Executive Summary

On 8 August 2025, an individual posted on a public forum asking about hosting equipment for DSLRoot, a residential proxy provider. The poster was identified with high confidence as an Ohio-based Air National Guard serviceman assigned to a cyber operations unit, unknowingly hosting foreign-controlled infrastructure in his home.

Unlike typical providers that scale via mobile SDKs, DSLRoot deploys dedicated hardware into American residences, creating persistent managed access to U.S. home networks. The network predominantly uses IP space from CenturyLink (Lumen) and Frontier.

Attribution analysis identifies the operator as a Belarusian national with residential presence in Minsk and Moscow. DSLRoot is estimated to operate roughly 300 active hardware devices across 20+ U.S. states. The operator’s presence in Belarus and Moscow is a geographic factor of note, given the deployment of residential proxy hardware in the U.S.

Technical analysis shows DSLRoot’s custom software provides automated remote management of consumer modems (ARRIS/Motorola, Belkin, D-Link, ASUS) and Android devices via ADB, enabling IP address rotation and connectivity control. The network operates without authentication, allowing clients to route traffic anonymously through U.S. residential IPs.

The operators also maintain related services, including virtual credit card issuance and company formation, targeting both English- and Russian-speaking markets.

At the end of this post, we provide a list of IP addresses associated with DSLRoot proxies for reference and research purposes.

Analysis

DSLRoot is advertised on BlackHatWorld by a user operating under the alias GlobalSolutions, offering physical residential ADSL proxies for sale. The company was likely first operational in 2012, and uses the domain dslroot[.]com, offering support through Telegram. Their corporate structure and location are not transparent.

The service spans over 20 U.S. states, including major regions such as the East Coast, West Coast, and Midwest. Pricing is $190 per month for unrestricted access to all locations, with discounted rates of $990 for six months and $1,750 for annual subscriptions.

Upon login, the user is presented with a dashboard - containing the State, City and active number of users currently using the device. The dashboard can be observed below in Figure 1.

Figure 1 - DSLRoot Client Dashboard

Initial Findings

Initial analysis of DSLRoot's publicly accessible dashboard revealed an exposed static IP address 93.125.1[.]209 (AS 50590, PE NETBERRY) geolocated to Minsk, Belarus.

The exposed Belarusian IP address hosts the domain shdwsl[.]com, which resolves directly to 93.125.1[.]209.

Associated infrastructure analysis revealed subdomain resolution traces to 185.251.38[.]102, which hosts simple-proxies[.]com. This secondary domain is assessed with high confidence to represent another proxy service at one time operated by the same entity.

The infrastructure analysis provided the initial indication prompting deeper investigation into DSLRoot's actual operational structure and beneficial ownership, ultimately leading to the attribution findings detailed in subsequent sections.

BlackHatWorld

BlackHatWorld (BHW) is an online forum specialising in alternative SEO techniques and internet marketing methods. The platform hosts a substantial residential proxy marketplace, catering to users engaged in activities requiring them. DSLRoot is advertised on BHW under the account GlobalSolutions.

The BHW account GlobalSolutions was registered using email address prepaidsolutions[@]yahoo.com, the birth date of 07/03/1984, from IP address 66.199.231[.]251 (AS 15149, EZZI-101-BGP, "Ezzie")-a provider that has had a large, documented history of spam and other interesting activity.

Further investigation identified a related account on WebHostingTalk forums using the username GlobalSolutions with email address incorptoday[@]gmail.com, registered from the same IP address 66.199.231[.]251. The shared infrastructure and consistent username pattern across both platforms establishes linkage between the accounts.

Individual Attribution

Investigation of the email address incorptoday[@]gmail.com established with high confidence attribution to an individual identified as Andrei Holas (a.k.a. Andre Holas, Andrei Golas). Multiple OSINT sources confirm Andrei Holas uses his birth date of **/03/1984 consistently across platforms, matching the GlobalSolutions registration data, along with several associated domains:

• andreigolos[.]com

• dslbay[.]com

• rdslpro[.]com

• virtualcards[.]biz

• cardnow[.]ru

This consistency in personal information across independent OSINT sources provides strong evidentiary support linking the GlobalSolutions persona to Andrei Holas. Figure 2 provides an overview of the connections to DSLRoot and other services.

Figure 2 - Individual Attribution Overview

Andrei Holas operates under the alias ryzhik777, derived from the Russian word "рыжик" meaning "ginger," utilising the associated email address [email protected].

