A sprawling global network of SIM farms masquerading as commercial mobile proxy infrastructure is drawing growing scrutiny from cybersecurity researchers, raising serious concerns about fraud enablement, evasion services, and the industrialization of abusive automation.

Fresh research published by Infrawatch has pulled back the curtain on what may be one of the most underreported abuse ecosystems supporting cybercrime today: “SIM Farms as a Service.” Their investigation uncovered 87 exposed ProxySmart-powered SIM farm control panels across 17 countries, linked to at least 24 commercial proxy providers, revealing a shared control plane that appears to power a significant portion of the global mobile proxy underground.

The findings point to something much larger than isolated “phone farms.” They reveal a scalable ecosystem blending software, telecom abuse, automation tooling, and anti-detection techniques, one increasingly relevant to fraud defenders, digital identity teams, law enforcement, and enterprise security leaders.

What Are SIM Farms And Why Should Security Teams Care?

At first glance, SIM farms may look like racks of smartphones and USB modems connected to carrier networks.

In practice, they can function as industrial-scale infrastructure for evasion.

These farms route traffic through real 4G/5G carrier connections, giving users access to rotating residential-looking mobile IP addresses, often harder for platforms to block than datacenter proxies.

According to the research, many operators leverage ProxySmart, a turnkey platform that enables:

• Automated IP rotation
• Remote device orchestration
• Carrier switching
• OS fingerprint spoofing
• SMS handling for account verification abuse
• Customer provisioning and proxy resale

In other words: this is not improvised fraud infrastructure anymore, it is productized.

And that changes the threat landscape.

From Proxy Tool to Shared Abuse Ecosystem

What makes the findings particularly significant is the scale.

Researchers identified at least 94 physical phone-farm locations distributed across North America, Europe, South America, and Australia, with a heavy U.S. concentration spanning 19 states.

Carrier access reportedly spans major telecom brands globally, including AT&T, Verizon, Vodafone, Deutsche Telekom, Orange, Telcel, Telstra and others.

That multi-carrier diversity gives operators a powerful evasion advantage:

• Bypassing geolocation controls
• Evading IP reputation systems
• Circumventing anti-bot defenses
• Enabling account creation fraud
• Supporting automation at scale

This helps explain why mobile-origin traffic has become so attractive in abuse ecosystems.

As Infrawatch’s analysis suggests, many providers appear to be using a shared OEM software stack, materially lowering the barrier to entry for operating these networks.

That has implications far beyond fraud.

Why This Matters to Defenders

SIM farms are increasingly associated with abuse operations such as:

• Account farming
• Credential abuse
• Ad fraud
• Fake engagement amplification
• SMS verification bypass
• Bot-driven social media manipulation
• Geo-restricted service evasion
• Fraud against digital identity systems

For defenders relying heavily on IP-based trust decisions, that is a problem.

Carrier-grade NAT, rapid IP rotation and spoofed network fingerprints can reduce the effectiveness of traditional detection controls.

This is where cybersecurity strategy, identity assurance, and advanced fraud detection – supported by specialists such as Saintynet Cybersecurity – become increasingly important.

Because this is not just infrastructure abuse.

It is trust abuse.

The Rise of Mobile Proxy Evasion as a Service

One of the more troubling findings is how openly commercialized parts of this ecosystem appear to be.

Some providers reportedly market services for:

• Social platform automation
• Botting operations
• “Real phone” U.S. connectivity
• Anti-fraud evasion
• Access to geo-restricted services

In some cases, researchers observed minimal KYC requirements — or none at all.

That raises questions for:

• Telecom providers
• Regulators
• Fraud prevention teams
• Digital platforms
• National security stakeholders

It also reflects a broader shift: abuse infrastructure is increasingly being sold as a service.

We have seen this evolution in ransomware.

Now we are seeing versions of it in mobile proxy abuse.

Technical Features Raising Concern

Among the capabilities highlighted in the research:

1. Automated IP Rotation

Some deployments reportedly force carrier reconnection through airplane mode cycling to obtain fresh IP addresses.

2. OS Fingerprint Spoofing

Proxy traffic can reportedly mimic Windows, Android, iOS or macOS signatures to weaken device fingerprint controls.

3. SMS Automation Support

Support for send/receive SMS creates obvious abuse potential around OTP flows and phone verification.

4. Multi-Protocol Tunneling

Support for SOCKS5, HTTP proxies, OpenVPN and VLESS expands operational flexibility.

5. Reverse Proxy Obfuscation

Infrastructure hiding complicates attribution and takedown efforts.

Taken together, this resembles abuse infrastructure engineered for resilience.

Global Implications

This matters far beyond fraud teams.

For governments, enterprises and platforms globally, these ecosystems can impact:

• Digital identity assurance
• Telecom security
• Election integrity
• Platform abuse prevention
• Financial fraud detection
• Threat intelligence operations

Optional MEA Lens

For Middle East and Africa organizations – particularly in fintech, telecom, e-government and digital services – mobile-first ecosystems can make abuse involving SIM infrastructure especially relevant.

As digital identity programs expand regionally, these risks deserve attention.

10 Recommended Security Actions

Organizations should consider the following:

1. Move Beyond IP-Based Trust

Do not rely on IP reputation alone for fraud detection.

2. Strengthen Device Intelligence

Use layered device and behavioral signals to detect spoofing.

3. Harden SMS/OTP Workflows

Reduce dependence on phone verification alone.

4. Monitor Mobile Proxy Abuse Indicators

Track suspicious carrier-origin traffic patterns.

5. Improve Bot Detection Models

Tune controls to detect mobile-origin automation.

6. Incorporate Infrastructure Intelligence

Leverage threat intelligence to monitor abuse-linked proxy ecosystems.

7. Review Identity Proofing Controls

Test resilience against mobile proxy-assisted fraud.

8. Expand Fraud Awareness Training

Strengthen security awareness and fraud defense programs through resources.

9. Engage Telecom and Platform Partners

Cross-sector coordination will matter.

10. Prepare for Abuse-at-Scale Scenarios

Design defenses assuming adversaries can rent sophisticated evasion infrastructure.

Bigger Industry Questions

The research raises a broader strategic issue:

If SIM farms can now be productized, distributed and commercially resold at scale…

What comes next?

• SIM farms integrated into cybercrime supply chains?
• Abuse marketplaces bundling identity fraud tooling?
• Mobile proxy infrastructure supporting AI-driven automation attacks?

These questions deserve deeper scrutiny.

Related coverage on infrastructure abuse and fraud ecosystems can also be explored.

Conclusion

The Infrawatch findings reveal something significant:

The mobile proxy ecosystem may be underpinned by a far more organized SIM farm infrastructure than many defenders realized.

What appears on the surface as proxy services may, in some cases, represent a shared global control plane enabling evasion, automation and abuse at industrial scale.

For security professionals, the takeaway is clear:

Trust models built around IP reputation alone are increasingly insufficient.

As abuse infrastructure evolves, defenders must evolve faster.