Investigate phishing infrastructure, regional threat actors and geofenced attack surfaces from the same IP class that real targets connect from — not from the easily fingerprinted datacenter ranges malicious operators already know to hide from.
Malicious infrastructure has been cloaking for a decade. Phishing kits check the visitor’s ASN against deny-lists of known scanner networks before rendering the payload. Malware distribution servers serve benign files to research networks and malicious payloads to residential and mobile IPs. Regional threat actors tailor their attacks to specific geographies — an Iran-focused campaign might never light up from a US vantage point.
Researchers who operate exclusively from hosted scanner farms see a curated, defanged version of the threat landscape. Mobile 4G proxies from France and Iran provide the vantage points that actually trigger the full behaviour of regional and mobile-targeted threats — which is what defensive teams need to catalogue, signature and defend against.
Your research traffic looks like a regular smartphone user on Orange, SFR, Bouygues, Free or MCI.
An Iran-targeted campaign will behave for a research IP in Isfahan the same way it does for a real Iranian victim.
We review our customer base and terminate accounts engaged in unauthorized intrusion or sanctions-violating activity.
Metadata only, short retention windows, GDPR-aligned. Your research traffic is not a retained dataset.
France for EU-facing research, Iran for regional threat intelligence.
Modern phishing infrastructure actively fingerprints visitors. If your request comes from a known security-research ASN (AWS, GCP, hosted scanners) or a datacenter network, the kit serves a benign decoy page — a bank home page, a 404, or a harmless redirect. The malicious version only renders to IPs that look like real victims. Mobile carrier IPs look like real victims.
Yes, when the engagement is authorized. Mobile proxies are frequently used to simulate realistic attacker infrastructure during sanctioned red-team operations. We require that you have explicit written authorization from the target organization. Unauthorized intrusion is an AUP violation and we will terminate accounts involved.
Observing publicly reachable content is generally legal under most jurisdictions when done for research and defensive purposes. Interacting with malicious content (executing malware, collecting credentials) may require a formal research agreement or controlled environment. We don’t provide legal advice — consult your compliance team before operating at scale, and document your research protocol.
We retain metadata required for security and billing (aggregate bandwidth, abuse-response records) for a limited period. We do not retain request-level payload or destination logs beyond what is needed for operational integrity. GDPR-aligned retention windows apply.
Research that involves observing publicly reachable Iranian internet infrastructure from within Iran is legal under most Western frameworks, subject to the usual sanctions exceptions for bona fide journalism and academic research. Our Iran proxies are explicitly sold for that kind of legitimate vantage-point acquisition. We do not support or enable activities that violate OFAC or EU sanctions regimes — see our AUP.
Research-team discounts available for qualifying academic and non-profit security organizations — mention it on the contact form.