OSINT data consistently attributes the alias Andrei Holas (Cyrillic: Голос Андрей) to the operator. Account registrations for the Russian streaming service START under this alias originate from IP 46.56.202[.]82, geolocated to Minsk, Belarus.

Food delivery records from Yandex Food document multiple orders to the Moscow address: Bolshoy Afanasyevsky Lane, 35-37с4, Moscow, 119019, with parallel Papa Johns account registration, indicating sustained residential presence in the Russian capital. The frequency of delivery orders to the same address suggests regular occupancy rather than occasional visits.

Parallel residential activities in Belarus include documented food delivery orders to Minsk addresses including Ulitsa Yakuba Kolasa, 59k2, Minsk 220113, Belarus.

Additionally, multiple Russia-based courier service registrations across both countries indicate active commercial shipping activities consistent with business operations.

The pattern of repeated food deliveries to consistent addresses in both Moscow and Minsk suggests Holas maintains regular living arrangements in both cities, spending considerable time at each location.

Infrastructure Evolution

DSLRoot and its operator maintain an extensive internet footprint spanning multiple business verticals. Their portfolio includes various residential proxy brands, virtual credit card (VCC) services, and company formation businesses such as incorptoday[.]com, which correlates with the previously identified email address incorptoday[@]gmail.com.

This section focuses specifically on DSLRoot's core infrastructure evolution and hosting arrangements over time.

Ecatel (a.k.a. IP Volume, 2012-2022)

From 2012 through August 2022, DSLRoot was hosted on the IP address 93.174.90[.]66, which belongs to AS 202425 (IP Volume)-formerly associated with Ecatel, a notorious bulletproof hosting provider. After Ecatel’s dissolution due to law enforcement activity, its infrastructure remerged under various successor brands, including IP Volume, Novogara and Quasi Network Ltd.

During this time, at least four other brands were hosted under the DSLRoot umbrella connected to the above-mentioned IP address:

• residential-ip[.]com

• 4groot[.]com

• proxyrental[.]net

• proxysource[.]net

Hivelocity (2019-Present)

DSLRoot subsequently migrated to infrastructure on AS40244 (Turnkey Internet LLC, operating as Hivelocity), utilising IP address 208.85.1[.]164, assessed to be a rented dedicated server. This server has hosted DSLRoot's additional brands since 2019, with the primary DSLRoot dashboard migrating to this infrastructure in 2023.

The IP address 208.85.1[.]164 also hosts additional services assessed to be DSLRoot-affiliated, including instantvirtualcreditcards[.]com, a Bitcoin-exclusive VCC service previously hosted at IP Volume on 93.174.90[.]64, and regacard[.]com, which is assessed to be related to the VCC service.

The Network

DSLRoot operates a distributed residential proxy network utilising ADSL connections across multiple U.S. states. The service provides clients with direct access to residential IP addresses through SOCKS5 proxy connections, with the majority of proxy endpoints operating on port 3129 without authentication.

Client

DSLRoot provides clients with custom browser management software. The client software is programmed in Delphi and is built on a per-user basis, embedding the DSLRoot user ID. For this reason, we cannot provide a SHA-256 hash for operational security concerns.

The client software operates through a standardised process designed to simplify proxy usage for end users:

1. The software establishes a local SOCKS5 server on 127.0.0.1:3129, which back-connects to the chosen public proxy IP

2. The software spawns a preconfigured browser instance (Edge, Chrome, or Firefox) with embedded proxy settings

3. All browser traffic is automatically routed through the local SOCKS5 server, which forwards connections to the selected DSLRoot residential endpoint

For Chromium-based browsers, DSLRoot implements specific command-line flags to use proxy functionality and disable features:

The DNS configuration flags appear designed to prevent DNS leaks that could expose users' real locations through bypassing the proxy infrastructure.

Hardware Devices

Infrawatch did not manage to obtain one of the physical devices, however, the physical setup on the public internet forum was described by the user in a post:

"It’s really just two laptops hardwired into a modem, which then goes to a dsl port in the wall. When I open the computer, it looks like the have some sort of custom application that runs and spawns several cmd prompts. All I can infer from what I see in them is they are making connections"

Infrawatch successfully acquired a sample of DSLRoot's proxy server software with SHA-256 hash: 042a8fa307e585952ada30070a2aa5606a9a8fbdf7c9f15d50753fcf33736bc9. Static analysis revealed several key characteristics about DSLRoot's residential infrastructure operations. Using the information gained from reverse-engineering the software, we were able to replicate a likely setup that can be observed below in Figure 3:

Figure 3 - Likely Setup Inferred From Software

Technical Overview

The software is designed to run on Windows systems and appears to be the control software installed on laptops within DSLRoot's distributed network. Written in Delphi and internally named DSLPylon the binary was highly likely compiled on a Russian-language configured machine, evidenced by PE resource property RUSSIAN.

