The cybersecurity community on Reddit<\/strong> responded in disbelief this month when a self-described Air National Guard member with top secret security clearance began questioning the arrangement they\u2019d made with company called DSLRoot<\/strong>, which was paying $250 a month to plug a pair of laptops into the Redditor\u2019s high-speed Internet connection in the United States. This post examines the history and provenance of DSLRoot, one of the oldest \u201cresidential proxy\u201d networks with origins in Russia and Eastern Europe.<\/p>\n The query about DSLRoot came from a Reddit user \u201cSacapoopie<\/strong>,\u201d who did not respond to questions. This user has since deleted the original question from their post, although some of their replies to other Reddit cybersecurity enthusiasts remain in the thread<\/a>. The original post was indexed here by archive.is<\/a>, and it began with a question:<\/p>\n \u201cI have been getting paid 250$ a month by a residential IP network provider named DSL root to host devices in my home,\u201d Sacapoopie wrote. \u201cThey are on a separate network than what we use for personal use. They have dedicated DSL connections (one per host) to the ISP that provides the DSL coverage. My family used Starlink. Is this stupid for me to do? They just sit there and I get paid for it. The company pays the internet bill too.\u201d<\/p>\n Many Redditors said they assumed Sacapoopie\u2019s post was a joke, and that nobody with a cybersecurity background and top-secret (TS\/SCI) clearance would agree to let some shady residential proxy company introduce hardware into their network. Other readers pointed to a slew of posts from Sacapoopie in the Cybersecurity subreddit over the past two years about their work on cybersecurity for the Air National Guard.<\/p>\n When pressed for more details by fellow Redditors, Sacapoopie described the equipment supplied by DSLRoot as \u201cjust two laptops hardwired into a modem, which then goes to a dsl port in the wall.\u201d<\/p>\n \u201cWhen I open the computer, it looks like [they] have some sort of custom application that runs and spawns several cmd prompts,\u201d the Redditor explained. \u201cAll I can infer from what I see in them is they are making connections.\u201d<\/p>\n When asked how they became acquainted with DSLRoot, Sacapoopie told another user they discovered the company and reached out after viewing an advertisement on a social media platform.<\/p>\n \u201cThis was probably 5-6 years ago,\u201d Sacapoopie wrote. \u201cSince then I just communicate with a technician from that company and I help trouble shoot connectivity issues when they arise.\u201d<\/p>\n Reached for comment, DSLRoot said its brand has been unfairly maligned thanks to that Reddit discussion. The unsigned email said DSLRoot is fully transparent about its goals and operations, adding that it operates under full consent from its \u201cregional agents,\u201d the company\u2019s term for U.S. residents like Sacapoopie.<\/p>\n \u201cAs although we support honest journalism, we\u2019re against of all kinds of \u2018low rank\/misleading Yellow Journalism\u2019 done for the sake of cheap hype,\u201d DSLRoot wrote in reply. \u201cIt\u2019s obvious to us that whoever is doing this, is either lacking a proper understanding of the subject or doing it intentionally to gain exposure by misleading those who lack proper understanding,\u201d DSLRoot wrote in answer to questions about the company\u2019s intentions.<\/p>\n \u201cWe monitor our clients and prohibit any illegal activity associated with our residential proxies,\u201d DSLRoot continued. \u201cWe honestly didn\u2019t know that the guy who made the Reddit post was a military guy. Be it an African-American granny trying to pay her rent or a white kid trying to get through college, as long as they can provide an Internet line or host phones for us \u2014 we\u2019re good.\u201d<\/span><\/p>\n DSLRoot is sold as a residential proxy service on the forum BlackHatWorld<\/strong> under the name DSLRoot and GlobalSolutions<\/strong>. The company is based in the Bahamas and was formed in 2012. The service is advertised to people who are not in the United States but who want to seem like they are. DSLRoot pays people in the United States to run the company\u2019s hardware and software \u2014 including 5G mobile devices \u2014 and in return it rents those IP addresses as dedicated proxies to customers anywhere in the world \u2014 priced at $190 per month for unrestricted access to all locations.<\/p>\n The DSLRoot website.<\/p>\n<\/div>\n The GlobalSolutions account on BlackHatWorld lists a Telegram account and a WhatsApp number in Mexico. DSLRoot\u2019s profile on the marketing agency digitalpoint.com from 2010 shows their previous username on the forum was \u201cIncorptoday<\/strong>.\u201d GlobalSolutions user accounts at bitcointalk[.]org and roclub[.]com include the email clickdesk@instantvirtualcreditcards[.]com<\/strong>.