SpyderProxySpyderProxy
↖ Back to blog

Residential Proxy Botnets Explained: 911 S5, NetNut & the Takedowns

Daniel K./Wed Jul 08 2026/9 min read

Behind some of the biggest "residential proxy" services lies an uncomfortable secret: the IPs are not volunteered — they are stolen. A residential proxy botnet is a network of ordinary consumer devices — home routers, phones, smart TVs, IoT gadgets — that malware has quietly conscripted and resold as proxies, without the owner ever knowing. A string of law-enforcement takedowns, most recently the FBI's seizure of NetNut in July 2026, has pulled back the curtain on just how common this model is. This guide explains what a residential proxy botnet is, walks through the biggest takedowns, and shows you how to make sure the proxies you pay for are not built on hijacked devices.

What Is a Residential Proxy Botnet?

Residential proxies route your traffic through real home IP addresses, which is what makes them so effective — websites treat them as genuine users. There are two ways a provider gets those IPs:

  • Ethically — real users opt in through a clearly disclosed app or SDK and are compensated for sharing a slice of their idle bandwidth. They can leave at any time.
  • As a botnet — malware or a hidden SDK infects consumer devices and turns them into proxy exit nodes without the owner's knowledge or consent. Their bandwidth is then sold to strangers, sometimes including criminals.

A residential proxy botnet is the second kind. To the person whose device is infected, nothing looks wrong — but their home connection is quietly relaying other people's traffic, and their IP can end up implicated in fraud, attacks, or worse. To the customer buying that proxy access, they are unknowingly routing through victims' devices on infrastructure that can be seized overnight.

The Biggest Residential Proxy Botnet Takedowns

Law enforcement has dismantled a series of these networks. The pattern is remarkably consistent: a "free" app or malware builds the botnet, a proxy marketplace sells access, and eventually the whole thing collapses under a seizure banner.

911[.]re (2022)

For years, 911[.]re was one of the largest residential proxy services on the market. In 2022 it abruptly shut down after security journalist Brian Krebs revealed it had built its pool largely through "free" VPN and utility apps that silently turned users' devices into proxies. It was the first big public crack in the residential-proxy-as-botnet model.

RSOCKS (June 2022)

The U.S. Department of Justice announced the takedown of RSOCKS, a botnet that comprised millions of compromised devices worldwide — initially Internet-of-Things devices, later expanding to home and business computers. Operated out of Russia, it was sold as a residential proxy service, with customers renting access to the hijacked IPs.

IPStorm (2023)

The DOJ dismantled the IPStorm botnet, which had infected Windows, Mac, Linux, and Android devices and sold access as a proxy and anonymization service. Its operator pleaded guilty to hacking charges. IPStorm showed the model was not limited to one platform — anything with an internet connection was a target.

911 S5 (May 2024) — "the world's largest botnet ever"

According to the U.S. Department of Justice, the 911 S5 botnet was likely the largest ever, spanning more than 19 million unique IP addresses across nearly 200 countries (over 613,000 in the U.S. alone). It ran from roughly 2014 through July 2022, distributed through malicious "free" VPN apps such as MaskVPN and DewVPN that secretly enrolled devices. Its administrator, YunHe Wang, was arrested in Singapore in May 2024. Investigators tied 911 S5 to an estimated $5.9 billion in losses from 560,000 fraudulent unemployment claims, and seized around $30 million in assets. It was, in effect, a residential proxy service built entirely on stolen bandwidth.

NetNut / "Popa" (July 2026)

Most recently, the FBI seized NetNut — a well-known residential proxy provider operated by the publicly traded company Alarum Technologies (NASDAQ: ALAR). Investigators and security researchers linked NetNut to the "Popa" botnet of roughly two million compromised devices, from routers to smart TVs, allegedly used without their owners' consent. Google, Lumen, and other partners assisted, and researchers reported hundreds of distinct threat-actor groups — including cybercriminal and state-espionage crews — using suspected NetNut exit nodes. Alarum has said it is cooperating with investigators. For the full story and what to do if you were a customer, see our NetNut alternative guide.

How These Networks Operate

The mechanics are almost always the same:

  1. The lure. A "free" VPN, a free proxy app, a game mod, or a bundled SDK inside another app. The catch is buried in the fine print — or there is no disclosure at all, just malware.
  2. The infection. Once installed, the device becomes a proxy exit node. It sits quietly, relaying other people's traffic through the owner's home IP.
  3. The marketplace. The operator sells access through a slick proxy dashboard, letting customers pick IPs by country, city, or ISP — the same features a legitimate provider offers.
  4. The customers. Scrapers, ad-fraud operators, and in the worst cases cybercriminals and spies, all routing through unwitting households.

