rule. The session brought together network operators, Internet Service Providers (ISP) engineers, security researchers, threat intelligence providers, and members of the Internet coordination community from across Europe, Asia, North America, and Latin America. This new report, “Internet Integrity Workshop III: Residential Proxies and Infected Infrastructure,” examines the proceedings and strategic analysis of the event.
The workshop examined one of the most significant and rapidly growing threats to Internet infrastructure: abuse of residential proxy networks, which have grown to an estimated 100–200 million exit nodes globally, generating aggregate capacity in the hundreds of terabits per second. These networks — built on compromised consumer devices, supply-chain-implanted malware, and uninformed Software Development Kit (SDK) consents — are increasingly used for AI training and are enabling attacks that range from credential stuffing to nation-state intelligence gathering.
There was strong consensus among the participants that the most scalable mitigation lever is not cleaning up infected devices — an unworkable problem at the scale of hundreds of millions — but disrupting the control plane: the concentrated infrastructure that connects exit nodes to paying customers. For commercial proxy networks, this means targeting the small number of back-connect relay operators (approximately 6–8 globally) that aggregate exit-node pools; for malware botnets, it means targeting the command-and-control (C2) servers that coordinate infected devices. Both are technically feasible, deployable via standard routing mechanisms, and economically compelling once framed correctly. This report summarizes the workshop discussions and identifies five possible longer-term directions for the community that flow directly from the workshop findings. These represent areas where sustained, collective effort — across operational, research, policy, and civil society actors — is needed to produce a durable change.
| Key Findings at a Glance | |
|---|---|
| The Scale 100–200M residential exit nodes globally; hundreds of Tbps aggregate capacity; growing rapidly since late 2024, driven by AI demand. | The Control Plane The scalable mitigation lever is not infected devices but the concentrated control plane: ~6–8 back-connect relay operators for commercial proxies; C2 servers for botnets. |
| The ISP Lever Security arguments haven’t moved ISPs. A financial case — ISPs are giving bandwidth away to commercial proxy operators — is the most actionable engagement lever. | The Critical Gap No public, dynamic resource identifying control-plane infrastructure exists. This is explicitly identified as the single most critical missing operational resource. |

Sentinel — Human

Confidence

The text demonstrates high coherence and logical structure, suggesting strong human editorial oversight, although the highly specific terminology is consistent with sophisticated LLM training.

Signals Detected
low severity: Moderate sentence length variance; cohesive flow with clear topic shifts.
low severity: High internal coherence; the arguments flow logically from a specific event (workshop) to systemic implications.
medium severity: Structured presentation of findings and a clear, focused thesis statement characteristic of structured reporting.
Human Indicators
The use of specific, non-generic operational terms (e.g., 'control plane,' 'back-connect relay operators,' 'C2 servers') suggests domain expertise that LLMs can mimic but is often grounded in human systems thinking.
The direct synthesis of complex technical findings into a single, actionable argument about mitigation strategies reflects a structured analytical approach typical of professional reporting.