<\/p>\n Passive DNS records from DomainTools.com<\/strong> show instantvirtualcreditcards[.]com shared a host back then \u2014 208.85.1.164 \u2014 with just a handful of domains, including dslroot[.]com, regacard[.]com, 4groot[.]com, residential-ip[.]com, 4gemperor[.]com, ip-teleport[.]com, proxysource[.]net<\/strong> and proxyrental[.]net.<\/p>\n Cyber intelligence firm Intel 471<\/strong> finds GlobalSolutions registered on BlackHatWorld in 2016 using the email address prepaidsolutions@yahoo.com<\/strong>. This user shared that their birthday is March 7, 1984.<\/p>\n Several negative reviews about DSLRoot on the forums noted that the service was operated by a BlackHatWorld user calling himself \u201cUSProxyKing<\/strong>.\u201d Indeed, Intel 471 shows this user told fellow forum members in 2013 to contact him at the Skype username \u201cdslroot.\u201d<\/p>\n USProxyKing on BlackHatWorld, soliciting installations of his adware via torrents and file-sharing sites.<\/p>\n<\/div>\n USProxyKing had a reputation for spamming the forums with ads for his residential proxy service, and he ran a \u201cpay-per-install<\/a>\u201d program where he paid affiliates a small commission each time one of their websites resulted in the installation of his unspecified \u201cadware\u201d programs \u2014 presumably a program that turned host PCs into proxies. On the other end of the business, USProxyKing sold that pay-per-install access to others wishing to distribute questionable software \u2014 at $1 per installation.<\/p>\n Private messages indexed by Intel 471 show USProxyKing also raised money from nearly 20 different BlackHatWorld members who were promised shareholder positions in a new business that would offer robocalling services capable of placing 2,000 calls per minute.<\/p>\n Constella Intelligence<\/strong>, a platform that tracks data exposed in breaches, finds that same IP address GlobalSolutions used to register at BlackHatWorld was also used to create accounts at a handful of sites, including a GlobalSolutions user account at WebHostingTalk <\/strong>that supplied\u00a0the email address incorptoday@gmail.com<\/strong>. Also registered to incorptoday@gmail.com are the domains dslbay[.]com, dslhub[.]net, localsim[.]com, rdslpro[.]com, virtualcards[.]biz\/cc, and virtualvisa[.]cc.<\/p>\n Recall that DSLRoot\u2019s profile on digitalpoint.com was previously named Incorptoday. DomainTools says incorptoday@gmail.com is associated with almost two dozen domains going back to 2008, including incorptoday[.]com<\/strong>, a website that offers to incorporate businesses in several states, including Delaware, Florida and Nevada, for prices ranging from $450 to $550.<\/p>\n As we can see in this archived copy of the site from 2013<\/a>, IncorpToday also offered a premiere service for $750 that would allow the customer\u2019s new company to have a retail checking account, with no questions asked.<\/p>\n Global Solutions is able to provide access to the U.S. banking system by offering customers prepaid cards that can be loaded with a variety of virtual payment instruments that were popular in Russian-speaking countries at the time, including WebMoney. The cards are limited to $500 balances, but non-Westerners can use them to anonymously pay for goods and services at a variety of Western companies. Cardnow[.]ru<\/a>, another domain registered to incorptoday@gmail.com, demonstrates this in action.<\/p>\n A copy of Incorptoday\u2019s website from 2013 offers non-US residents a service to incorporate a business in Florida, Delaware or Nevada, along with a no-questions-asked checking account, for $750.<\/p>\n<\/div>\n The oldest domain (2008) registered to incorptoday@gmail.com is andrei[.]me<\/strong>; another is called andreigolos[.]com<\/strong>. DomainTools says these and other domains registered to that email address include the registrant name Andrei Holas<\/strong>, from Huntsville, Ala.<\/p>\n Public records indicate Andrei Holas has lived with his brother \u2014 Aliaksandr Holas<\/strong> \u2014 at two different addresses in Alabama. Those records state that Andrei Holas\u2019 birthday is in March 1984, and that his brother is slightly younger. The younger brother did not respond to a request for comment.<\/p>\n Andrei Holas maintained an account on the Russian social network Vkontakte<\/strong> under the email address ryzhik777@gmail.com<\/strong>, an address that shows up in numerous records hacked and leaked from Russian government entities over the past few years.<\/p>\n Those records indicate Andrei Holas and his brother are from Belarus and have maintained an address in Moscow for some time (that address is roughly three blocks away from the main headquarters of the Russian FSB, the successor intelligence agency to the KGB). Hacked Russian banking records show Andrei Holas\u2019 birthday is March 7, 1984 \u2014 the same birth date listed by GlobalSolutions on BlackHatWorld.<\/p>\n A 2010 post by ryzhik777@gmail.com<\/a> at the Russian-language forum Ulitka explains that the poster was having trouble getting his B1\/B2 visa to visit his brother in the United States, even though he\u2019d previously been approved for two separate guest visas and a student visa. It remains unclear if one, both, or neither of the Holas brothers still lives in the United States. Andrei explained in 2010 that his brother was an American citizen.