Inside the ProxySmart Ecosystem: How a Belarusian Platform is Powering a Global SIM Farm-as-a-Service Network

Infrastructure intelligence firm Infrawatch has recently uncovered a sprawling, globally distributed SIM Farm-as-a-Service ecosystem, all orchestrated through a single software platform known as ProxySmart. The investigation mapped 87 exposed control panels across 17 countries and traced them back to at least 94 physical phone-farm locations. For security, fraud prevention, and compliance teams, this discovery highlights a rapidly evolving threat vector that blends consumer-grade hardware with enterprise-level automation.

At its core, a SIM farm is a physical rack of smartphones or 4G/5G USB modems, each provisioned with active SIM cards and continuously connected to mobile carrier networks. Rather than relying on static datacenter IPs, these farms generate large volumes of mobile IP addresses and phone numbers on demand. This architecture makes them exceptionally effective for bypassing SMS-based verification, rotating egress addresses, and orchestrating large-scale bot automation.

What makes mobile proxy infrastructure particularly challenging to mitigate is that mobile IPs sit behind carrier-grade NAT (CGNAT). In this model, a single public IP address is shared across hundreds or thousands of devices simultaneously. Traditional IP reputation lists and static blocklists, therefore, often prove far less effective against this type of traffic.

The ProxySmart Platform Architecture

At the center of this operation sits ProxySmart, a turnkey software stack sold to farm operators on a straightforward per-SIM pricing model. Publicly associated with a Belarus-based commercial footprint, the platform delivers a fully integrated, end-to-end commercial pipeline. It handles device provisioning, automated IP rotation, customer onboarding, retail proxy distribution, and payment processing—all through a unified dashboard.

Operators typically self-host the ProxySmart control panel and are advised to route traffic through reverse proxies hosted on mainstream cloud providers like DigitalOcean or Hetzner. This architectural choice intentionally obscures the physical location of the farm, making geolocation-based takedowns significantly more difficult.

Technically, the platform supports both physical smartphones and USB-based 4G/5G modems. On phone-centric deployments, IP rotation is achieved through a clever but low-tech mechanism: toggling the device’s airplane mode for approximately three seconds. This forces the modem to drop and reattach to the cellular tower, triggering the carrier to assign a new egress IP from its dynamic pool. The platform also supports multiple tunneling protocols, including OpenVPN, SOCKS5, VLESS, and standard HTTP proxies. Notably, VLESS is heavily favored in censorship-heavy jurisdictions like Russia, China, and Iran due to its ability to evade deep packet inspection.

A particularly sophisticated capability baked into ProxySmart is OS fingerprint spoofing. By manipulating TCP/IP stack parameters, the platform can make farm traffic mimic the handshake behavior of macOS, iOS, Windows, or Android devices. This directly undermines behavioral fraud detection systems that rely on client-side telemetry to distinguish between legitimate users and automated infrastructure.

Global Footprint and Carrier Integration

Infrawatch’s analysis identified 87 distinct ProxySmart control panel instances across 17 countries, linked to at least 24 commercial proxy providers and 35 cellular carriers. The physical infrastructure spans 94 locations across North America, Europe, and South America, with a notable concentration in 19 U.S. states ranging from California and Texas to Maine and Delaware.

Carrier connectivity is deliberately diversified. Operators route SIM traffic through major global networks including AT&T, Verizon, T-Mobile, Vodafone, EE, O2, Deutsche Telekom, Telstra, Rogers, and dozens of regional MVNOs. This multi-carrier distribution strategy serves two primary purposes: it exponentially expands the available IP address pool, and it distributes risk to evade carrier-level enforcement or bulk SIM suspension policies.

Fraud Enablement and the KYC Gap

The technical capabilities of ProxySmart translate directly into real-world abuse. Documented exploitation vectors include SMS OTP interception, synthetic account creation, social media automation, and payment gateway fraud. Perhaps more concerning is the regulatory blind spot: Infrawatch found that meaningful Know Your Customer (KYC) verification was largely absent across downstream proxy providers. Several services explicitly advertise that identity verification is not required, effectively lowering the barrier for malicious actors.

SIM Farm Device Control Interface (Source: Infrawatch)

Several proxy services built on this stack are marketed directly to Russian-speaking audiences, positioning themselves as tools to access geo-restricted Western platforms and circumvent state-level censorship. This dual-use nature complicates enforcement, as legitimate privacy tools and malicious automation infrastructure often share the same underlying architecture.

The discovery aligns with a broader wave of regulatory action. In September 2025, the U.S. Secret Service dismantled a telecommunications threat in New York involving over 300 SIM servers and 100,000 SIM cards. Shortly after, in October 2025, a Europol-supported operation in Latvia disrupted a SIM-box cybercrime network, resulting in seven arrests and the seizure of 1,200 devices and 40,000 active SIMs.

Why IP-Based Controls Fall Short

Infrawatch assesses that ProxySmart materially lowers the barrier to operating and reselling mobile proxy infrastructure at scale. The platform essentially commodifies what was once a highly technical, hardware-intensive operation, making it accessible to operators with minimal networking expertise.

For organizations relying on traditional perimeter defenses, this shift demands a change in strategy. IP-based controls alone are insufficient against infrastructure that dynamically rotates through carrier-grade NAT pools and mimics legitimate client fingerprints. Security teams are increasingly advised to adopt internet infrastructure intelligence platforms capable of real-time scanning, ASN correlation, and behavioral validation. By analyzing connection patterns, TLS JA3 fingerprints, and request timing rather than relying solely on IP reputation, organizations can more effectively detect and block traffic originating from SIM farm proxy networks.

As mobile proxy ecosystems continue to mature, the line between legitimate connectivity tools and automated abuse infrastructure will only blur. Proactive monitoring, layered verification, and infrastructure-aware security architectures will be essential to staying ahead of these evolving threat models.

Related Articles

Back to top button