BlogBusiness

After the NetNut Takedown: What Proxy Users Should Know About Ethical Residential Networks

Google and the FBI disrupted NetNut's residential proxy network in July 2026. Here's what proxy users should know about botnet vs. consent-based sourcing, and how to choose a compliant alternative.

NinjaProxy

On July 2, 2026, something unusual happened in the proxy industry: a publicly traded company's flagship product was seized by the FBI, its Google infrastructure accounts were disabled overnight, and millions of customers lost access to the residential proxy pool they had been paying for. The operation—coordinated by Google's Threat Intelligence Group (GTIG), the FBI, and network intelligence firm Lumen—targeted NetNut, one of the largest residential proxy networks in the world.

If you were a NetNut customer and found your workflows broken without warning, you are not alone. And before you sign up for the first alternative that appears in your search results, it is worth understanding exactly why this happened—and what to look for so it doesn't happen again.


What Was NetNut, and What Did Google and the FBI Actually Disrupt?

NetNut (also tracked internally by researchers as "Popa") offered residential proxy services at scale: a pool of over 2 million IP addresses belonging to real home internet connections around the world. Residential proxies are valuable because they appear to target sites as ordinary consumers, not as data center traffic, making them harder to block.

What NetNut did not advertise was how those 2 million home IPs were sourced.

According to GTIG's investigation—corroborated by independent research from Qurium, Synthient, Nokia Deepfield, and Spur—the vast majority of those devices were not enrolled by their owners. They were infected. Smart TVs, Android streaming boxes, and other consumer electronics were compromised through trojanized applications and malware including the Badbox 2.0 strain, or through pre-installed code on cheap hardware that shipped with backdoors already embedded. Their owners had no idea their home internet connections were being rented out to anonymous third parties.

In a single week in June 2026 alone, GTIG identified 316 distinct threat clusters using NetNut nodes as cover for password-spray attacks and nation-state espionage operations. The people routing cyberattacks through your neighbor's Roku didn't pay NetNut directly—they paid resellers who paid resellers—but the traffic all flowed through the same compromised device pool.

On July 2, Google disabled the Google accounts and infrastructure services NetNut depended on for command and control. The FBI seized netnut.com along with sister domains proxyjet.io and divinetworks.com. NetNut's parent company, Alarum Technologies (NASDAQ: ALAR), disputed the characterization, calling the allegations "demonstrably inaccurate," but the infrastructure was already gone.

For legitimate proxy users—marketers, researchers, price intelligence teams, ad verification professionals—the disruption was immediate and had nothing to do with their own activity. They were collateral damage from the underlying sourcing model.


The NetNut situation puts a sharp edge on a distinction that the proxy industry often obscures with vague marketing language: the difference between a botnet-sourced residential proxy and a consent-based (ethically sourced) residential proxy.

Botnet proxies are what they sound like. The IP addresses in the pool belong to devices that were infected with malware, jailbroken without user knowledge, or shipped with backdoors. The device owner does not know their connection is being used. They have not agreed to anything. From their perspective, their home internet is occasionally slow; from the proxy network's perspective, their IP address is inventory. When law enforcement eventually takes action—as they did with NetNut and as they did with 911.re in 2022—customers lose access instantly and without recourse.

Consent-based residential proxies work differently. The IP addresses in the pool belong to real residential connections whose owners have explicitly opted in—typically through a desktop or mobile app that clearly explains the terms: your idle bandwidth is shared in exchange for a free premium tier, a payment, or some other tangible benefit. Reputable operators can point to the specific apps through which users enrolled, the consent flow those users saw, and the mechanism by which users can opt out at any time.

The distinction matters not just ethically but legally and operationally. Botnet proxies carry ongoing regulatory and law enforcement risk. Consent-based networks, when operated correctly, do not.


Why This Keeps Happening—And Why It Is Getting Harder to Ignore

NetNut is not an isolated case. 911.re, one of the largest residential proxy networks that ever existed, shut down abruptly in 2022 after KrebsOnSecurity exposed that its IP pool was built largely from malware-infected Windows systems. LuxSocks, VIP72, and several other services collapsed under similar circumstances.

The pattern is consistent: a provider competes on pool size and price, achieves scale through infection rather than consent, attracts cybercriminal customers alongside legitimate ones, and eventually draws enough law enforcement attention to collapse—often overnight.

At the same time, the legal perimeter around proxy use and web scraping is tightening independent of the botnet question. In October 2025, Reddit filed a federal lawsuit in New York against Perplexity AI and three data partners—Oxylabs, AWMProxy, and SerpApi—alleging that the companies used large-volume proxy networks, fake user agents, and IP rotation to bypass access controls and scrape Reddit's content without authorization. The complaint introduced the phrase "data laundering" to describe how unlawfully obtained data gets laundered through intermediaries until it appears legitimate.

