{
	"id": "9d06da38-5a9f-4629-b63c-cf7ac5a621f7",
	"created_at": "2026-04-06T00:06:13.410402Z",
	"updated_at": "2026-04-10T03:22:09.12332Z",
	"deleted_at": null,
	"sha1_hash": "20767af628bcc604df37855fc6a5e97a305e1a3c",
	"title": "IPCola: A Tangled Mess",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4303189,
	"plain_text": "IPCola: A Tangled Mess\r\nBy Synthient Research\r\nPublished: 2025-12-02 · Archived: 2026-04-05 13:48:58 UTC\r\nIntroduction\r\nOn September 4th 2023, the user \"ipmakers\" posted a thread in the Proxies for Sale section of BlackHatWorld. This thread promoted the launch of ipcola[.]com, a new proxy service claiming to have millions of active IPs.\r\nFig 1. BlackHatWorld thread promoting IPCola\r\nSince most threads on the platform are posted by resellers, this one stood out for its unusual message:\r\n\"We do not provide free trial as IPCola possess grand new proxies generated from worldwide massive IoT, Desktop and Mobile devices.\"\r\nhttps://synthient.com/blog/ipcola-a-tangled-mess\r\nPage 1 of 13\r\nWhich raises the question: \"How exactly are these IP addresses sourced?\"\r\nInvestigating IPCola\r\nIPCola is a non-KYC proxy provider: anyone can sign up on the platform, deposit crypto, and immediately start using the proxies without restriction.\r\nFig 2. IPCola dashboard and the crypto-only top-up system.\r\nLike most platforms, IPCola allows users to purchase residential, datacenter, and ISP proxies, each with its own drawbacks and advantages.\r\nResidential Rotating - Used by clients that need a vast pool of IPs and when IP quality matters. Use cases include credential stuffing, large-scale account registration, and web scraping.\r\nISP Proxies - Purchased through IP brokers such as IPXO or LogicWeb, where the upstream is a residential network. Typically used for social media or scalper bots that require a static IP address.\r\nDatacenter - Routed through datacenter IPs. Used when IP quality is unimportant and bandwidth consumption is heavy.\r\nIPCola's proxy gateway is located at proxy[.]hideiqxshlgvjk[.]com:5050, which resolves to 43[.]198[.]58[.]153.\r\nFig 3. nslookup results for the hideiqxshlgvjk proxy gateway\r\nUsing VirusTotal to perform a reverse DNS lookup for 43[.]198[.]58[.]153, we see several domains that stand out, in particular gtxvdqvuweqs[.]com.\r\nFig 4. Host 43[.]198[.]58[.]153 and its relations\r\nThe domain gtxvdqvuweqs[.]com points to 16[.]162[.]201[.]176, with numerous other domains also pointing to that host. Here we can see the domain gaganode[.]com also referencing it.\r\nFig 5. Pivoting on gtxvdqvuweqs[.]com\r\nLooking at both platforms, we can see a nearly identical UI, further cementing the intertwined relationship.\r\nFig 6. A strikingly familiar UI\r\nGaganode: A Not So Cute Duck\r\nGaganode is a decentralized bandwidth monetization service that enables users to earn crypto for their bandwidth and publishers to monetize other people's bandwidth. Bandwidth acquisition apps are not uncommon within the proxy world, with IPIDEA owning PacketShare, IPRoyal owning Pawns and DataImpulse owning TraffMonetizer, to name a few.\r\nFig 7. Built on “Trust and Love”\r\nOnce a publisher has signed up on Gaganode, they can select their platform of choice and configure their application to begin routing user traffic through Gaganode. Users have the option to run the standalone application or bundle an SDK directly into their application, with Gaganode supporting most operating systems and architectures.\r\nFig 8. An interesting note about installing on low-level IoT devices such as routers.\r\nPublishers can observe connected “nodes” through the dashboard, which provides information regarding the source and quality of the bandwidth. Gaganode administrators can see the same information and can additionally issue remote commands to connected nodes, a feature more closely resembling a botnet than a traditional proxy SDK.\r\nFig 9. Administrator Node View\r\nGaganode SDK\r\nOn startup, the Gaganode Android SDK checks api[.]package[.]coreservice[.]io:10443 to verify that the installed version is up to date.\r\nFig 10. Configuration check determining if out of date.\r\nThe SDK connects over port 5060 to gtxvdqvuweqs[.]com using a custom wire format for communication. Gaganode requests a list of relay servers by sending the MSG_TYPE_NODE_TO_SERVER_ENDPOINT_REQ (100020) message. Subsequent messages are encrypted via an XOR operation using the encrypt_key derived from the initial MSG_TYPE_NODE_TO_SERVER_GET_SEC_KEY (10040) handshake.