A global investigation has uncovered an industrial-scale mobile proxy ecosystem powered by a shared control platform called ProxySmart, with 87 exposed control panels spanning 17 countries and at least 94 physical phone-farm locations enabling large-scale fraud, bot activity, and identity evasion at commercial scale.
In February 2026, infrastructure intelligence firm Infrawatch investigated self-proclaimed “SIM Farm as a Service” offerings and identified the physical backbone behind them: racks of real smartphones and 4G/5G modems hardwired into carrier networks.
The investigation revealed that a single Belarus-based software platform, ProxySmart, serves as the shared control plane enabling an overwhelming majority of the discovered farms.
Infrawatch identified 87 exposed instances of the ProxySmart control panel across the public internet, linked to at least 24 commercial proxy providers and 35 cellular carriers worldwide.
The observed footprint spans at least 94 physical farm locations across North America, Europe, and South America, with a concentrated presence across 19 U.S. states from California and Texas to Maine and Delaware.
SIM Farm-as-a-Service Network
ProxySmart is marketed as a turnkey, end-to-end stack for operating and monetizing physical SIM farm infrastructure. Sold on a per-SIM pricing model, the platform handles device management, automated IP rotation, customer provisioning, plan enforcement, and anti-bot countermeasures, offering a fully productized SIM Farm-as-a-Service.
SIM Farm (Source: Infrawatch)
The platform supports both physical smartphones and USB 4G/5G modems, with phone-based farms enrolling devices via an unsigned Android APK. Critically, ProxySmart includes OS fingerprint spoofing, allowing farm operators to simulate TCP/IP stack signatures from macOS, iOS, Windows, or Android, undermining fingerprint-based detection used by anti-fraud systems.
SIM Farm Deployments (Source: Infrawatch)
The platform also supports tunneling protocols, including OpenVPN, SOCKS5, VLESS, and HTTP proxies, with VLESS being commonly used for censorship circumvention in Russia, China, and Iran.
Mobile proxies are particularly attractive to threat actors because they operate behind carrier-grade NAT (CGNAT), meaning a single IP address can be shared by multiple legitimate users.
This architecture makes IP-based blocking largely ineffective. Combined with rapid IP rotation achieved simply by toggling airplane mode for three seconds to force carrier reassignment, these farms can cycle through addresses at will, complicating both detection and enforcement.
Carrier access advertised through ProxySmart-backed farms spans major global networks, including AT&T, Verizon, T-Mobile, Vodafone, EE, O2, Deutsche Telekom, Telstra, Rogers, and over 30 others across the U.S., Europe, Australia, and Latin America.
SIM farms enable a wide range of illicit activities at an industrial scale, including:
SMS-based OTP bypass for account takeover and fraud
Fake account creation and social media manipulation
Botting and automated engagement on major platforms
Geo-restriction circumvention, including bypassing Russian state censorship
Payment fraud via interception of financial verification codes
Several ProxySmart-backed providers were found to be marketing directly to Russian-speaking audiences to access U.S.-located mobile connectivity and geo-restricted platforms, such as advanced AI models.
Meaningful Know Your Customer (KYC) verification was uncommon across reviewed providers, with some explicitly advertising zero KYC requirements, effectively making global carrier access available to any buyer with a payment method.
The Infrawatch findings follow a series of major law enforcement actions against SIM farm infrastructure. In September 2025, the U.S. Secret Service dismantled a telecommunications threat in New York involving more than 300 co-located SIM servers and 100,000 SIM cards, an operation large enough that officials warned it could have disrupted the entire NYC cellular network.
In October 2025, a Europol-supported operation in Latvia targeted a cybercrime-as-a-service network relying on SIM-box infrastructure, resulting in seven arrests and the seizure of 1,200 SIM-box devices and 40,000 active SIM cards.
The 17-country footprint identified by Infrawatch includes the United States, Canada, the United Kingdom, Germany, Spain, Portugal, Ukraine, Latvia, France, Romania, Brazil, Ireland, the Netherlands, Australia, Italy, Poland, and Georgia.
The U.S. maintains the highest concentration of deployments, predominantly in major metropolitan areas with strong 4G/5G coverage. In at least one identified U.S. case, an operator inadvertently exposed EXIF metadata in published farm images, allowing Infrawatch to geolocate the operation to New York.
Infrawatch assesses that this ecosystem materially lowers the technical and operational barrier to running mobile proxy infrastructure, with limited gatekeeping imposed by ProxySmart on who can operate the platform.
The combination of carrier-grade NAT, rapid IP rotation, multi-carrier availability, and OS fingerprint spoofing collectively reduces the effectiveness of IP-centric detection controls, posing a persistent and scalable challenge to platform integrity, fraud prevention, and telecom security teams worldwide.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post Massive SIM Farm-as-a-Service Network Exposes 87 Control Panels Across 17 Countries appeared first on Cyber Security News.
