Summary

On 30 June 2026, WAYSCloud stopped a coordinated registration campaign targeting meil, our Nordic email and collaboration platform. No existing accounts were compromised, no customer email was accessed and no outbound abuse occurred.

What made the campaign interesting was not its immediate impact, but how identity, verification and network geography were separated across three countries. The pattern illustrates a broader security problem: attackers can route malicious activity through ordinary household connections, borrowing the reputation of routers and connected devices that may belong to people with no knowledge of the attack.


For years, we have pictured cyberattacks as something that comes from somewhere else: a server in a foreign data centre, a suspicious IP address or a hosting provider with a bad reputation. That mental model is becoming outdated.

On 30 June 2026, we detected and stopped a coordinated registration campaign targeting meil, our Nordic email and collaboration platform.

We found no evidence that existing user accounts were compromised, no evidence that customer email contents were accessed and no evidence of outbound email abuse. The accounts involved were suspended and their active sessions revoked before they could be used to send email.

The attack itself was not the interesting part. The method was.

Some client-side telemetry pointed towards Russia. SMS verification relied on disposable Ukrainian numbers. The traffic that actually reached our systems came through IP addresses assigned to ordinary German consumer broadband networks, with no prior reputation for abuse.

The accounts were created, accessed briefly and then left dormant. One plausible explanation is account seasoning: allowing accounts to appear older and more trustworthy before they are eventually used for spam, fraud or other forms of abuse.

Each observation said very little on its own. Together, they revealed a much more deliberate pattern.

Three countries. One campaign.

So where did the activity actually come from: Russia, Ukraine or Germany? Technically, all three observations matter. From an attribution perspective, none of them answers the question.

A German IP address does not make the attacker German. A Ukrainian telephone number does not make the operation Ukrainian. Client telemetry pointing towards Russia is not, by itself, proof of a Russian actor.

That distinction matters. Modern attackers can separate identity, infrastructure and geography across several layers. The person controlling an operation may be in one country, use verification infrastructure in another and route the final connection through an apparently ordinary consumer network somewhere else.

The camouflage is not separate from the attack. It is part of the attack.

Attackers increasingly borrow our reputation

Traditional security systems are reasonably good at recognising known data centres, hosting providers and networks with a history of abuse. Residential traffic looks different.

It comes from the same broadband providers used by ordinary households. The IP address may never previously have been associated with malicious activity. To a defender, the request may look like one more family connecting to the internet.

This is what makes residential proxy networks so effective. Instead of relying only on suspicious cloud infrastructure, an attacker can route traffic through IP addresses assigned by internet service providers to homes and small businesses. The FBI describes residential proxies as a way for criminals to conceal their true identities and locations by routing activity through consumer and small-business networks.

They borrow the reputation of ordinary connections.

Our broadband connections.

Our routers.

Our streaming boxes, digital picture frames, smartphones and other connected devices.

A device does not need to contain valuable information to be useful to an attacker. It only needs to be online, controllable and capable of relaying traffic. That changes how we need to think about IoT security.

This is no longer a theoretical problem

In January 2026, Google announced that it had disrupted IPIDEA, which it described as one of the world’s largest residential proxy networks.

According to Google Threat Intelligence Group, the operation reduced the proxy network’s available pool of devices by millions. Google also said it had observed more than 550 tracked threat groups using IPIDEA exit nodes during a single seven-day period, including actors associated with espionage, cybercrime and information operations.

Two months later, the US Department of Justice announced the disruption of another residential proxy service, SocksEscort.

According to court documents summarised by the Justice Department, the service infected home and small-business routers with malware and sold access to the resulting connections. Since 2020, it had offered access to approximately 369,000 different IP addresses. As of February 2026, around 8,000 infected routers were still listed as available to customers.

The routers belonged to ordinary people and businesses. The activity routed through them did not.

What is the real price of a cheap connected device?

When we discuss insecure consumer technology, the conversation usually focuses on privacy.

Can the camera watch us?

Can the microphone listen to us?

Can the manufacturer collect more information than we expect?

Those are important questions. But they are not the only ones.

The real cost of an outdated router, an unsupported streaming box or a poorly secured surveillance camera may not be paid by the person who owns it. It may be paid by an entirely different organisation whose systems are attacked through that household’s internet connection.

That does not mean every inexpensive connected device is compromised. It also does not mean we can conclude that the German broadband connections observed in our case necessarily belonged to hacked households. The endpoints could have involved compromised devices, commercial proxyware, knowingly shared bandwidth, malware or other intermediaries.

The evidence shows the route taken by the traffic. It does not, by itself, tell us how control of each endpoint was obtained. That uncertainty is part of the security problem.

IP reputation is still useful. It is no longer sufficient.

IP addresses remain an important security signal. Blocking known malicious infrastructure still prevents a great deal of abuse. But IP reputation can no longer carry the decision alone.

When malicious activity is distributed across large numbers of apparently ordinary connections, defenders need to correlate several weaker signals:

  • identity and verification patterns
  • device and browser behaviour
  • timing and interaction sequences
  • account lifecycle
  • changes in infrastructure
  • similarities across groups of accounts
  • relationships between events that appear unrelated in isolation

The question is no longer simply whether an IP address has a bad reputation. The more important question is whether the complete sequence of events makes sense for a legitimate user.

In our case, the individual signals were weak. A German consumer IP address was not suspicious by itself, and neither was a Ukrainian telephone number or a particular client-side observation. The pattern became visible only when the events were viewed together.

Modern attacks are not becoming invisible. They are becoming better at looking normal.

Connected devices are part of Europe’s digital resilience

Consumers cannot solve this alone. We cannot reasonably expect ordinary families to inspect network traffic from a television box, determine whether a digital picture frame is communicating with unknown infrastructure or know how long a low-cost router will continue receiving security updates.

Responsibility is distributed.

Manufacturers need to provide security updates for connected products over a meaningful lifetime.

Internet service providers need better ways to identify abnormal traffic emerging from consumer networks without turning ordinary broadband connections into instruments of indiscriminate surveillance.

Organisations need to stop treating residential traffic as inherently trustworthy.

Regulators need to recognise that insecure connected products are no longer only a privacy or consumer-protection issue. They have become part of Europe’s digital security infrastructure.

The direction is reflected in the EU’s Cyber Resilience Act, which introduces cybersecurity requirements covering the design, development and maintenance of products with digital elements, as well as manufacturers’ handling of vulnerabilities throughout the product lifecycle. Its reporting obligations begin applying in September 2026, while the main obligations apply from December 2027.

Regulation will not remove the problem. But it establishes an important principle: the security responsibility of a connected product does not end when the device leaves the shop. The security of a device in one person’s living room can affect the security of a company, public institution or digital service in another country.

We have long treated smart devices as potential victims.

It is time to start treating compromised devices as potential ammunition.

The next attack against your organisation may not look as though it came from a hostile data centre. It may look like it came from an ordinary family home.

Not because your neighbour is attacking you.

But because someone else is using their internet connection.

About the incident

A public account of the registration campaign, based on what WAYSCloud knew at an earlier stage of the investigation, is available in the WAYSCloud Trust Center.

Relevant authorities were notified before publication.

Sources