Cyber Incident Victim: 911[.]re

Date: Jul 2022

Location: China

Summary

A residential proxy service abruptly shut down following a security breach that compromised its infrastructure and operations. Attackers exploited an unauthenticated API to manipulate user account balances and subsequently destroyed critical servers, backups, and financial systems, rendering the service irrecoverable. The incident caused widespread disruption among cybercrime communities that heavily relied on the platform for anonymity, leaving limited alternatives for comparable proxy infrastructure. The breach highlighted systemic vulnerabilities in API security, paralleling a similar incident in which another proxy provider leaked customer data through exposed APIs. The shutdown disrupted malicious traffic patterns and may have temporarily reduced fraudulent activity targeting financial and cryptocurrency platforms.

Description

911[.]re, a long-running residential proxy service operating since 2015, permanently ceased operations on July 28, 2022, following a destructive data breach that compromised its core infrastructure. The incident began in early July when attackers exploited an unauthenticated application programming interface (API) responsible for processing user financial deposits, manipulating account balances for an unspecified number of customers. This breach occurred ten days after KrebsOnSecurity published an investigative report detailing 911’s business model, which relied heavily on pay-per-install affiliate programs that covertly bundled proxy software with free utilities and pirated software to expand its network of compromised Windows devices. Within hours of the article’s publication on July 19, 911 suspended new user registrations and balance top-ups, announcing a review of all existing accounts for compliance with terms of service. This triggered widespread service disruptions reported by users across cybercrime forums, with speculation that 911 was implementing stricter "know your customer" measures to filter criminal users. Forensic investigation revealed attackers had not only abused the payment API but also overwrote critical servers and destroyed both primary data and backups, rendering service restoration impossible. The final shutdown notice cited irreversible damage from the July 28 server destruction event, which prevented legitimate user logins and eliminated any path to business continuity.

The breach caused immediate operational paralysis for 911’s global user base, particularly impacting cybercriminal ecosystems that depended on the service as critical infrastructure following the recent closures of competing proxy networks VIP72 and LuxSocks. Attackers achieved comprehensive system compromise by targeting both transactional components (via API exploitation) and persistence mechanisms (through data and backup destruction), effectively eliminating 911’s capacity to validate legitimate users or restore services. Industry observers noted the incident would likely cause temporary disruption to fraud campaigns targeting financial institutions, e-commerce platforms, and cryptocurrency services, as former customers lacked direct replacements for 911’s large pool of residential IP addresses perceived as "clean" by target systems. Concurrently, competing proxy services like Microleaves—which experienced a similar API-related breach disclosure the same week—faced increased scrutiny over their security practices and continued reliance on pay-per-install distribution methods. 911’s operational response included immediate isolation of compromised systems through recharge system deactivation and registration suspension, though these measures proved insufficient against the attacker’s systematic destruction of core infrastructure. The permanent termination of services created a supply gap in the cybercrime proxy market, with forum discussions indicating no comparable alternatives could immediately replicate 911’s scale or reliability.