Initial Execution and Communication

Upon execution, DSLPylon contacts DSLRoot's management server at http[:]//internal.to.proxysource[.]net/available.txt to verify connectivity. After successful contact, it establishes both SOCKS5 and HTTP proxy servers without authentication on hardcoded ports (primarily 3129 and 110), then registers with the management infrastructure by transmitting:

• Hardcoded ADSL UUID

• Local time zone information

• ADSL connection type (internal ID)

• Available system memory

• Internal version identifier

Router and Modem Control Mechanisms

Analysis of DSLPylon's functionality revealed capabilities to remotely control residential networking equipment across multiple vendor brands. The software employs vendor-specific exploits and hardcoded administrative credentials, suggesting DSLRoot pre-configures equipment before deployment.

Additionally, DSLPylon performs network enumeration to identify supported modems on the network, potentially expanding targeting capabilities beyond the primary internet connection.

ARRIS/Motorola Modems: DSLPylon (knowingly, or, unknowingly) exploits a documented CSRF vulnerability in ARRIS Surfboard modems to force reboots and configuration changes without authentication.

Belkin Equipment: The software includes SOAP client functionality to communicate with Belkin modems using UPnP commands:

<?xml version="1.0" encoding="utf-8"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">  <s:Body>    <u:SetBinaryState xmlns:u="urn:Belkin:service:basicevent:1">      <BinaryState>1</BinaryState>    </u:SetBinaryState>  </s:Body></s:Envelope>

D-Link Modems: Direct HTTP requests to diagnostic interfaces force system restarts:

192.168.1.1/diagnostics.cgi?hd_syslog=1&todo=res

Generic/OEM Firmware: For ASUS and other brands sharing common OEM firmware:

192.168.100.1/reset.htm?&reset_modem=Restart%20C

Mobile Network Integration

DSLPylon includes Android Debug Bridge (ADB) integration for controlling connected Android devices, aligning with DSLRoot's additional 4G proxy offerings on their website. Upon detecting connected Android devices, the software executes commands to manipulate cellular connectivity:

su -c service call connectivity 33 i32 1
su -c settings put global airplane_mode_on 1
su -c am broadcast -a android.intent.action.AIRPLANE_MODE --ez state true

IP Address Rotation

DSLPylon forces IP address rotation by using standard ISP DHCP lease management behavior. When residential modems reboot, or forced to reboot in this case, they lose their current DHCP lease and must renegotiate with the ISP's DHCP server during the boot sequence.

Default rotation interval appears set to 30 minutes. Within the binary, the following fields are configured by the management server on this timeframe:

• SchAvalFrom and SchAvalTo define operational windows for IP rotation

• SchIdleTime specifies minimum idle duration before triggering rotation

Most residential ISPs maintain large pools of dynamic IP addresses and employ load balancing algorithms that favor distributing addresses across available ranges. When a modem sends a DHCP DISCOVER packet after reboot, the ISP's DHCP server typically assigns an available address from the pool rather than reserving the previous lease. This behavior is particularly common with cable and DSL providers who manage tens of thousands of residential customers within regional service areas.

Hardware Over-Provisioning Considerations

The dual-laptop configuration described by the user appears over-provisioned for basic DHCP-based IP rotation and SOCKS5 proxy services, which could be efficiently handled by single-board computers such as Raspberry Pi devices. Given the operators' assessed involvement in multiple grey-area internet marketing activities, purpose of excess capacity remains unclear.

Assessment

Infrawatch assesses with high confidence that DSLRoot operates a distributed residential proxy network across U.S. infrastructure, using hardware deployed in at least 20 states. The network is managed by a Belarusian national with documented residential presence in Minsk and Moscow, which is a geographic observation relevant to understanding the operator’s locations relative to deployed devices in the U.S.

Indicators of Compromise

Infrawatch’s research provides a window into the scale and depth of our monitoring, covering up to 140 million IP addresses daily across residential proxy, malware, and phishing networks. For researchers and security teams seeking real actionable intelligence, we’ve included the DSLRoot IP addresses below.

