Overview
- Google and partners used court-ordered domain takedowns, DNS disruption with Cloudflare, and intelligence sharing with Spur and Lumen’s Black Lotus Labs to impair IPIDEA’s infrastructure.
- Google Play Protect now warns users, removes identified apps containing IPIDEA SDK code, and blocks future installs on certified Android devices.
- Lumen observed about 8.5 million proxies connecting daily before the action and still sees roughly 5 million bots communicating afterward, indicating a partial but significant degradation.
- IPIDEA scaled through monetization SDKs embedded in apps and trojanized binaries (Castar, Earn, Hex, Packet), using a shared two-tier command system with roughly 7,400 tier-two servers.
- More than 550 distinct threat groups used IPIDEA for access operations, botnet control, and DDoS activity, yet the operators remain unidentified and no arrests have been announced.