\r\nFig 11. Custom wire format with an additional layer of message encryption\r\nFrom our investigation we observed Gaganode using the following relay servers, with connections being assigned to random high-numbered ports to allow for load balancing.\r\n18[.]167[.]173[.]120\r\n43[.]198[.]154[.]133\r\n95[.]40[.]49[.]100\r\nProxied requests are received from the relay servers on port 8080; the client is responsible for issuing these requests to the target and returning the response.\r\nGaganode’s SDK implements several dozen commands, the most notable being:\r\nFig 12. Notable Gaganode Commands\r\nOf these, SEC_MSG_TYPE_SERVER_TO_NODE_REMOTE_CMD_REQ grants Gaganode remote code execution (RCE) on any device running the SDK. This capability poses a significant threat, aligning Gaganode more closely with malware than with standard commercial SDKs.\r\nFig 13. Remote code functionality support.\r\nA System Fueled By Any Means\r\nGiven Gaganode's decentralized nature, it sees a wide range of usage, with publishers pushing it into any application you can possibly think of. One example is the Rockchip TV box, a Chinese-operated TV box that comes pre-loaded with Gaganode, EarnFM, and the Popa botnet. Because these boxes run for extended periods, the financial incentive is significantly higher than for other bandwidth-monetization approaches.\r\nFig 14. Rockchip TV Box listing\r\nMost clients of proxy providers prefer long-lasting sessions, using this functionality for account management or when frequent IP changes pose a significant risk of detection.\r\nGaganode’s Windows SDK sees similar usage, appearing in older versions of free password manager applications or on cracked software sites.\r\nFig 15. DualSafe, a “free” password manager\r\nThese apps have a lower barrier to entry, allowing for more installations even if the sessions are shorter.\r\nWho's Behind IPCola?\r\nRe-examining 16[.]162[.]201[.]176, we see another domain, ist-stc.instaip.net, pointing to it; InstaIP is a Chinese proxy provider registered one month prior to IPCola.\r\nFig 16. InstaIP Proxy Platform\r\nInstaIP only allows Chinese payment processors, restricting buyers to that region. Conversely, IPCola processes payments in a range of cryptocurrencies, suggesting it exists to sell to a specific audience without tarnishing the original brand. This hypothesis is further supported by the lack of KYC and its presence on grayhat forums.\r\nFig 17. A thread promoting IPCola on AdvertCn, a Chinese forum akin to BlackHatWorld.\r\nAnother domain we see pointing here is proxy[.]nc-idc[.]net, with nc-idc being a status page belonging to NuoChen Technology, a Chinese hosting company offering residential transit for scalping, social media, and push traffic. The Synthient Research Team believes with high confidence that NuoChen Technology operates both proxy services to monetize existing infrastructure.\r\nFig 18. NuoChen Technology page, selling residential transit for scalping, social media, and push traffic.\r\nConclusion\r\nSynthient observes around 1.6 million unique IPs for IPCola in a week, with a significant portion originating from India, Brazil, and South America. The overlap in IP addresses between IPCola and other proxy providers shows how multiple SDKs are often bundled into a single application.\r\nFig 19. IPCola’s Geographic Distribution of Nodes\r\nIPCola perfectly illustrates the convoluted relationship between proxy providers and SDKs, highlighting the lengths to which proxy services will go to acquire unique IP pools.\r\nIndicators of Compromise\r\nFor a full list of indicators please refer here.\r\nSource: https://synthient.com/blog/ipcola-a-tangled-mess",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://synthient.com/blog/ipcola-a-tangled-mess"
	],
	"report_names": [
		"ipcola-a-tangled-mess"
	],
	"threat_actors": [],
	"ts_created_at": 1775433973,
	"ts_updated_at": 1775791329,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20767af628bcc604df37855fc6a5e97a305e1a3c.pdf",
		"text": "https://archive.orkl.eu/20767af628bcc604df37855fc6a5e97a305e1a3c.txt",
		"img": "https://archive.orkl.eu/20767af628bcc604df37855fc6a5e97a305e1a3c.jpg"
	}
}