That “Passive Income” From Your Home’s WiFi? You’re Being Paid to Become Infrastructure
I have been seeing ads on social media platforms that promise passive income just by running an application on your phone or device and “sharing unused bandwidth”. I instinctively ignored them as a major red flag regardless of whether the origin had a legitimate business. As I kept on receiving these ads, I realized that it is possible that non-technical persons and even some would click on it because what harm could there be, people actually get payouts. A little extra $5 to $50 a month for doing nothing would never hurt, right?
On the surface, it sounds harmless. In practice, however, it turns your home internet connection into what is called a residential proxy exit node. That changes everything.
So What Really Is Happening?
When you install a bandwidth sharing application, you’re not getting paid for your personal “WiFi.” You’re getting paid for access to your Internet Protocol (IP) address and network path.
In case you are not too clear, an IP address is a unique number that every device gets when it connects to a network, whether local, like your home or work, or public, like the internet. Your IP address can be permanent or temporary, but it can always be used to point back to you, and in a nutshell, that is how cyber criminals are caught: by their IP address.
Now back to this “passive income” from your home’s WiFi. Think of it as lending someone your home key, and only limiting them to the front gate. They can’t open your front door, but they can stand on your veranda and do whatever they want. To everyone passing by, whatever they do looks like it was done by you.
Security researchers describe these types of applications as proxyware: applications that turn your devices into proxy endpoints that can be sold to internet users. Your home’s IP address funnels traffic from these internet users so that their activity looks like legitimate home user activity coming from your IP address. Trend Micro explicitly calls out that these networks can be monetized by selling proxy access to customers who may use it for unethical or illegal purposes.
Now you understand why I instinctively ignored those ads. So now I am highlighting this for anyone who may not fully understand the potential risks.
I actually see this as a type of social engineering; I would call it a quid pro quo social engineering technique. The playbook is that you are offered a small financial benefit in exchange for access to your home’s IP address, which usually has a clean reputation, and also for your position inside a residential network.
As Cybersecurity Professionals We Automatically Flag This as Riskware
1. Attribution Risk, Your IP Potentially Becomes the Blame
When someone uses your IP through the proxy network to do something illegal, whether that is fraud or scraping websites or stuffing credentials into login pages, the first thing that investigators are going to see is your home IP address. They do not see the person who actually did it, they see you.
This is not theoretical.
In May 2024, the FBI and international law enforcement dismantled the 911 S5 botnet, which the FBI called “the world’s largest botnet ever.”
The numbers were very high:
- 19 million compromised IP addresses across 190 countries
- Over 613,000 IP addresses in the United States alone, so imagine regions like LATAM and the Caribbean
- $99 million generated by the operator selling access to hijacked residential IPs
- $5.9 billion stolen from federal pandemic relief programs through fraudulent applications
The operator was YunHe Wang, who did this using “free” VPN applications that secretly installed proxy backdoors, which are like a secret entry inside your house. So back to the illustration of you giving someone a key to your house that limits them to the veranda: without your knowledge, they created a secret door at the back of your house that gives them unauthorized access inside. Customers used those hijacked connections for cyber crimes like bomb threats, financial fraud, identity theft, and child exploitation. The people whose IP addresses were part of that botnet had no idea what was happening; they never suspected that installing a “free” VPN application could be a potential danger.
2. IP Reputation Damage Where You Get the Consequences
Even when the downstream use is “commercial” rather than criminal, your home’s IP address gets the reputation hit:
- You start noticing constant CAPTCHAs on Google searches or Cloudflare when accessing some websites
- Blocks from banking and streaming services
- Rate limiting and soft bans across platforms
Depending on how badly your IP gets affected, your recovery could take months.
3. You Can’t Verify Downstream Customer Behavior
The applications claim the traffic is for innocent purposes like “market research” or “SEO monitoring.” Maybe some of it is.
But as the exit node, you have no way of verifying this, which is the basic problem and the reason for concern. Trend Micro highlights this exact issue and notes that some proxyware components can be bundled so the real beneficiary isn’t even the end user.
4. This Is Already Being Exploited by Criminals
Cisco Talos has done research on how criminals are taking advantage of these proxyware platforms. What they found is that some of the installers for these applications have been modified to include malware, so people who think they are just installing a bandwidth sharing app are actually installing something malicious along with it. Cisco Talos also points out that there is a real risk to your reputation and your operations when traffic that looks abusive is coming from your IP address.
This isn’t a case of a few bad actors exploiting an otherwise clean system. The infrastructure itself attracts cyber criminals because it provides residential IP addresses that bypass anti-fraud systems.
Remote Work and BYOD Make This a Potential Business Issue
While doing my research on this topic I began to see how this could be a problem for some organizations.
If your organization has remote workers or allows employees to use their own devices, or even if you have staff who share their personal computers with family members at home, then these bandwidth sharing applications are no longer just a personal problem. They become a risk to your organization.
A clarification before we go any further: bandwidth sharing by itself does not automatically let someone intercept cloud passwords in transit. Logins today are protected by TLS, so passive network observers can’t just read credentials like it used to be around the year 2005.
The real risk comes from what often comes with these applications: proxy backdoors, local VPN profiles, aggressive device permissions, bundled installers, and trojanized copies. That’s where credential theft, session token theft, and device compromise can become a problem.
When you have remote staff using their own devices, you have to understand that the device is not fully under your control. Family members are using that same computer to install their own applications, clicking on ads, using the same browser, and that is the same device that connects to your Microsoft 365 or Google Workspace or your CRM or your finance systems.
So when you look at it that way, proxyware is not just some weird application that an employee's child installed. It is software that is routing network traffic through a device that has access to your business systems, and you have no control over it.
How This Becomes a Problem for Organizations
1. Endpoint Compromise Becomes Identity Compromise
If the application drops malware, or if the installer has been modified to include something malicious, then the risk is no longer just about your IP address being used. Now you are looking at stolen session tokens and stolen credentials.
The FBI has documented cases where people installed what they thought were free applications but were actually installing proxy backdoors without knowing it. The criminals could then route their activity through these devices. But if you are thinking about this from an organization's perspective, the bigger concern is what else can those backdoors do when they are sitting on a device that has access to corporate systems.
2. When Corporate Access Gets Disrupted and Employees Try to Work Around It
When your IP address gets associated with proxy network abuse, it damages your reputation with various services. What happens then is that employees start seeing CAPTCHAs everywhere, or they get blocked, or they have to deal with extra sign-in challenges when trying to access corporate platforms.
The impact on the business is that people lose productivity, but the worse part is what employees do to try to fix the problem on their own. They disable security features, they start using personal email, they bypass the approved VPN or single sign-on. And this just makes things worse because now you have a new problem on top of the original one.
3. Policy, Legal, and Compliance Problems
Even if the application itself is legitimate, it could still be violating your acceptable use policies or your ISP's terms of service or your own corporate security requirements. But the bigger issue is this: if that device is being used for work, then your organization might end up having to deal with incident response for activity that traces back to an employee's home IP address. That could mean abuse complaints showing up, or even investigators asking questions.
If you look at the FBI's IC3 guidance on 911 S5, you can see how attribution and liability can become a serious problem for organizations.
4. Criminals Use This as Another Way In
Even when the platform itself is not designed to be malicious, it still attracts criminals because of what they can do with it. Cisco Talos has documented how threat actors are using and abusing proxyware for their operations. What this means is that anyone who is contributing their endpoint to these networks is taking on more risk, and so are the organizations that those endpoints connect to.
This is Not Theoretical, It is Happening Now
Security firm Infoblox did a review of their customer traffic and what they found was that almost 25% of their enterprise customers had at least one device that was querying domains related to Kimwolf since October 2025.
This was affecting organizations in education, healthcare, government, and finance. Infoblox explained what was happening: a device like a phone or a laptop would get compromised by criminals, and then they would use it to probe the local network looking for other vulnerable devices.
Riley Kilmer, founder of Spur.us (a company that helps organizations identify proxy traffic), put it this way: “If you know you have [proxy] infections that are located in a company, you can choose that [network] to come out of and then locally pivot. If you have an idea of where to start or look, now you have a foothold in a company or an enterprise based on just that.”
The FBI’s own guidance on the 911 S5 botnet specifically calls out this risk: “For organizations that employ Bring Your Own Devices (B.Y.O.D.) policies, they may have inadvertent connections to the 911 S5 proxy botnet.”
Why This Matters for Your Organization
The outcome is not guaranteed compromise. But it is an avoidable risk increase with negligible reward.
Your organization is now depending on the integrity of a device that may be running proxy software, local VPN services, or unknown background agents. That undermines BYOD governance because this is a category of software designed to externalize control of a critical asset, the endpoint’s network identity.
The 2026 Threat Landscape Makes This Worse
Residential proxy infrastructure is now a core enabler for modern fraud and bot activity because it looks like normal human traffic. Cyber criminals want residential, not datacenter.
As I write this in January 2026, we’re watching another massive residential proxy botnet called Kimwolf spread through consumer devices. Security researchers estimate it’s already infected over 2 million devices globally, primarily Android TV boxes and streaming devices.
Kimwolf spreads by tunneling through legitimate residential proxy networks, using the infrastructure of services like the ones I’ve been describing to find and compromise new devices on local networks. This could be a laptop used by a remote staff member. Two-thirds of the infections are Android TV boxes that shipped with zero security. Some came pre-infected from the factory.
To give you an idea of how big this problem is:
- Cloudflare reported peak DDoS attack rates of 29.7 terabits per second.
- Almost 25% of enterprise customers at Infoblox had devices querying Kimwolf-related domains.
- Infections were found in government, healthcare, finance, and education networks.
- And Kimwolf does not just sit there, it scans the local network looking for other devices to compromise and it can even manipulate DNS settings on local routers.
What People Do Not Understand is That Legitimate Does Not Mean Safe
Yes, some of these applications do actually pay you. But just because you are getting paid does not mean it is safe. What you should be asking yourself is this: are you comfortable letting someone else use your home IP address knowing that you will not be able to prove what traffic came from you and what came from someone else?
For most people, the money you get from these applications is not worth the risk you are taking on.
If you are thinking about this from an organization's perspective, you need to ask yourself whether you are okay with your network security depending on what your employees' family members decide to install on the home computer.
What You Can Do About This
If your organization has remote workers, or you allow employees to use their own devices, or you have people accessing corporate resources from their home networks, then you need to start thinking about this as a security issue.
Policy Updates
- Your policies should explicitly ban proxyware and bandwidth-sharing applications on any device that accesses company systems. And this should not be limited to just corporate-owned devices, it needs to include personal devices as well.
- You should also include proxyware in your security awareness training. Most employees have never even heard of these applications, and the ones who have probably do not understand what they are actually agreeing to when they install them.
- Give your staff a simple rule to remember: do not trade your IP address for pocket money on any device that you use for work.
Technical Controls You Can Implement
- For cloud access, you should require device compliance. This means things like MDM enrollment, having an EDR agent installed, making sure the OS is patched, and requiring disk encryption.
- If you have BYOD, use application protection or work containers to keep work data separate from personal applications. That way, if the personal side gets compromised, it does not automatically mean the work side is compromised too.
- Set up conditional access policies so that you can block access from devices that have unknown or risky network agents running on them.
- Give your remote workers guidance on network segmentation. Encourage them to put their work devices on an isolated network at home, like a guest WiFi or a separate VLAN if they know how to set that up.
- Your security team should be monitoring for proxy-related indicators. That means watching for DNS queries going to known botnet domains and looking for unusual outbound traffic patterns.
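To make the DNS monitoring point concrete, here is an added example (not taken from any of the referenced vendors) that scans resolver logs for queries to a watchlist and reports which internal device made them. It assumes dnsmasq / Pi-hole style query lines; the watchlist domains and log lines are constructed placeholders, and in practice the list would come from your threat-intelligence feed.

```python
"""Flag internal clients whose DNS queries hit a proxy/botnet domain watchlist."""
import re
from collections import defaultdict

# Constructed placeholder watchlist (reserved .example names, not real indicators).
WATCHLIST = {"proxy-sdk.example", "c2.botnet.example"}

# Assumed log format: dnsmasq / Pi-hole "query[TYPE] name from client" lines.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def watchlist_match(name, watchlist):
    """Return the watchlist entry equal to `name` or a parent of it, else None.

    Matching walks label boundaries, so 'node7.proxy-sdk.example' matches
    'proxy-sdk.example' but 'notproxy-sdk.example' does not.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def scan(lines, watchlist=WATCHLIST):
    """Return {client IP: {matched watchlist domain: hit count}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # replies, forwards and unrelated lines are ignored
        entry = watchlist_match(m["name"], watchlist)
        if entry:
            hits[m["client"]][entry] += 1
    return {client: dict(domains) for client, domains in hits.items()}


# Constructed sample log for illustration.
SAMPLE_LOG = """\
Jan 12 10:15:01 dnsmasq[812]: query[A] login.microsoftonline.com from 192.168.1.20
Jan 12 10:15:03 dnsmasq[812]: query[A] node7.proxy-sdk.example from 192.168.1.44
Jan 12 10:15:03 dnsmasq[812]: reply node7.proxy-sdk.example is 203.0.113.9
Jan 12 10:15:09 dnsmasq[812]: query[AAAA] C2.Botnet.Example. from 192.168.1.44
Jan 12 10:16:40 dnsmasq[812]: query[A] notproxy-sdk.example from 192.168.1.20
Jan 12 10:17:02 dnsmasq[812]: query[A] node2.proxy-sdk.example from 192.168.1.44
""".splitlines()

if __name__ == "__main__":
    for client, domains in sorted(scan(SAMPLE_LOG).items()):
        for domain, count in sorted(domains.items()):
            print(f"{client} queried {domain} (or a subdomain) {count} time(s)")
```

A hit identifies the device to investigate, not proof of infection; pair it with endpoint checks before taking action.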
Resources for Detection
- Synthient has a Kimwolf checker at synthient.com/check where employees can verify if their home IP is associated with the botnet.
- The FBI has guidance on 911 S5 at fbi.gov/911S5 which gives you a step-by-step guide to check for and remove proxy backdoor malware.
If You’re Already Using One of These Applications (Individual Users)
Do not panic. Just because you have one of these installed does not mean you have been implicated in anything criminal. But you should be careful and deliberate about what you do next.
Here is what you should do right now:
- Uninstall the application. The few dollars you are getting is not worth the risk you are taking.
- Check if your IP has been flagged. If you are suddenly seeing CAPTCHAs everywhere or you are having trouble accessing banking sites, that is a warning sign that something is wrong. You can also use the Synthient Kimwolf checker at synthient.com/check to see if your IP has been affected.
- Check your network for compromised devices. If you have cheap Android TV boxes or streaming devices at home, look into whether they are on the list of known compromised models. If it turns out that yours is infected, security researchers recommend that you wipe it or destroy it completely. And by destroy I mean never use it again.
If You Still Want to Do This Anyway
If you are determined to use one of these applications anyway, here is how you can at least reduce some of the risk:
Steps to isolate the risk:
- Put the device on a guest WiFi network or an isolated VLAN so that it does not have access to your personal or work devices.
- Use a spare device for this, not your primary phone or anything that connects to work systems.
- Keep an eye on your router for unusual outbound traffic patterns.
- And have a rollback plan ready, which means being prepared to uninstall, rotate your IP if your provider allows it, and watch for any service blocks that start showing up.
But here is the reality: even if you isolate the device, you are only reducing the risk to your other devices. You are not removing the attribution risk. Your IP is still your IP. If I am being honest, I would not bother going through all of this, just do not install these applications in the first place.
Questions You Should Ask Before Installing Anything
Before you sign up for any bandwidth-sharing service, you should try to get answers to the following questions:
- Who owns the network and who is buying access to it?
- What kind of traffic is allowed and what is explicitly prohibited?
- Do they have audit logs or transparency reports that you can look at?
- What happens if law enforcement contacts them about activity that came from your IP address?
- And what permissions does the application need on your device?
If you cannot get clear answers to these questions, that should tell you something about whether you should trust them.
The Bottom Line
When an ad says “earn passive income by sharing WiFi,” translate it to what it really means: You’re being paid to become infrastructure.
Sometimes that’s fine. Often it’s riskware. And in the wrong hands, it’s an investigation waiting to happen, or a foothold into your employer’s network.
References:
- FBI: How to Identify and Remove VPN Applications That Contain 911 S5 Backdoors - fbi.gov
- FBI IC3: Guidance on the 911 S5 Residential Proxy Service - ic3.gov
- DOJ: 911 S5 Botnet Dismantled and Its Administrator Arrested - justice.gov
- Trend Micro: Hijacking Your Bandwidth - How Proxyware Apps Open You Up to Risk - trendmicro.com
- Cisco Talos: Adversarial Abuse of Proxyware - blog.talosintelligence.com
- Infoblox: Kimwolf Botnet Risks for Enterprises and Institutions - infoblox.com
- Krebs on Security: The Kimwolf Botnet Is Stalking Your Local Network - krebsonsecurity.com
- Krebs on Security: Kimwolf Botnet Lurking in Corporate, Govt. Networks - krebsonsecurity.com
- Synthient: A Broken System Fueling Botnets - synthient.com