A big proxy network is not automatically a responsible proxy network. If July 2026 taught proxy buyers one thing, it's that. Google's NetNut disruption dragged a question onto the front page that most of us should've been asking all along: where do these IPs actually come from, and who checked?
Disclosure: BestProxyReviews is reader-supported. This page contains affiliate links and compensated placements, and we may earn a commission when you buy through them, at no extra cost to you. See our disclaimer for details.

What happened with NetNut?
On July 2, 2026, Google Threat Intelligence Group published a post titled Google's Continued Disruption of Malicious Residential Proxy Networks. The short version: Google said it took coordinated action with the FBI, Lumen, and others against the NetNut residential proxy network, which also goes by the name Popa.
Per Google's post, the action ran on several fronts at once. Google accounts and services that were being used for malware command and control got disabled. Technical intelligence about NetNut SDKs and backend infrastructure went out to platform providers, law enforcement, and research firms. And Play Protect started warning users and disabling apps known to carry NetNut SDKs.
I read a lot of threat-intel posts for this site, and two numbers in this one stopped me cold. Google put the network at a minimum of 2 million devices, and said the disruption cut the available device pool by millions. Then there's this: in one single week of June 2026, Google's team counted 316 distinct threat clusters using suspected NetNut exit nodes — cybercriminal groups and espionage groups among them — plus NetNut botnet plugin components tied to large-scale botnets like Badbox 2.0. But the sentence that should worry buyers most is quieter than any of those stats: Google said it had high confidence that many popular residential proxy brands were white-labeling the NetNut botnet. No names. I break down what that means for your vendor shortlist in the residential proxy supply-chain audit guide.
Worth remembering, too: this wasn't a one-off. Google framed it as a continuation of its January 2026 disruption of the IPIDEA proxy network. That's two residential proxy networks taken apart in six months.
Now, before anyone spins this into “residential proxies are dead” — that's not what the post says, and sloppy readings help nobody. Google described one network, its SDK and infrastructure model, and the reseller ecosystem around malicious residential proxy operations. Precision matters here, and I'll try to keep it through the rest of this piece.

What happened next — and what NetNut's parent company says
The next day's independent coverage filled in the enforcement picture. BleepingComputer reported on July 3 that the operation involved Google, the FBI, Lumen, Shadowserver and partners, and that the FBI seized the netnut.com domain. The Register caught a detail I found telling: netnut.com was showing a seizure notice while netnut.io was still up and running at the time they published. Proxyway reported that the FBI and IRS seized netnut.com, proxyjet.io, and divinetworks.com, then updated later that netnut.io and alarum.io had gone down too.
And NetNut's side of the story? Its parent company, Alarum Technologies (NASDAQ: ALAR), acknowledged the domain seizures on July 2, said it would fully cooperate with law enforcement, and framed the whole thing as third parties misusing its infrastructure. A July 3 update from Alarum confirmed more seizures, said parts of its proxy network were paused, warned investors of a likely material adverse effect if the disruptions persist — and noted that, as of that date, neither Alarum nor NetNut had been formally contacted by the FBI or any other authority.
So let's be precise about where things stand. Google's own claim is “significant degradation” of the network. Not a shutdown. The company behind NetNut is still operating, still disputing the framing, and cooperating at the same time. None of that softens the buyer lesson, though. A network people depended on lost millions of devices and a handful of domains inside a week — and every customer of every brand quietly reselling that capacity ate the loss overnight, whether they knew their supply chain or not.
The buyer lesson: don't buy a proxy network you can't explain
Most proxy comparison pages (mine included, for years) lead with pool size, locations, price per GB, and success rate. Those still matter. They're just not the first questions anymore.
Here's what I'd want answered before sending production traffic through any residential proxy provider today:
- How are residential IPs sourced?
- What exactly does user consent look like?
- Which use cases are blocked before KYC?
- How does the provider monitor abuse and respond to reports?
- What third-party certifications or assurance evidence can procurement review?
