A technology vendor’s account of what its software is, what it is not, and why responsible research matters to the integrity of the whole discussion.
Over the last several days, two publications in the cybersecurity press have covered a piece of research into the mobile proxy software market, in which ProxySmart is named. Neither the research itself nor the first publication that carried it was preceded by any attempt to contact us. The second publication ran without a request for comment. We learned of the research through a third journalist who forwarded the original URL while asking us to react for balance.
This short essay is our response. It is not a grievance and it is not a legal threat. It is an attempt to put on the public record what our software actually is, what it is not, where the characterisations we have read go wrong technically, and what we believe responsible threat research in this space ought to look like. We hope it is useful to anyone trying to make sense of the coverage.
What ProxySmart is
ProxySmart is a data-path proxy management platform. Its function is narrow and specific: it routes IP traffic through a mobile data connection, so that a client’s HTTP or SOCKS request reaches its destination via an IP address assigned by a mobile carrier. That is the entirety of what the product does at the networking layer. There are no voice primitives in it. There is no capability to originate or terminate calls, no interconnect functionality, no bulk SMS origination. SMS and USSD handling inside the product is limited to receiving carrier notifications and handling service-level messages such as balance checks and activation codes. The product cannot, by design, be repurposed to send SMS campaigns or carry voice traffic, because the primitives required for that simply are not in the software.
This matters because some of the recent coverage has framed ProxySmart deployments using language borrowed from the SIM farm cases dismantled by European and United States authorities over the past year. Those cases concerned GSM and SIP gateway hardware whose purpose is voice termination and SMS origination at industrial scale. The infrastructure targeted in those operations existed to run SIM box fraud, bypass international interconnect settlement, and flood carrier networks with fraudulent voice calls and SMS. That is what the term “SIM farm” means technically. ProxySmart is none of that. Conflating the two conflates materially different categories of infrastructure with materially different harm profiles, and it misinforms readers about what actually exists at the deployments described in the research.
What deployments actually look like in practice
The research gives equal weight to two deployment models: smartphones running an Android app, and USB 4G/5G modems. In reality the smartphone path is a legacy option. It is effectively frozen and sees very little active use. The overwhelming majority of current deployments are built on IoT-class cellular equipment — industrial LTE and 5G modules from vendors such as Quectel and Sierra Wireless, and carrier-branded routers sold directly through mobile operators. These devices sit in the carriers’ own lists of authorised equipment. They work in standard frequency bands, in stock configurations, without external amplification or non-standard antennas. To a carrier, the traffic looks like ordinary machine-to-machine activity on authorised hardware, because that is what it is.
This is the opposite of the hardware profile involved in the SIM farm operations the research points to. Those operations involved amplifier-heavy rack setups, modified devices, and infrastructure specifically engineered to evade carrier-level detection. ProxySmart deployments do not look like that and are not configured for that.
The choice of IoT-class equipment is deliberate on our part. A single device in this class costs roughly $150 to $500, and the software itself is written to run on server-class Linux infrastructure rather than a consumer desktop. This puts a real technical and financial floor under the product. ProxySmart is not something that can be stood up casually. It takes capital, server infrastructure, and operational expertise. That barrier is a feature, not a flaw. It narrows the operator pool toward established commercial players and institutional users, and away from the casual misuse the recent research treats as the dominant mode.
Hardware identity and a note on “spoofing”
We do not support IMEI modification. The software contains no capability to alter hardware identifiers, and we do not endorse any downstream practice that does. IP rotation in the product is achieved through carrier-native mechanisms — reconnecting to the cellular network by toggling the radio on devices that expose that interface. Rotating an IP through a carrier’s own reassignment process is a fundamentally different thing from presenting false device identity, and the product is built for the first, not the second.
The research’s description of “OS fingerprint spoofing” deserves a closer look, because the label carries an implication of evasion that does not accurately describe the feature. Every proxy, by definition, routes traffic through intermediate infrastructure with its own TCP/IP stack — usually Linux on the proxy host. When a Windows client’s traffic exits through a Linux proxy, the application-level headers still say “Windows”, but the underlying TCP stack behaviour says “Linux”. That mismatch is itself an anomaly. Anti-fraud systems see a client whose upper and lower layers disagree, and they can trigger false positives against legitimate users.
What the feature in question does is restore consistency. It aligns the TCP stack fingerprint with the client’s actual operating system, so the combined signature represents the real client rather than the artefact of having passed through a proxy. In the product, the profile is set by the operator per client, to match the end system the client is actually running. It is not a dynamic evasion switch. The design intent is normalisation, not impersonation. Like any configurable setting, it could in principle be misused by an operator pointing it away from the client’s real OS, but that is a question of operator conduct addressable through policy, not a property of the mechanism.
What this infrastructure is used for
Mobile proxy infrastructure — ours and that of other vendors — underpins a wide range of legitimate commercial and research activity. The use cases we see regularly, in no particular order:
- Advertising verification. Global brands need to confirm that their advertising is rendered correctly, to the correct audience, in the correct geography. A United States brand cannot verify how its Brazilian campaign appears from a United States office network. It needs the experience from a Brazilian mobile IP. This is one of the largest legitimate verticals in the industry.