The uncomfortable truth: with a "free" VPN or proxy app, you are the product. Your bandwidth is the payment.

Why This Is Dangerous — For Everyone

For the device owners whose IPs are hijacked: crimes committed through your connection are attributed to your IP, your bandwidth and security are compromised, and you never agreed to any of it.

For the customers who buy botnet-based proxies (often without realizing it):

  • Sudden shutdown. When the botnet is seized, your entire operation goes dark instantly — no notice, no migration window.
  • Legal and reputational exposure. Your traffic routed through unknowingly-compromised victims' devices — a liability no serious business wants.
  • Dirty IPs. Botnet exit nodes are shared with criminals, so those ranges are blocklisted and low-trust, quietly tanking your success rates.

How to Tell If Your Provider Is a Botnet

You can vet a provider in a few minutes. The tells:

  • Sourcing. Ask directly where the residential IPs come from, whether users opt in and are compensated, and whether they can opt out. Evasiveness is a red flag.
  • Price. Bandwidth from genuinely consented users costs money. A pool that badly undercuts everyone is often cutting the one corner that matters.
  • Reputation. Search the provider's name alongside "botnet" and "seized." A history of takedown coverage is decisive.
  • IP quality. Test sample exit IPs against reputation databases; botnet ranges show up as flagged or abusive.

Our full checklist is here: how to tell if your residential proxies are ethically sourced.

The Ethical Alternative

Not all residential proxies are botnets — the ethical ones are built on opt-in networks where real users knowingly consent to and are paid for sharing bandwidth. That is how SpyderProxy sources its residential proxies: consented, compensated, revocable — never hijacked devices. And because our pool spans several independent networks (residential, ISP, datacenter, and 4G/5G mobile), you are not exposed to a single pool that could be taken down overnight. Ethical sourcing is not just the right thing to do — it is the only sourcing that does not put your operation one seizure away from zero.

Frequently Asked Questions

What is a residential proxy botnet?

It is a network of consumer devices — routers, phones, smart TVs, IoT gadgets — that malware or a hidden SDK has secretly turned into proxy exit nodes without the owner's consent. The hijacked bandwidth is then sold as "residential" proxies. Examples that have been taken down include 911 S5, RSOCKS, and NetNut.

Are all residential proxies botnets?

No. Ethically-sourced residential proxies come from real users who opt in through a disclosed app or SDK and are compensated for sharing bandwidth, and who can opt out at any time. Only unethically-sourced networks are botnets. The problem is that many providers are not transparent about which they are.

What was the 911 S5 botnet?

According to the U.S. Department of Justice, 911 S5 was likely the world's largest botnet ever, with more than 19 million IP addresses across nearly 200 countries. It ran from about 2014 to 2022, was distributed through malicious free VPN apps, and was sold as a residential proxy service. Its administrator was arrested in 2024, and it was linked to billions of dollars in fraud.

Why was NetNut seized?

In July 2026 the FBI seized NetNut after investigators and researchers linked it to the "Popa" botnet of roughly two million devices allegedly compromised without consent. The network was reportedly used by cybercriminal and espionage groups. NetNut's parent, Alarum Technologies, has said it is cooperating with law enforcement.

Is it illegal to use a residential proxy botnet?

Operating a botnet is a serious crime. For customers, knowingly using stolen-bandwidth infrastructure carries real legal and reputational risk, and even unknowing use can implicate your traffic in activity routed through victims' devices. The safe choice is an ethically-sourced, opt-in provider.

How do I avoid botnet-based proxies?

Choose a provider that clearly discloses its sourcing, uses opt-in networks where users consent and are compensated, and has no history of takedowns. Ask where the IPs come from, be skeptical of prices that are too good to be true, and test exit-IP reputation before you commit.

Conclusion

From 911[.]re to 911 S5 to NetNut, the same story keeps repeating: a proxy service quietly built on hijacked devices, growing huge on stolen bandwidth, then vanishing under a law-enforcement seizure — taking its customers' operations down with it. The lesson is simple. How a residential proxy network is sourced is the entire risk profile, and "free" or suspiciously cheap residential IPs almost always come at someone else's expense. Choose consented, ethically-sourced proxies, and you never have to wonder whether the FBI is about to end your data pipeline.

Build on IPs that were volunteered, not stolen: SpyderProxy residential proxies from $1.75/GB — ethically sourced, across multiple independent networks, in 195+ countries.

Proxies Built on Volunteered IPs, Not Stolen Ones

SpyderProxy sources every residential IP from opt-in, compensated networks — never hijacked devices. From $1.75/GB across 195+ countries, spread over multiple independent networks.