
DSLRoot, Proxies, and the Threat of ‘Legal Botnets’ – Krebs on Security

Admin by Admin
August 27, 2025


The cybersecurity community on Reddit responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement they’d made with a company called DSLRoot, which was paying $250 a month to plug a pair of laptops into the Redditor’s high-speed Internet connection in the United States. This post examines the history and provenance of DSLRoot, one of the oldest “residential proxy” networks with origins in Russia and Eastern Europe.

The query about DSLRoot came from a Reddit user “Sacapoopie,” who did not respond to questions. This user has since deleted the original question from their post, although some of their replies to other Reddit cybersecurity enthusiasts remain in the thread. The original post was indexed by archive.is, and it began with a question:

“I have been getting paid 250$ a month by a residential IP network provider named DSL root to host devices in my home,” Sacapoopie wrote. “They are on a separate network than what we use for personal use. They have dedicated DSL connections (one per host) to the ISP that provides the DSL coverage. My family used Starlink. Is this stupid for me to do? They just sit there and I get paid for it. The company pays the internet bill too.”

Many Redditors said they assumed Sacapoopie’s post was a joke, and that nobody with a cybersecurity background and top-secret (TS/SCI) clearance would agree to let some shady residential proxy company introduce hardware into their network. Other readers pointed to a slew of posts from Sacapoopie in the Cybersecurity subreddit over the past two years about their work on cybersecurity for the Air National Guard.

When pressed for more details by fellow Redditors, Sacapoopie described the equipment supplied by DSLRoot as “just two laptops hardwired into a modem, which then goes to a dsl port in the wall.”

“When I open the computer, it looks like [they] have some sort of custom application that runs and spawns several cmd prompts,” the Redditor explained. “All I can infer from what I see in them is they are making connections.”

When asked how they became acquainted with DSLRoot, Sacapoopie told another user they discovered the company and reached out after viewing an advertisement on a social media platform.

“This was probably 5-6 years ago,” Sacapoopie wrote. “Since then I just communicate with a technician from that company and I help trouble shoot connectivity issues when they arise.”

Reached for comment, DSLRoot said its brand has been unfairly maligned thanks to that Reddit discussion. The unsigned email said DSLRoot is fully transparent about its goals and operations, adding that it operates under full consent from its “regional agents,” the company’s term for U.S. residents like Sacapoopie.

“As though we support honest journalism, we’re against of all kinds of ‘low rank/misleading Yellow Journalism’ done for the sake of cheap hype,” DSLRoot wrote in reply. “It’s obvious to us that whoever is doing this, is either lacking a proper understanding of the subject or doing it intentionally to gain exposure by misleading those who lack proper understanding,” DSLRoot wrote in reply to questions about the company’s intentions.

“We monitor our clients and prohibit any illegal activity associated with our residential proxies,” DSLRoot continued. “We actually didn’t know that the man who made the Reddit post was a military man. Be it an African-American granny trying to pay her rent or a white kid trying to get through college, as long as they can provide an Internet line or host phones for us — we’re good.”

WHAT IS DSLROOT?

DSLRoot is sold as a residential proxy service on the forum BlackHatWorld under the name DSLRoot and GlobalSolutions. The company is based in the Bahamas and was formed in 2012. The service is advertised to people who are not in the United States but who want to seem like they are. DSLRoot pays people in the United States to run the company’s hardware and software — including 5G mobile devices — and in return it rents those IP addresses as dedicated proxies to customers anywhere in the world — priced at $190 per month for unrestricted access to all locations.

The DSLRoot website.

The GlobalSolutions account on BlackHatWorld lists a Telegram account and a WhatsApp number in Mexico. DSLRoot’s profile on the marketing agency digitalpoint.com from 2010 shows their previous username on the forum was “Incorptoday.” GlobalSolutions user accounts at bitcointalk[.]org and roclub[.]com include the email clickdesk@instantvirtualcreditcards[.]com.

Passive DNS records from DomainTools.com show instantvirtualcreditcards[.]com shared a host back then — 208.85.1.164 — with just a handful of domains, including dslroot[.]com, regacard[.]com, 4groot[.]com, residential-ip[.]com, 4gemperor[.]com, ip-teleport[.]com, proxysource[.]net and proxyrental[.]net.

Cyber intelligence firm Intel 471 finds GlobalSolutions registered on BlackHatWorld in 2016 using the email address prepaidsolutions@yahoo.com. This user shared that their birthday is March 7, 1984.

Several negative reviews about DSLRoot on the forums noted that the service was operated by a BlackHatWorld user calling himself “USProxyKing.” Indeed, Intel 471 shows this user told fellow forum members in 2013 to contact him at the Skype username “dslroot.”

USProxyKing on BlackHatWorld, soliciting installations of his adware via torrents and file-sharing sites.

USProxyKing had a reputation for spamming the forums with ads for his residential proxy service, and he ran a “pay-per-install” program where he paid affiliates a small commission each time one of their websites resulted in the installation of his unspecified “adware” programs — presumably a program that turned host PCs into proxies. On the other end of the business, USProxyKing sold that pay-per-install access to others wishing to distribute questionable software — at $1 per installation.

Private messages indexed by Intel 471 show USProxyKing also raised money from nearly 20 different BlackHatWorld members who were promised shareholder positions in a new business that would offer robocalling services capable of placing 2,000 calls per minute.

Constella Intelligence, a platform that tracks data exposed in breaches, finds that the same IP address GlobalSolutions used to register at BlackHatWorld was also used to create accounts at a handful of sites, including a GlobalSolutions user account at WebHostingTalk that supplied the email address incorptoday@gmail.com. Also registered to incorptoday@gmail.com are the domains dslbay[.]com, dslhub[.]net, localsim[.]com, rdslpro[.]com, virtualcards[.]biz/cc, and virtualvisa[.]cc.

Recall that DSLRoot’s profile on digitalpoint.com was previously named Incorptoday. DomainTools says incorptoday@gmail.com is associated with almost two dozen domains going back to 2008, including incorptoday[.]com, a website that offers to incorporate businesses in several states, including Delaware, Florida and Nevada, for prices ranging from $450 to $550.

As we can see in this archived copy of the site from 2013, IncorpToday also offered a premiere service for $750 that would allow the customer’s new company to have a retail checking account, with no questions asked.

Global Solutions is able to provide access to the U.S. banking system by offering customers prepaid cards that can be loaded with a variety of virtual payment instruments that were popular in Russian-speaking countries at the time, including WebMoney. The cards are limited to $500 balances, but non-Westerners can use them to anonymously pay for goods and services at a variety of Western companies. Cardnow[.]ru, another domain registered to incorptoday@gmail.com, demonstrates this in action.

A copy of Incorptoday’s website from 2013 offers non-US residents a service to incorporate a business in Florida, Delaware or Nevada, along with a no-questions-asked bank account, for $750.

WHO IS ANDREI HOLAS?

The oldest domain (2008) registered to incorptoday@gmail.com is andrei[.]me; another is called andreigolos[.]com. DomainTools says these and other domains registered to that email address include the registrant name Andrei Holas, from Huntsville, Ala.

Public records indicate Andrei Holas has lived with his brother — Aliaksandr Holas — at two different addresses in Alabama. Those records state that Andrei Holas’ birthday is in March 1984, and that his brother is slightly younger. The younger brother did not respond to a request for comment.

Andrei Holas maintained an account on the Russian social network Vkontakte under the email address ryzhik777@gmail.com, an address that shows up in numerous records hacked and leaked from Russian government entities over the past few years.

Those records indicate Andrei Holas and his brother are from Belarus and have maintained an address in Moscow for some time (that address is roughly three blocks away from the main headquarters of the Russian FSB, the successor intelligence agency to the KGB). Hacked Russian banking records show Andrei Holas’ birthday is March 7, 1984 — the same birth date listed by GlobalSolutions on BlackHatWorld.

A 2010 post by ryzhik777@gmail.com on the Russian-language forum Ulitka explains that the poster was having trouble getting his B1/B2 visa to visit his brother in the United States, even though he’d previously been approved for two separate guest visas and a student visa. It remains unclear if one, both, or neither of the Holas brothers still lives in the United States. Andrei explained in 2010 that his brother was an American citizen.

LEGAL BOTNETS

We can all wag our fingers at military personnel who should undoubtedly know better than to install Internet hardware from strangers, but in truth there is an endless supply of U.S. residents who will resell their Internet connection if it means they can make a few bucks out of it. And these days, there are plenty of residential proxy providers who will make it worth your while.

Traditionally, residential proxy networks have been constructed using malicious software that quietly turns infected systems into traffic relays that are then sold in shadowy online forums. Most often, this malware gets bundled with popular cracked software and video files that are uploaded to file-sharing networks and that secretly turn the host device into a traffic relay. In fact, USProxyKing bragged that he routinely achieved thousands of installs per week via this method alone.

These days, there are a number of residential proxy networks that entice users to monetize their unused bandwidth (inviting you to violate the terms of service of your ISP in the process); others, like DSLRoot, act as a communal VPN, and by using the service you gain access to the connections of other proxies (users) by default, but you also agree to share your connection with others.

Indeed, Intel 471’s archives show the GlobalSolutions and DSLRoot accounts routinely received private messages from forum users who were college students or young people trying to make ends meet. Those messages show that many of DSLRoot’s “regional agents” often sought commissions to refer friends interested in reselling their home Internet connections (DSLRoot would offer to cover the monthly cost of the agent’s home Internet connection).

But in an era when North Korean hackers are relentlessly posing as Western IT workers by paying people to host laptop farms in the United States, letting strangers run laptops, mobile devices or any other hardware on your network seems like an awfully risky move regardless of your station in life. As several Redditors pointed out in Sacapoopie’s thread, an Arizona woman was sentenced in July 2025 to 102 months in prison for hosting a laptop farm that helped North Korean hackers secure jobs at more than 300 U.S. companies, including Fortune 500 firms.

Lloyd Davies is the founder of Infrawatch, a London-based security startup that tracks residential proxy networks. Davies said he reverse engineered the software that powers DSLRoot’s proxy service, and found it phones home to the aforementioned domain proxysource[.]net, which sells a service that promises to “get your ads live in multiple cities without getting banned, flagged or ghosted” (presumably a reference to CraigsList ads).

Davies said he found the DSLRoot installer had capabilities to remotely control residential networking equipment across multiple vendor brands.

Image: Infrawatch.app.

“The software employs vendor-specific exploits and hardcoded administrative credentials, suggesting DSLRoot pre-configures equipment before deployment,” Davies wrote in an analysis published today. He said the software performs WiFi network enumeration to identify nearby wireless networks, thereby “potentially expanding targeting capabilities beyond the primary internet connection.”
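An added example, not taken from the article or from Infrawatch's analysis: a defender can check resolver logs for the domain the article says the DSLRoot software phones home to, along with some of the domains it lists as having shared a host with it. The log format, the client addresses and the "phone-home"/"related" tags are assumptions constructed for this illustration.

```python
# Domains named in the article (defanged there as name[.]tld). It reports only
# proxysource[.]net as contacted by the DSLRoot software; the others shared a
# host with it in passive DNS. The tags are an assumption of this example.
WATCHLIST = {
    "proxysource.net": "phone-home",
    "dslroot.com": "related",
    "residential-ip.com": "related",
    "proxyrental.net": "related",
}

# Constructed sample resolver log (assumed format): time client qname qtype
SAMPLE_LOG = """\
2025-08-27T10:00:01Z 192.168.1.23 api.ProxySource.net. A
2025-08-27T10:00:02Z 192.168.1.40 www.example.com. A
2025-08-27T10:00:05Z 192.168.1.23 dslroot.com. AAAA
2025-08-27T10:00:09Z 192.168.1.51 notproxysource.net. A
2025-08-27T10:00:12Z 192.168.1.51 proxysource.net.example.org. A
malformed line
"""

def normalize(qname):
    """Refang [.], lower-case and drop the root dot so names compare equal."""
    return qname.replace("[.]", ".").lower().rstrip(".")

def match_domain(qname):
    """Return the watchlist domain qname equals or is a subdomain of, else None."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])  # compare on label boundaries only
        if candidate in WATCHLIST:
            return candidate
    return None

def scan(log_text):
    """Return (client, qname, matched domain, tag) for each watchlisted query."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _, client, qname, _ = fields
        domain = match_domain(qname)
        if domain:
            hits.append((client, normalize(qname), domain, WATCHLIST[domain]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

Matching on whole labels keeps lookalikes such as notproxysource.net, or a watchlisted name used as a prefix of an unrelated zone, from producing false hits.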

It’s unclear exactly when the USProxyKing was usurped from his throne, but DSLRoot and its proxy offerings are not what they used to be. Davies said the entire DSLRoot network now has fewer than 300 nodes nationwide, mostly systems on DSL providers like CenturyLink and Frontier.

On Aug. 17, GlobalSolutions posted to BlackHatWorld saying, “We’re restructuring our business model by downgrading to ‘DSL only’ lines (no mobile or cable).” Asked via email about the changes, DSLRoot blamed the decline in his customers on the proliferation of residential proxy services.

“These days it has become almost impossible to compete in this niche as everyone is selling residential proxies and many companies want you to install a piece of software on your phone or desktop so they can resell your residential IPs on a much larger scale,” DSLRoot explained. “So-called ‘legal botnets’ as we see them.”
