SIM farm software network exposed

A software platform traced to Belarus has been identified as a key enabler of a sprawling SIM-farm ecosystem that investigators say is helping cybercriminal operations run at scale across multiple continents. The platform, known as ProxySmart, was linked to at least 94 SIM-farm locations in 17 countries, with researchers identifying 87 exposed instances of its control panel across 24 proxy providers and 35 mobile carriers.

The findings cast fresh light on how mobile proxy services have evolved from a niche tool into a wider fraud infrastructure. SIM farms typically rely on racks of phones, SIM cards and 4G modems connected to live carrier networks. Those connections can then be rented out as mobile proxies, allowing users to route traffic through residential-looking mobile IP addresses that are harder for websites, platforms and anti-fraud tools to flag. That makes them attractive for fake account creation, ad fraud, spam campaigns, phishing support and attempts to evade bot-detection systems.

Researchers said the network they mapped appears to be heavily concentrated in the United States, where farms were found in 19 states stretching from California and Texas to Maine and Delaware. The wider footprint also extended across North America, Europe and South America, suggesting an increasingly global market for what some in the sector now describe as “SIM-Farm-as-a-Service”.

At the centre of the investigation is software that appears to provide operators with a shared management layer. ProxySmart was described as offering automated IP rotation, remote device management and the ability to manipulate network fingerprints. One of the most striking capabilities identified was operating-system spoofing, which can make traffic emerging from mobile carrier infrastructure appear to come from desktop systems such as Windows rather than handsets. That matters because many anti-fraud systems rely on TCP/IP fingerprinting to judge whether a connection is consistent with a real consumer device.

The implications extend beyond nuisance spam. Industry work published this year has highlighted SIM farms as a growing risk for SMS phishing, one-time-password interception, account takeover and the fraudulent mass registration of online identities. Where such systems are combined with proxy networks, they can give criminal groups a way to scale attacks while appearing to operate through ordinary mobile subscribers. That weakens one of the digital economy’s most widely used trust layers: the phone number.

The commercial logic is straightforward. Mobile IP addresses are often seen by platforms as cleaner and less suspicious than data-centre traffic. Fraud actors can exploit that perception to run social media manipulation, credential abuse, marketplace scams and payment fraud with lower rates of detection. In effect, the physical SIM farm provides the network access, while the control software turns scattered hardware into a remotely managed, monetisable service. That industrialisation is what appears to have alarmed investigators most.

There are already signs that parts of the telecom sector are responding. The research indicates that AT&T in the US and Three in the UK have deployed network-level countermeasures aimed at blocking some operating-system spoofing tied to this infrastructure. Broader industry efforts have also accelerated, with mobile operators and academic researchers working on ways to detect SIM farms by identifying automated behaviour, unusual device patterns and other indicators that distinguish illicit bulk operations from legitimate consumer traffic.

The exposure of ProxySmart also fits a broader enforcement picture. European authorities last year dismantled a major SIM-box and SIM-farm-linked operation that investigators said had supported tens of millions of fake accounts, underlining how telecom-linked fraud infrastructure is merging with mainstream cybercrime. At the same time, authorities in India and elsewhere have been tightening scrutiny of SIM issuance, suspicious bulk activation and SIM-swap abuse as criminal groups search for weak points in mobile identity systems.

For policymakers, telecom operators and online platforms, the case points to a persistent structural problem. Mobile numbers remain central to logins, verification and trust signals across banking, social media, messaging and e-commerce. Yet a growing secondary market has emerged around tools that can mass-produce mobile presence and disguise automation as legitimate traffic. As a result, defences that rely too heavily on SMS verification or assumptions about the integrity of mobile-origin connections are looking increasingly fragile.