The Reddit v. Perplexity case is still in early stages, but its framing is significant: courts and plaintiffs are increasingly treating the proxy layer itself—not just the end use—as part of the liability chain. Proxy customers who use botnet-sourced infrastructure are exposed not just to operational disruption but to being named alongside their provider when enforcement catches up.


What to Look For in a Compliant Proxy Provider

If you are evaluating alternatives after the NetNut disruption, here is a practical checklist for assessing whether a residential proxy provider's sourcing is legitimate:

1. Transparent opt-in disclosure The provider should be able to tell you how users are recruited into the peer network—specifically which apps or programs users join, what disclosure they see before enrolling, and what opt-out mechanism exists. Vague claims about "ethically sourced" proxies with no specifics are a red flag.

2. GDPR and CCPA compliance documentation Both regulations require that personal data—including IP addresses when they can identify an individual—be processed with an appropriate legal basis. For residential proxies, that typically means explicit consent. Ask for the provider's Data Processing Agreement (DPA) and confirm it covers the jurisdictions relevant to your use case. A provider that cannot produce a DPA is likely not compliant.

3. No criminal actor history Run the provider name and any parent company names through public sources: KrebsOnSecurity, Proxyway's historical research, and court records. Several current proxy brands are rebrands of networks with law enforcement history.

4. Selective filtering of use cases Ethical providers turn away customers. If a provider will route traffic for any use case, no questions asked, that tells you something about the customer base sharing your exit nodes.

5. Operational stability indicators Publicly traded parent companies are not inherently safer (Alarum was NASDAQ-listed), but verifiable corporate structure, published terms of service, and a real customer support organization are signals that there is something to lose if the service is used maliciously.

6. Pool size claims vs. verifiable capacity Be skeptical of very large pool claims from newer providers. Building a 10-million-IP consent-based network takes years and significant investment in user acquisition. Very large pools from unknown providers frequently indicate botnet sourcing.


NinjaProxy: Ethical Sourcing as a Feature, Not a Footnote

NinjaProxy's residential network is sourced from consent-based pools with disclosed opt-in and opt-out. Peer contributors know their idle bandwidth is being used and can withdraw at any time. The network is GDPR and CCPA compliant—not as a marketing claim, but as a practical requirement of how it was built.

That design choice has operational consequences that benefit customers directly:

No overnight collapse risk. Because the network isn't built on infected devices or legal gray zones, there is no law enforcement target. The infrastructure Google and the FBI disrupted on July 2 doesn't exist in NinjaProxy's stack.

Consistent IP quality. Consent-based nodes tend to be more stable than malware-infected devices, which can drop off the network as users patch their devices or change hardware. Pool quality is more predictable.

Defensible use records. If your scraping or intelligence-gathering work is ever scrutinized—by a target site, a regulator, or in litigation—the proxy layer you used matters. Traffic routed through a consent-based network with documented opt-in flows is categorically different from traffic routed through compromised household devices.

NinjaProxy supports the full range of use cases that residential proxies are built for: web scraping, price monitoring, ad verification, brand protection, market research, and SERP tracking. For teams with compliance obligations—legal, finance, e-commerce—that combination of capability and sourcing integrity is increasingly not optional.


What This Means for Displaced NetNut Users

If you were a NetNut customer, the immediate priority is restoring your workflows. But the right move isn't to find the fastest like-for-like replacement without asking how the pool was built.

The disruption you experienced was a direct consequence of the sourcing model. Choosing a replacement that uses the same sourcing model—botnet-based, malware-infected devices enrolled without consent—means accepting the same operational and legal risk. The next disruption may not come from Google and the FBI. It may come from a site you're scraping that names your proxy provider in a lawsuit, or a regulator that decides the chain of custody for that data matters.

The NetNut takedown is a useful forcing function: a moment when the underlying infrastructure that many proxy users never thought about became impossible to ignore. It is also an opportunity to migrate to infrastructure that will not put you back in the same position in six months.


Getting Started

NinjaProxy offers a free trial with no credit card required. If you're evaluating providers after the NetNut disruption, start here to test the network against your specific use case—web scraping, price monitoring, ad verification, or otherwise.

For teams with compliance requirements, our documentation covers GDPR and CCPA specifics, Data Processing Agreement availability, and how to configure geotargeting for your jurisdiction.


Sources: - Google Disrupts NetNut Residential Proxy Network — The Hacker News - Google, FBI Disrupt NetNut — SecurityWeek - NetNut cracked as Google and FBI target 2 million-device botnet — The Register - FBI Seizes NetNut Proxy Platform — Krebs on Security - Reddit sues Perplexity AI for unauthorized web scraping — ContentGrip - Reddit vs Perplexity: The AI Crawler Data Scraping Lawsuit — Hosted.com