If the answer to all five is some version of “we have millions of IPs,” you didn't get a compliance answer. You got a capacity claim wearing one.
I wasn't alone in reading it this way. Sandipan Bhaumik, a lead data and AI solutions architect at Databricks, wrote a widely discussed LinkedIn post after the event and gave the problem a name I plan to steal: the “Compliance Illusion.” His point, paraphrased: enterprises keep accepting vague ethical-sourcing promises in contracts without ever demanding proof of how the service actually operates, or what happens when its controls fail. That's exactly the failure this checklist exists to prevent. The fix isn't stronger promises. It's evidence you can actually review.
What to ask your provider in the first 72 hours
Already using a residential proxy provider when news like this breaks? Don't sit on it until the next quarterly review. Send a written request the same week and make the vendor answer specifically:
- Exposure: were any of your residential pools, SDK sources, or reseller partners directly affected by this disruption?
- Capacity impact: has available residential capacity changed, and if so by how much for the pool or products we use?
- Supply-chain mapping: do any of our purchased products depend on upstream networks or white-label arrangements outside your first-party control?
- Controls: what sourcing, KYC, abuse, or monitoring controls would have prevented this issue from existing in your own network?
- Continuity: what failover, rerouting, or customer-notice plan applies if one upstream source is suspended?
To be clear about the point of this exercise: you're not collecting PR statements. You're finding out whether your supplier understands its own network well enough to answer under pressure. Some do. The ones that don't tend to reveal it fast.
ARDC's distinction is the right one
On July 7, 2026, the Alliance for Responsible Data Collection published a response that I think gets the framing right: residential proxy technology is not the problem; irresponsible operation is.
That line matters if you buy proxies for a living. Residential proxies power plenty of legitimate work — security research, ad verification, brand protection, market research, price comparison, academic research, checking what a page looks like from another country. All of it depends on the network being run responsibly.
What does “responsibly” mean in practice? ARDC's list: informed consent, clear user notice, meaningful user control, a simple opt-out path, acceptable use policies, monitoring, abuse prevention, and accountability. Hold that next to “we have a big IP pool” and you can see how far the industry's default sales pitch is from an actual procurement standard.
What a credible vendor response looks like
Any vendor can write a reassuring email after a disruption. I've read a stack of them this month. The question is whether there's operating detail underneath the reassurance.
- Credible: the vendor can say whether it was exposed, which products were or weren't affected, and what customers actually experienced.
- Better: the vendor can explain why its sourcing model, KYC gating, and abuse controls differ from the disrupted network's pattern.
- Weak: brand-level reassurance only, a “fully compliant” claim with nothing behind it, or a flat refusal to discuss upstream relationships.
One more distinction I'd push on: “no evidence of impact” versus “no possibility of impact.” The first can be an honest answer at a point in time. The second is marketing until the provider shows you why it controls its entire supply chain.
What irresponsible operation looks like
Google's report is blunt about the mechanics: home devices become proxy exit nodes because proxy code is hidden inside applications, pre-installed on devices, or bundled through SDK practices the device owner never really understood. The owner's home IP then carries someone else's traffic — including, potentially, abusive traffic.
Buy from a network like that and you inherit three problems:
- Reputational risk: your vendor could turn out to be associated with hidden device enrollment or botnet-style infrastructure.
- Operational risk: capacity can vanish suddenly when platforms, security firms, or law enforcement partners move against the network.
- Compliance risk: when procurement, legal, or a customer asks how your traffic was sourced, you may have no answer.
That third one is the sleeper. Teams underestimate it constantly. If your data pipeline runs on a network that can't explain its own supply chain, your pipeline is only as defensible as your vendor's vaguest sentence.