For continuous, real-time intelligence on residential proxy networks like DSLRoot, we urge you to sign up to our BETA before it closes.

174.21.141[.]184
174.21.142[.]68
174.21.69[.]216
174.21.77[.]44
174.21.93[.]136
174.24.85[.]141
174.24.93[.]125
174.27.15[.]121
174.27.172[.]22
174.27.184[.]26
174.27.185[.]147
174.27.2[.]170
174.27.21[.]3
174.27.22[.]234
174.27.6[.]115
174.27.68[.]63
174.27.7[.]237
174.27.93[.]125
174.27.93[.]126
184.99.16[.]19
184.99.17[.]136
184.99.24[.]110
184.99.30[.]207
184.99.31[.]87
184.99.38[.]143
199.16.55[.]252
50.126.136[.]30
63.153.130[.]10
63.153.136[.]245
63.153.141[.]231
63.153.155[.]145
63.153.159[.]36
63.153.176[.]21
63.153.176[.]7
63.155.123[.]193
63.155.123[.]194
63.155.32[.]13
63.155.38[.]5
63.155.45[.]252
63.155.46[.]252
63.155.50[.]20
63.155.51[.]104
63.155.55[.]56
63.155.60[.]236
63.155.63[.]193
63.227.244[.]12
65.101.169[.]225
65.128.42[.]184
65.128.42[.]185
67.2.165[.]121
67.2.192[.]114
67.2.213[.]117
67.2.217[.]74
67.2.221[.]186
67.2.248[.]109
67.2.248[.]148
67.42.78[.]217
70.59.195[.]250
70.59.205[.]232
71.212.151[.]54
71.212.157[.]54
75.162.12[.]7
75.162.24[.]117
75.162.3[.]165
75.162.4[.]210
75.162.61[.]0
75.162.61[.]135
75.162.61[.]34
75.162.61[.]45
75.162.61[.]66
75.162.61[.]7
75.162.61[.]72
75.162.61[.]93
75.162.61[.]99
75.168.114[.]23
75.168.114[.]231
75.168.115[.]198
75.168.115[.]230
75.168.116[.]30
75.168.116[.]48
75.168.128[.]249
75.168.143[.]54
75.168.148[.]253
75.168.150[.]247
75.168.152[.]142
75.168.154[.]228
75.168.156[.]46
75.168.82[.]162
174.21.130[.]228
174.21.135[.]74
174.21.139[.]120
174.21.65[.]156
174.21.67[.]136
174.21.68[.]182
174.24.125[.]142
174.24.125[.]185
174.24.125[.]91
174.24.126[.]156
174.24.69[.]61
174.24.71[.]223
174.24.75[.]254
174.24.81[.]236
174.27.164[.]234
174.27.166[.]40
174.27.169[.]221
174.27.174[.]36
174.27.175[.]118
174.27.23[.]138
174.27.27[.]153
174.27.8[.]191
174.27.84[.]225
184.99.31[.]135
184.99.36[.]76
184.99.75[.]122
184.99.75[.]205
184.99.75[.]7
184.99.76[.]225
184.99.76[.]29
63.153.130[.]143
63.153.138[.]236
63.153.142[.]130
63.153.143[.]146
63.153.145[.]156
63.153.165[.]108
63.153.165[.]79
63.155.36[.]199
63.155.47[.]207
63.155.47[.]23
63.155.52[.]20
63.155.55[.]243
63.155.96[.]237
63.155.96[.]240
63.155.96[.]243
63.155.96[.]245
65.128.43[.]182
67.2.176[.]236
67.2.187[.]148
67.2.189[.]159
67.2.242[.]204
67.2.242[.]214
70.59.205[.]36
71.212.33[.]239
75.161.249[.]194
75.162.13[.]166
75.162.21[.]24
75.162.23[.]82
75.162.39[.]103
75.162.39[.]106
75.162.39[.]109
75.162.39[.]111
75.162.39[.]119
75.162.39[.]42
75.162.39[.]49
75.162.39[.]51
75.162.39[.]63
75.162.39[.]96
75.162.7[.]48
75.168.133[.]228
75.168.142[.]195
75.168.144[.]123
75.168.153[.]35
75.168.65[.]203
75.168.86[.]191
75.168.86[.]247
75.168.87[.]28
75.168.87[.]3
75.168.87[.]35
75.168.87[.]61
75.168.87[.]70
75.168.87[.]71