- Brand protection and counterfeit monitoring. Major brands monitor regional markets for counterfeit listings, unauthorised resellers, and trademark misuse, often on mobile-first marketplaces in Asia, Latin America, and the Middle East. Authentic access to those marketplaces requires local mobile egress.
- Price monitoring and competitive intelligence. Airlines, retailers, and e-commerce platforms monitor competitor pricing across geographies. Mobile IPs are required because significant parts of the market serve mobile clients different pricing than desktop or datacentre clients.
- SEO and search-result verification. Agencies and in-house teams verify search rankings and advertising placement the way mobile users in a specific region actually see them. This cannot be reproduced from datacentre infrastructure.
- Cybersecurity and threat research. Threat-intelligence practices, fraud-detection vendors, and academic researchers operate mobile proxy infrastructure for defensive work: training machine learning models on real adversary behaviour so those patterns can be recognised and blocked, studying mobile-oriented threats, and building anti-fraud systems that need real mobile traffic signals to train against. This is standard practice on the defensive side of the industry.
- Quality assurance and application testing. Developers test applications against real mobile carrier conditions in the regions they deploy to: latency, carrier-specific behaviour, captive portals, IPv6 handling. This work cannot be done from datacentre IPs.
- Academic research. University research groups studying censorship, geo-restrictions, carrier-grade NAT behaviour, and mobile-network content filtering rely on this kind of infrastructure to produce peer-reviewed work.
- Anti-fraud model training. Financial institutions and platform operators training fraud-detection systems need real mobile network signals as training data to distinguish legitimate mobile users from automated fraud. Without authentic mobile IP behaviour, these models cannot be calibrated against real traffic.
Among ProxySmart’s licensees are major vendors operating in the cybersecurity, enterprise-scale testing, and digital-marketing verticals. We are bound by contractual confidentiality and cannot name them, and the specifics of their engagements are likewise under non-disclosure. The category is worth mentioning because it is part of the honest picture of who operates on this stack, and not only the downstream providers visible on the public internet.
The VPN parallel
Mobile proxy services and commercial VPNs are closely adjacent technologies. Both mask a client’s origin IP behind an intermediary. Both serve multiple clients from shared address pools. Both are dual-use tools used overwhelmingly for lawful purposes and occasionally for unlawful ones. The major commercial VPN providers operate at scale on precisely the same underlying premise: routing user traffic through infrastructure that presents an IP address other than the user’s own.
The industry does not characterise commercial VPN providers as inherently criminal infrastructure on the basis that some portion of their users commit fraud, evade sanctions, or abuse platforms, and the reason is correct. The legitimate use case is overwhelming. The abuse is a minority problem handled through specific enforcement. The category itself is lawful. Applying a different standard to mobile proxy infrastructure, which sits in the same dual-use category, does not hold up methodologically.
Framing an entire class of lawful infrastructure as criminal, on the basis of a technology stack it shares with actors who misuse it, is the kind of argument that, applied elsewhere, would cast a shadow over most of the commercial internet.
On what we think responsible research looks like
Our position on this is not a complaint about being criticised. We have no objection to researchers looking at our software, describing it, assessing its ecosystem, or raising concerns about how it is used. That work, done well, is a contribution to the industry and we support it. Our objection is narrower and procedural.
Research that publicly names an organisation as underpinning criminal activity has a professional obligation to engage the named party before publication. The party being accused has to be given sight of what is alleged, the specifics behind it, and a meaningful opportunity to respond. That is how factual errors get corrected before they harden into public record. It is how readers receive a balanced account rather than one side of the picture. This is not an unreasonable standard. It is the standard, observed by serious threat-intelligence practitioners and serious security journalists, for exactly the cases where the stakes of getting it wrong are high.
In this case that step was skipped. There was no pre-publication outreach from the research firm. We were given no opportunity to correct technical misrepresentations or to point out legitimate use cases ahead of readers encountering the claims. We flag this not because we are asking for anything retroactively, but because the pattern is not unique to this instance, and it damages the credibility of threat-intelligence work as a whole. A research product that does not invite confrontation with its subject before publication is not a research product. It is a marketing asset.
What happens next
ProxySmart is open to cooperating with credible research into the misuse of its software. If a researcher wishes to share specific identifiers — deployments, licensees, conduct — we will investigate each and take enforcement action under our Acceptable Use Policy where the conduct warrants it. That door is open, and it has been open for the entirety of this matter.
Over the coming weeks we will also publish an updated Acceptable Use Policy with clearer guidance for licensees on downstream due diligence and abuse handling, and a first transparency report covering how abuse reports have been received and acted upon. Both are part of a broader commitment to being a responsible operator in a segment of the industry that has not always had responsible operators, and to demonstrating through documentation rather than rhetoric what that commitment means in practice.
We remain available to anyone — researcher, reporter, regulator, carrier — who wants to engage with us substantively on what this technology is and what it does. The invitation is standing.
Alex Zak
TECHNICAL CONSULTANT & DIRECTOR OF PUBLIC RELATIONS, PROXYSMART