<\/p>\n We can all wag our fingers at military personnel who should undoubtedly know better than to install Internet hardware from strangers, but in truth there is an endless supply of U.S. residents who will resell their Internet connection if it means they can make a few bucks out of it. And these days, there are plenty of residential proxy providers who will make it worth your while.<\/p>\n Traditionally, residential proxy networks have been constructed using malicious software that quietly turns infected systems into traffic relays that are then sold in shadowy online forums. Most often, this malware gets bundled with popular cracked software and video files that are uploaded to file-sharing networks and that secretly turn the host device into a traffic relay. In fact, USPRoxyKing bragged that he routinely achieved thousands of installs per week via this method alone.<\/p>\n These days, there a number of residential proxy networks that entice users to monetize their unused bandwidth (inviting you to violate the terms of service of your ISP in the process); others, like DSLRoot, act as a communal VPN, and by using the service you gain access to the connections of other proxies (users) by default, but you also agree to share your connection with others.<\/p>\n Indeed, Intel 471\u2019s archives show the GlobalSolutions and DSLRoot accounts routinely received private messages from forum users who were college students or young people trying to make ends meet. Those messages show that many of DSLRoot\u2019s \u201cregional agents\u201d often sought commissions to refer friends interested in reselling their home Internet connections (DSLRoot would offer to cover the monthly cost of the agent\u2019s home Internet connection).<\/p>\n But in an era when North Korean hackers are relentlessly posing as Western IT workers by paying people to host laptop farms in the United States, letting strangers run laptops, mobile devices or any other hardware on your network seems like an awfully risky move regardless of your station in life. As several Redditors pointed out in Sacapoopie\u2019s thread, an Arizona woman was sentenced in July 2025 to 102 months in prison<\/a> for hosting a laptop farm that helped North Korean hackers secure jobs at more than 300 U.S. companies, including Fortune 500 firms.<\/p>\n Lloyd Davies<\/strong> is the founder of Infrawatch<\/strong>, a London-based security startup that tracks residential proxy networks. Davies said he reverse engineered the software that powers DSLRoot\u2019s proxy service<\/a>, and found it phones home to the aforementioned domain proxysource[.]net, which sells a service that promises to \u201cget your ads live in multiple cities without getting banned, flagged or ghosted\u201d (presumably a reference to CraigsList ads).<\/p>\n Davies said he found the DSLRoot installer had capabilities to remotely control residential networking equipment across multiple vendor brands.<\/p>\n Image: Infrawatch.app.<\/p>\n<\/div>\n \u201cThe software employs vendor-specific exploits and hardcoded administrative credentials, suggesting DSLRoot pre-configures equipment before deployment,\u201d Davies wrote in an analysis published today<\/a>. He said the software performs WiFi network enumeration to identify nearby wireless networks, thereby \u201cpotentially expanding targeting capabilities beyond the primary internet connection.\u201d<\/p>\n It\u2019s unclear exactly when the USProxyKing was usurped from his throne, but DSLRoot and its proxy offerings are not what they used to be. Davies said the entire DSLRoot network now has fewer than 300 nodes nationwide, mostly systems on DSL providers like CenturyLink and Frontier.<\/p>\n On Aug. 17, GlobalSolutions posted to BlackHatWorld saying, \u201cWe\u2019re restructuring our business model by downgrading to \u2018DSL only\u2019 lines (no mobile or cable).\u201d Asked via email about the changes, DSLRoot blamed the decline in his customers on the proliferation of residential proxy services.<\/p>\n \u201cThese days it has become almost impossible to compete in this niche as everyone is selling residential proxies and many companies want you to install a piece of software on your phone or desktop so they can resell your residential IPs on a much larger scale,\u201d DSLRoot explained. \u201cSo-called \u2018legal botnets\u2019 as we see them.\u201d<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/sacapoopiepost.png?resize=748%2C379&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/saca-twolaptops.png?resize=747%2C218&ssl=1\")
<\/p>\nWHAT IS DSLROOT?<\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/dslroot.png?resize=748%2C425&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/bhw-usproxyking.png?resize=750%2C336&ssl=1\")
<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/incorptoday-bankaccount.png?resize=750%2C648&ssl=1\")
<\/p>\nWHO IS ANDREI HOLAS?<\/h2>\n
LEGAL BOTNETS<\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/08\/DSLROOT-map.png?resize=749%2C489&ssl=1\")
<\/p>\n