
ProxySmart Exposed: How One Platform Is Powering an Industrial-Scale SIM Farm Underground Economy

Researchers have linked ProxySmart software to 90+ SIM farms enabling fraud at industrial scale. Here's what the infrastructure looks like and how to defend against it.

2026-04-22 · Source: Infosecurity Magazine

This analysis is based on research published by Infosecurity Magazine. CypherByte adds analysis, context, and security team recommendations.

Executive Summary

Threat intelligence firm Infrawatch has published research exposing ProxySmart, a commercially available software platform that has become the operational backbone of a sprawling SIM farm ecosystem spanning more than 90 discrete installations. The findings represent a significant inflection point in the industrialization of mobile fraud infrastructure — moving what was once a fragmented, technically demanding criminal operation into the reach of low-skill threat actors with moderate capital. Security teams responsible for fraud prevention, identity verification systems, and SMS-based authentication pipelines should treat this research as an urgent operational signal, not a background briefing.

The organizations most immediately at risk include financial institutions relying on SMS OTP authentication, telecommunications carriers absorbing artificially generated traffic, digital advertising platforms vulnerable to click fraud and engagement manipulation, and any business using phone number verification as a trust signal in onboarding or account recovery workflows. ProxySmart's architecture effectively commoditizes the hard parts of running a SIM farm — device management, SIM rotation, traffic routing — and packages them into a managed software layer that dramatically lowers the barrier to entry for large-scale mobile fraud operations worldwide.

Key Finding: Infrawatch identified ProxySmart software active across 90+ SIM farm deployments, characterizing the platform's enablement of fraud infrastructure as operating at "industrial scale." The platform abstracts hardware complexity, enabling operators to manage hundreds of physical SIM cards through a centralized software interface.

Technical Analysis

A SIM farm, at its core, is a physical array of mobile devices or dedicated GSM modem hardware — sometimes numbering in the hundreds per installation — each loaded with an active SIM card and connected to a management layer that coordinates their activity. Historically, operating a SIM farm at scale required meaningful technical expertise: writing custom scripts for device coordination, managing SIM card inventories manually, handling carrier detection evasion, and maintaining uptime across heterogeneous hardware. ProxySmart appears to have systematically dismantled each of these friction points.

Based on Infrawatch's findings, ProxySmart functions as a SIM management platform — a software layer that sits above the physical hardware and provides operators with centralized control over SIM identity rotation, proxy traffic routing, and device pool management. The platform's architecture likely employs a client-server model where individual device nodes (running ProxySmart agents) check into a central controller, enabling coordinated tasking across the entire farm. This is architecturally analogous to a botnet C2 structure, except the nodes are physical SIM-equipped devices rather than compromised endpoints.

The proxy functionality is particularly notable. By routing internet traffic through individual SIM cards, each functioning as a residential mobile IP endpoint, ProxySmart-managed farms can generate traffic that appears to originate from legitimate consumer mobile connections across multiple carriers and geographic regions. This makes detection through IP reputation and rate-limiting controls substantially harder. Each SIM card represents a unique MSISDN (mobile subscriber number), a unique IP from carrier NAT pools, and a unique device fingerprint if paired with dedicated hardware — collectively defeating most conventional bot detection heuristics.

Technical Mechanism: ProxySmart likely enables: (1) automated SIM rotation to avoid carrier-side fraud triggers, (2) proxy traffic tunneling through individual SIM connections presenting as legitimate mobile IPs, (3) centralized orchestration of SMS receipt and dispatch across the device pool, and (4) API-accessible interfaces allowing farm operators to offer "SMS verification as a service" to downstream fraud actors.

The SMS-as-a-service use case is where significant downstream harm propagates. SIM farms powered by platforms like ProxySmart serve as the fulfillment layer for online markets where threat actors purchase phone number verifications for account creation at scale on platforms including major social networks, messaging applications, e-commerce sites, and financial services. The operator runs the infrastructure; the customer simply purchases a phone number verification. The economic incentive structure is efficient, scalable, and increasingly professionalized.

Impact Assessment

Telecommunications carriers face direct revenue and network integrity consequences. SIM farms generate artificial A2P (Application-to-Person) SMS traffic and consume carrier resources fraudulently, while SIM cards used in farms are often sourced through fraudulent registration, identity theft, or exploitation of prepaid activation loopholes. Carriers with weak KYC (Know Your Customer) controls during SIM provisioning are effectively subsidizing the input costs of fraud infrastructure.

Identity and authentication systems relying on SMS OTP take perhaps the most acute hit. When phone numbers can be acquired programmatically at volume through ProxySmart-backed services, SMS-based two-factor authentication degrades from a meaningful security control to a friction layer that well-resourced fraud operations can bypass routinely. Account takeover campaigns, synthetic identity fraud, and mass fake account creation all benefit directly from accessible phone number verification infrastructure.

Digital advertising ecosystems represent a third major impact surface. Mobile proxy networks generated by SIM farms are actively used in ad fraud operations — generating fraudulent impressions, clicks, and installs that appear to originate from genuine mobile users. The scale implied by 90+ ProxySmart installations suggests this is not a marginal threat; it represents meaningful contamination of mobile advertising measurement data across the industry.

Scale Indicator: A single SIM farm installation can realistically house 100–500+ active SIMs. At 90+ deployments, the ProxySmart ecosystem may represent operational control over tens of thousands of active mobile identities simultaneously.

CypherByte's Perspective

What Infrawatch's research illustrates most starkly is the platformization of fraud infrastructure — a trend that mirrors what has happened in ransomware with RaaS (Ransomware-as-a-Service) models and in DDoS with booter services. When specialized criminal capability gets wrapped in accessible software with a management interface, the threat actor population able to deploy that capability expands dramatically. ProxySmart is, in effect, SIM fraud infrastructure as a managed service. The technical moat that previously kept SIM farming as a niche criminal vertical has been substantially reduced.

This also underscores a fundamental tension in mobile security architecture: the phone number has been over-trusted as an identity primitive. Industry-wide dependence on SMS OTP as both a second factor and a primary identity signal has created a target-rich environment for exactly this type of infrastructure. ProxySmart's commercial viability — evidenced by its apparent growth to 90+ deployments — is itself a market signal that the returns on attacking phone-number-based verification remain extremely high. The security community's response cannot be purely defensive and detection-oriented; it requires a structural reassessment of how phone numbers are used in trust hierarchies.

Indicators and Detection

Defenders should focus detection efforts across several signal categories associated with SIM farm activity:

Network-level indicators: Unusual concentrations of traffic from carrier-grade NAT IP ranges associated with prepaid mobile plans, particularly where user-agent strings suggest mobile browsers but behavioral patterns (timing regularity, navigation depth, session uniformity) are inconsistent with human users. Anomalous ratios of SMS delivery to unique phone numbers within short windows — particularly for OTP flows — warrant investigation.

Authentication flow anomalies: Phone numbers sharing device fingerprints or behavioral cohorts across account creation events. Numbers registered to carriers or regions inconsistent with claimed user geography. High volumes of phone numbers from the same carrier prefix blocks (NPA-NXX clustering in North American contexts) registering accounts within tight time windows.

Proxy detection signals: Mobile IPs exhibiting unusually low latency variance (suggesting the "mobile device" is in a fixed rack environment rather than a carried phone), and traffic from mobile ASNs that disproportionately appears in known datacenter-adjacent network ranges — an artifact of how some SIM farm hardware routes traffic.
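
The two authentication-flow signals above (NPA-NXX clustering inside a tight time window, and one device fingerprint shared across many phone numbers) can be checked over account-creation logs as in this added example, which is not from Infrawatch or the original article. The event layout, the 10-minute window, and both thresholds are assumptions to tune against your own baseline; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample account-creation events: (ISO timestamp, E.164 number, fingerprint).
EVENTS = [
    ("2026-04-22T10:00:05", "+12025550101", "fp-a1"),
    ("2026-04-22T10:01:10", "+12025550102", "fp-a1"),
    ("2026-04-22T10:02:30", "+12025550103", "fp-a1"),
    ("2026-04-22T10:04:00", "+12025550104", "fp-b2"),
    ("2026-04-22T10:05:45", "+12025550105", "fp-b2"),
    ("2026-04-22T10:20:00", "+14155550110", "fp-c3"),
    ("2026-04-22T13:30:00", "+12125550120", "fp-d4"),
    ("2026-04-22T15:00:00", "+12025550106", "fp-e5"),
    ("2026-04-22T15:05:00", "+447700900123", "fp-f6"),
]

def npa_nxx(number):
    """Return the NPA-NXX block of a +1 number, or None outside that plan."""
    digits = number.lstrip("+")
    if len(digits) == 11 and digits.isdigit() and digits.startswith("1"):
        return f"{digits[1:4]}-{digits[4:7]}"
    return None

def prefix_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Map each NPA-NXX block to its peak count of distinct numbers registering
    within one sliding window, for blocks reaching the (assumed) threshold."""
    by_block = defaultdict(list)
    for ts, number, _ in events:
        block = npa_nxx(number)
        if block:
            by_block[block].append((datetime.fromisoformat(ts), number))
    flagged = {}
    for block, rows in by_block.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # drop registrations older than the window
            distinct = len({n for _, n in rows[start:end + 1]})
            if distinct >= threshold:
                flagged[block] = max(flagged.get(block, 0), distinct)
    return flagged

def shared_fingerprints(events, min_numbers=3):
    """Return fingerprints seen with at least min_numbers distinct numbers."""
    seen = defaultdict(set)
    for _, number, fp in events:
        seen[fp].add(number)
    return {fp: sorted(n) for fp, n in seen.items() if len(n) >= min_numbers}
```

On the sample data, the 202-555 block is flagged with five distinct numbers inside one window, while the sixth 202-555 registration hours later does not extend the burst.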

Detection Note: No specific ProxySmart network signatures or file-based IOCs have been publicly released by Infrawatch at time of publication. Defenders should monitor Infrawatch's forthcoming disclosures for infrastructure-level indicators as the research matures.

Recommendations

For fraud and identity teams: Immediately audit your reliance on SMS OTP as a sole or primary authentication factor. Accelerate migration timelines toward TOTP-based authenticators, passkeys, or hardware token options where feasible. Implement phone number intelligence enrichment (carrier type, line type, porting history, fraud score) at account registration and authentication touchpoints — not purely at onboarding.

For telecommunications security teams: Review SIM provisioning workflows for KYC gaps that enable bulk or fraudulent SIM registration. Implement anomaly detection on SIM activation velocity and SMS traffic pattern analysis at the network level. Engage with industry fraud intelligence sharing groups to obtain emerging indicators tied to ProxySmart-associated infrastructure as Infrawatch's research matures.

For security operations centers: Add SIM farm proxy detection logic to your bot management and web application firewall rulesets. Most commercial bot detection vendors have mobile proxy detection capabilities — validate that your current configuration is actively tuned for carrier NAT and mobile proxy evasion patterns, not just datacenter IP blocking.

For risk and compliance functions: The existence of platforms like ProxySmart should inform your third-party risk posture around any vendor whose trust model depends on phone number uniqueness or SMS deliverability as a fraud signal. Review vendor attestations and request evidence of phone intelligence enrichment in their fraud stacks.

Source credit: This analysis is based on research originally reported by Infosecurity Magazine covering threat intelligence published by Infrawatch. CypherByte's analysis represents independent assessment and commentary based on publicly available information. Original reporting available at Infosecurity Magazine.
