Or even worse, lots of them are using barely legal residential proxies so the requests are coming from everywhere. In Drew DeVault's article linked in this post he complained precisely about the residential-looking source IP addresses [0]. And I think I remember something about a Chinese company, some months ago, very aggressively scraping using that method.

Companies like DataImpulse [1] or ScraperAPI [2] will happily publicize their services with that specific target.

--

  0: https://drewdevault.com/2025/03/17/2025-03-17-Stop-externalizing-your-costs-on-me.html
  1: https://dataimpulse.com/use-cases/ai-proxies/
  2: https://www.scraperapi.com/solutions/ai-data/

Are these "residential proxies" assumed to be infected devices part of a botnet or malicious apps on users' phones?

A lot of these residential proxy as a service companies just use regular ISPs to run their automated headless browsers. It doesn't need to be illegal.

I guess iot devices and mobile apps.

Unethical, definitely. Illegal, no.