What responsible operation should look like
Flip it around, and here's the minimum documentation I'd expect from a residential proxy provider that takes this seriously:
| Control | What to ask | Why it matters |
|---|---|---|
| Consent-based IP sourcing | How do users opt in, what do they receive, and how do they opt out? | It separates transparent participation from hidden device enrollment. |
| KYC and customer review | Which domains or categories are blocked until the customer is reviewed? | It prevents anonymous buyers from using the network for obvious abuse paths. |
| Abuse handling | Is there a public abuse-reporting path and a documented response process? | It gives websites and affected parties a way to resolve misuse. |
| Monitoring and filtering | Does the provider classify traffic and monitor high-risk use cases? | Policies matter only when they are connected to enforcement. |
| Independent assurance | Which certifications, audits, or assurance reports can procurement inspect? | It turns ethics claims into reviewable evidence. |
Why Bright Data is the obvious compliance-first comparison point
Bright Data isn't the only residential proxy provider worth your time. But if I'm setting up a compliance-first vendor conversation right now, it's the cleanest reference point I can hand a procurement team, for one simple reason: there's actually material to review.
Bright Data's Trust Center is organized around customer protection, partner protection, World Wide Web safeguards, privacy, and policies/certifications. It points buyers to the exact topics this article keeps hammering on — KYC, preventing abuse, web monitoring, usage monitoring and filtering, public web data — and lists certification signals including GDPR, ISO 27001:2022, ISO 27017, ISO 27018, SOC 2, and SOC 3.
There's also a PwC assurance report page, which says Bright Data engaged PwC for an ISAE 3000 assurance engagement focused on internal compliance and ethics controls. The resulting report is dated June 29, 2025.
Does any of that make the buyer's homework optional? No — and PwC's own disclosure terms say as much: the report isn't a replacement for buyer-side inquiries and procedures. But it gives your procurement team something concrete to open and read, and that's the whole difference between a compliance claim and a compliance artifact.
Read our Bright Data review if you want the broader proxy-buyer view, or start with our web scraping ethics checklist if supplier due diligence is your main concern.
How to use this event in vendor review
If you're reviewing residential proxy vendors right now, these are the questions I'd add to the checklist today, not next quarter:
- Do you source residential IPs directly, through partners, through SDKs, or through resellers?
- Can you document user notice, consent, value exchange, and opt-out?
- Do you reject or hold suspicious use cases before KYC?
- Which customer actions trigger review, throttling, or blocking?
- Can websites report abuse through a dedicated channel?
- Do you maintain query logs or provenance records for misuse investigations?
- Which certifications and assurance documents are current?
- What happens if part of your upstream supply chain is disrupted?
Don't skip that last one. Google's post specifically described a reseller ecosystem where capacity moves between providers — which means the brand on your invoice and the network behind it can be two different things. I turned that problem into its own eight-question checklist in the residential proxy supply-chain audit guide.
And a word of caution in the other direction: don't let a headline stampede you into ripping out your vendor by Friday. A disruption should speed up your evidence collection, not replace it. Screen your current supplier harder, line it up against a stronger compliance-first alternative — my tested NetNut alternatives list is the place to start — and write down why whatever you keep is acceptable. That document is worth more than the panic.
What not to conclude
Don't walk away thinking every residential proxy use case is abusive — Google's post doesn't say that, and neither does ARDC. And don't assume a provider is safe just because it's big. If NetNut proved anything, it's that scale without transparency is precisely the wrong signal to trust.
The takeaway I'd actually keep: residential proxies are powerful infrastructure, and powerful infrastructure needs governance you can verify.
Final verdict
The NetNut disruption changed my first question for any residential proxy vendor. It used to be “how many IPs, and where?” Now it's “can you prove where the IPs come from, who gets access, what gets blocked, and how abuse gets handled?”
Vague answer? Keep looking. But if the answer comes back with documented KYC, consent-based sourcing, monitoring, abuse handling, current certifications, independent assurance, and a credible account of disruption exposure — that's a provider built to survive a real procurement review. It's also why Bright Data is the first provider I'd evaluate for a compliance-first residential proxy workflow.
For the broader framework, read Web Scraping Ethics in 2026 and the updated web scraping practices guide.
