Behind some of the biggest "residential proxy" services lies an uncomfortable secret: the IPs are not volunteered — they are stolen. A residential proxy botnet is a network of ordinary consumer devices — home routers, phones, smart TVs, IoT gadgets — that malware has quietly conscripted and resold as proxies, without the owner ever knowing. A string of law-enforcement takedowns, most recently the FBI's seizure of NetNut in July 2026, has pulled back the curtain on just how common this model is. This guide explains what a residential proxy botnet is, walks through the biggest takedowns, and shows you how to make sure the proxies you pay for are not built on hijacked devices.
Residential proxies route your traffic through real home IP addresses, which is what makes them so effective — websites treat them as genuine users. There are two ways a provider gets those IPs:
A residential proxy botnet is the second kind. To the person whose device is infected, nothing looks wrong — but their home connection is quietly relaying other people's traffic, and their IP can end up implicated in fraud, attacks, or worse. To the customer buying that proxy access, they are unknowingly routing through victims' devices on infrastructure that can be seized overnight.
Law enforcement has dismantled a series of these networks. The pattern is remarkably consistent: a "free" app or malware builds the botnet, a proxy marketplace sells access, and eventually the whole thing collapses under a seizure banner.
For years, 911[.]re was one of the largest residential proxy services on the market. In 2022 it abruptly shut down after security journalist Brian Krebs revealed it had built its pool largely through "free" VPN and utility apps that silently turned users' devices into proxies. It was the first big public crack in the residential-proxy-as-botnet model.
The U.S. Department of Justice announced the takedown of RSOCKS, a botnet that comprised millions of compromised devices worldwide — initially Internet-of-Things devices, later expanding to home and business computers. Operated out of Russia, it was sold as a residential proxy service, with customers renting access to the hijacked IPs.
The DOJ dismantled the IPStorm botnet, which had infected Windows, Mac, Linux, and Android devices and sold access as a proxy and anonymization service. Its operator pleaded guilty to hacking charges. IPStorm showed the model was not limited to one platform — anything with an internet connection was a target.
According to the U.S. Department of Justice, the 911 S5 botnet was likely the largest ever, spanning more than 19 million unique IP addresses across nearly 200 countries (over 613,000 in the U.S. alone). It ran from roughly 2014 through July 2022, distributed through malicious "free" VPN apps such as MaskVPN and DewVPN that secretly enrolled devices. Its administrator, YunHe Wang, was arrested in Singapore in May 2024. Investigators tied 911 S5 to an estimated $5.9 billion in losses from 560,000 fraudulent unemployment claims, and seized around $30 million in assets. It was, in effect, a residential proxy service built entirely on stolen bandwidth.
Most recently, the FBI seized NetNut — a well-known residential proxy provider operated by the publicly traded company Alarum Technologies (NASDAQ: ALAR). Investigators and security researchers linked NetNut to the "Popa" botnet of roughly two million compromised devices, from routers to smart TVs, allegedly used without their owners' consent. Google, Lumen, and other partners assisted, and researchers reported hundreds of distinct threat-actor groups — including cybercriminal and state-espionage crews — using suspected NetNut exit nodes. Alarum has said it is cooperating with investigators. For the full story and what to do if you were a customer, see our NetNut alternative guide.
The mechanics are almost always the same:
The uncomfortable truth: with a "free" VPN or proxy app, you are the product. Your bandwidth is the payment.
For the device owners whose IPs are hijacked: crimes committed through your connection are attributed to your IP, your bandwidth and security are compromised, and you never agreed to any of it.
For the customers who buy botnet-based proxies (often without realizing it):
You can vet a provider in a few minutes. The tells:
Our full checklist is here: how to tell if your residential proxies are ethically sourced.
Not all residential proxies are botnets — the ethical ones are built on opt-in networks where real users knowingly consent to and are paid for sharing bandwidth. That is how SpyderProxy sources its residential proxies: consented, compensated, revocable — never hijacked devices. And because our pool spans several independent networks (residential, ISP, datacenter, and 4G/5G mobile), you are not exposed to a single pool that could be taken down overnight. Ethical sourcing is not just the right thing to do — it is the only sourcing that does not put your operation one seizure away from zero.
It is a network of consumer devices — routers, phones, smart TVs, IoT gadgets — that malware or a hidden SDK has secretly turned into proxy exit nodes without the owner's consent. The hijacked bandwidth is then sold as "residential" proxies. Examples that have been taken down include 911 S5, RSOCKS, and NetNut.
No. Ethically-sourced residential proxies come from real users who opt in through a disclosed app or SDK and are compensated for sharing bandwidth, and who can opt out at any time. Only unethically-sourced networks are botnets. The problem is that many providers are not transparent about which they are.
According to the U.S. Department of Justice, 911 S5 was likely the world's largest botnet ever, with more than 19 million IP addresses across nearly 200 countries. It ran from about 2014 to 2022, was distributed through malicious free VPN apps, and was sold as a residential proxy service. Its administrator was arrested in 2024, and it was linked to billions of dollars in fraud.
In July 2026 the FBI seized NetNut after investigators and researchers linked it to the "Popa" botnet of roughly two million devices allegedly compromised without consent. The network was reportedly used by cybercriminal and espionage groups. NetNut's parent, Alarum Technologies, has said it is cooperating with law enforcement.
Operating a botnet is a serious crime. For customers, knowingly using stolen-bandwidth infrastructure carries real legal and reputational risk, and even unknowing use can implicate your traffic in activity routed through victims' devices. The safe choice is an ethically-sourced, opt-in provider.
Choose a provider that clearly discloses its sourcing, uses opt-in networks where users consent and are compensated, and has no history of takedowns. Ask where the IPs come from, be skeptical of prices that are too good to be true, and test exit-IP reputation before you commit.
From 911[.]re to 911 S5 to NetNut, the same story keeps repeating: a proxy service quietly built on hijacked devices, growing huge on stolen bandwidth, then vanishing under a law-enforcement seizure — taking its customers' operations down with it. The lesson is simple. How a residential proxy network is sourced is the entire risk profile, and "free" or suspiciously cheap residential IPs almost always come at someone else's expense. Choose consented, ethically-sourced proxies, and you never have to wonder whether the FBI is about to end your data pipeline.
Build on IPs that were volunteered, not stolen: SpyderProxy residential proxies from $1.75/GB — ethically sourced, across multiple independent networks, in 195+ countries.