When the FBI seized NetNut in July 2026 over a botnet of roughly two million hijacked devices, it exposed an uncomfortable truth about the residential proxy industry: a large share of "residential" IPs come from people who never knowingly agreed to sell their bandwidth. If your business relies on residential proxies, the single most important question you can ask a provider is deceptively simple — where do your IPs actually come from? This guide explains the two ways residential proxies are sourced, the red flags that reveal an unethical (and legally risky) network, and a practical checklist to vet any provider before you trust it.
Every residential proxy pool is built one of two ways. The difference is not a technicality — it is the difference between infrastructure you can rely on and infrastructure that can vanish overnight under a law-enforcement banner.
Users install an app or SDK that clearly discloses that a slice of their idle bandwidth will be shared, they actively agree, and they are compensated for it — with cash, rewards, premium features, or an ad-free experience. Crucially, they can opt out at any time. The people whose IPs make up the pool know exactly what they signed up for. This is the sustainable, legal way to build a residential network.
Malware or a hidden SDK silently conscripts consumer devices — home routers, phones, smart TVs, and IoT gadgets — and their bandwidth is resold as "residential" proxies without the owner ever knowing. This is the model behind the NetNut/Popa takedown, and the earlier 911 S5 network that was dismantled in 2024. The end user has no idea their device is a proxy node, and no way to say no. It is cheap to build and catastrophic to depend on.
Even setting ethics aside, sourcing is a hard business risk:
You can usually tell a lot about a provider from how it talks about its pool. Here is the quick tell:
| ๐ฉ Red flags (walk away) | โ Green flags (trustworthy) |
|---|---|
| Suspiciously cheap for a "huge" residential pool | Fair pricing that reflects real, compensated supply |
| No clear explanation of how IPs are sourced | Public, plain-English sourcing statement |
| Pool tied to "free VPNs" or apps that bury the resale in fine print | Named opt-in apps/SDKs where users knowingly consent and are paid |
| No way for the underlying users to opt out | Users can leave the network at any time |
| Evasive or vague answers about supply | Willing to explain the supply chain and abuse handling |
| Named in abuse reports, botnet research, or takedowns | Clean track record and cooperation with abuse reports |
Before you commit, send these five questions to sales or support. A provider that cannot answer them clearly is a provider to avoid:
Clear, confident answers are a good sign. Deflection, buzzwords, or "that's proprietary" are not.
SpyderProxy is built the opposite way to a botnet. Our residential IPs come from ethically-sourced, opt-in networks where users knowingly consent to and are compensated for sharing a portion of their bandwidth — never from hijacked or malware-compromised devices. And because our pool spans several independent networks — rotating residential, static residential (ISP), datacenter, and 4G/5G mobile — you are not dependent on any single pool that could be disrupted. The result is infrastructure that is both a clean conscience and genuinely resilient.
If you are re-evaluating your provider after the NetNut takedown, start with our NetNut alternative guide, or read up on whether proxies are safe and what a residential proxy actually is.
It means the residential IPs in a proxy pool come from real users who knowingly opted in and are compensated for sharing a portion of their bandwidth, and who can opt out at any time. The opposite is a botnet, where malware conscripts devices without the owner's knowledge or consent.
Two ways: ethically, through opt-in apps and SDKs where users consent and are paid; or unethically, through malware that hijacks routers, phones, and IoT devices and resells their bandwidth without consent. The NetNut and 911 S5 takedowns are examples of the second model.
Using residential proxies is legal, and scraping publicly accessible data is generally permissible. The legal and ethical risk is in the sourcing: if the pool is a botnet, your traffic routed through unknowingly-compromised devices, which is a liability. Choosing an ethically-sourced, opt-in provider removes that risk.
Ask where the IPs come from and whether users opt in and are compensated; look for a public sourcing statement; search for the provider's name alongside "botnet" or "seized"; and test a sample of exit IPs against reputation databases. Evasiveness, no opt-out for underlying users, and prices that are too good to be true are the main red flags.
Beyond ethics, botnet-backed networks can be seized overnight and take your operation offline, expose you to legal and reputational risk, and hand you low-trust IP ranges shared with criminals. Ethically-sourced pools are more stable, cleaner, and increasingly required in enterprise vendor reviews.
Yes. SpyderProxy's residential IPs come from opt-in networks where users consent to and are compensated for sharing bandwidth, not from hijacked devices, and our pool spans several independent networks for resilience.
The NetNut seizure made one thing clear: how a residential proxy network is sourced is not a footnote — it is the whole risk profile. Ethically-sourced, opt-in pools are stable, legal, and clean; botnet-backed pools are a time bomb. Ask the five questions, check the IP reputation, and be wary of prices that are too good to be true. A few minutes of vetting protects you from being the next provider's collateral damage.
Want proxies you never have to second-guess? Start with SpyderProxy residential proxies from $1.75/GB — ethically sourced, spread across multiple independent networks, in 195+ countries, and online right now.