Individual Attribution Overview | Image: Infrawatch
A new investigation by Infrawatch, in collaboration with KrebsOnSecurity, has revealed that a Belarusian national is covertly operating a distributed residential proxy network across U.S. infrastructure, leveraging unsuspecting American households to provide anonymized access to the internet.
According to the report, “Infrawatch assesses with high confidence that DSLRoot operates a distributed residential proxy network across U.S. infrastructure, using hardware deployed in at least 20 states. The network is managed by a Belarusian national with documented residential presence in Minsk and Moscow.”
The network, dubbed DSLRoot, has been active since at least 2012 and currently spans more than 300 hardware devices across the United States. What sets it apart is its deployment method: instead of mobile SDKs or software tricks, DSLRoot ships dedicated hardware into American residences, giving foreign operators persistent access to U.S. residential IP addresses.
The exposure of DSLRoot came on 8 August 2025, when an individual posted on a public forum asking about hosting equipment. Infrawatch identified the poster as “an Ohio-based Air National Guard serviceman assigned to a cyber operations unit, unknowingly hosting foreign-controlled infrastructure in his home.”
The episode underscores how easily foreign operators can place infrastructure inside American networks, even in the homes of trusted military personnel, by presenting proxy devices as innocuous hardware.
DSLRoot’s operation is sophisticated and persistent:
- Custom Proxy Software: Known as DSLPylon, it runs on Windows and was compiled on a Russian-language system. It exposes SOCKS5 and HTTP proxies on ports 3129 and 110 with no authentication, so anyone who can reach those ports can relay traffic through the host's residential connection.
- Router & Modem Exploitation: The malware can remotely control modems from ARRIS/Motorola, Belkin, D-Link, and ASUS, using vendor-specific exploits or hardcoded credentials. For example, it abuses a CSRF flaw in ARRIS Surfboard modems to force reboots and configuration changes.
- Mobile Device Integration: Through Android Debug Bridge (ADB), DSLRoot can manipulate connected smartphones, including toggling airplane mode and resetting cellular connections, which supports its related 4G mobile proxy services.
- IP Rotation: Every 30 minutes the system forces a modem reboot to obtain a new DHCP lease, giving clients a constantly shifting pool of U.S. residential IPs (how often the ISP actually hands out a different address depends on its DHCP policy).
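As an added example, not code from the Infrawatch report or from the DSLRoot/DSLPylon software itself: a small Python probe that a home or network administrator could point at a suspect device on the LAN to check whether it answers the SOCKS5 method negotiation (RFC 1928) with "no authentication", which is the unauthenticated-proxy behaviour described above on port 3129. The probe only completes the greeting and never relays traffic. The fake server used for an offline demonstration, the finding labels, and the default port are assumptions made for illustration.

```python
"""Probe a host for an unauthenticated SOCKS5 proxy.

RFC 1928 greeting: client sends VER(0x05) NMETHODS METHODS..., server
answers VER METHOD. A METHOD of 0x00 means the server will relay with no
credentials at all, i.e. an open proxy.
"""
import socket
import threading

SOCKS5_VER = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF


def socks5_greeting() -> bytes:
    """Client hello offering only the 'no authentication' method."""
    return bytes([SOCKS5_VER, 1, METHOD_NO_AUTH])


def classify_socks5_reply(reply: bytes) -> str:
    """Map the 2-byte method-selection reply to a finding label (labels are assumed)."""
    if len(reply) < 2 or reply[0] != SOCKS5_VER:
        return "not-socks5"            # e.g. a POP3 '+OK' banner on 110, or garbage
    method = reply[1]
    if method == METHOD_NO_AUTH:
        return "open-proxy"            # relays for anyone who can reach the port
    if method in (METHOD_USERPASS, METHOD_NONE_ACCEPTABLE):
        return "socks5-auth-required"  # a proxy, but it rejected the no-auth offer
    return "socks5-unexpected-method-0x%02x" % method


def probe_socks5(host: str, port: int = 3129, timeout: float = 3.0) -> str:
    """Connect, send the greeting, classify the reply; never sends a CONNECT request."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(socks5_greeting())
            reply = s.recv(2)
    except OSError:                    # refused, timed out, unreachable
        return "closed-or-filtered"
    return classify_socks5_reply(reply)


def start_fake_socks5_server(method: int) -> tuple:
    """Constructed stand-in for a proxy that answers every greeting with `method`.

    Listens on 127.0.0.1 on an ephemeral port so the demo runs offline.
    Returns (host, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(3)                              # swallow the client greeting
                conn.sendall(bytes([SOCKS5_VER, method]))  # VER, chosen METHOD

    threading.Thread(target=serve, daemon=True).start()
    return "127.0.0.1", port


if __name__ == "__main__":
    # Demo against the constructed open proxy; replace with a real LAN host/port
    # (e.g. probe_socks5("192.168.1.23", 3129)) to check an actual device.
    host, port = start_fake_socks5_server(METHOD_NO_AUTH)
    print(host, port, probe_socks5(host, port))  # open-proxy
```

Run it against each device on the home subnet on port 3129; an "open-proxy" result means the box will carry third-party traffic out through the household's IP with no credentials, which is exactly the condition the report describes. A "not-socks5" on port 110 usually just means a real POP3 service answered with its banner, so the HTTP proxy described above needs a separate check.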
DSLRoot is openly advertised on BlackHatWorld, a forum specializing in underground marketing techniques, under the alias GlobalSolutions. Subscriptions are sold at $190 per month for unlimited access, with discounts for longer commitments. Customers are given a proxy management dashboard showing the state, city, and current users of each device.
The operator also maintains side businesses, including virtual credit card services and company formation assistance, catering to both English and Russian-speaking markets.
Through OSINT analysis, Infrawatch attributes DSLRoot to Andrei Holas (a.k.a. Andre Holas, Andrei Golas), a Belarusian national. He operates under the alias ryzhik777 (“ginger” in Russian) and has been linked through multiple email accounts and domains, including dslbay[.]com, rdslpro[.]com, and virtualcards[.]biz.
Evidence of Holas’ presence in both Minsk and Moscow is strong: food delivery and courier records show consistent residential activity in both cities. Infrawatch concludes: “The pattern of repeated food deliveries to consistent addresses in both Moscow and Minsk suggests Holas maintains regular living arrangements in both cities, spending considerable time at each location.”
DSLRoot exemplifies the evolving landscape of cyber infrastructure abuse, blending technical sophistication, underground marketing, and operational tradecraft. As Infrawatch warns, “DSLRoot operates without authentication, allowing clients to route traffic anonymously through U.S. residential IPs.”