Ethically Sourced Residential Proxies: Why Consent Matters After the Popa Botnet

Ethically sourced residential proxies come from devices whose owners opted in. The Popa botnet showed the alternative — 2 million hijacked smart TVs, a seized provider, and customers holding the risk. How consent-based sourcing works and what to ask any provider.

Ethically sourced residential proxies route traffic through devices whose owners gave informed consent to share their bandwidth — they know what they signed up for, they are compensated for it, and they can opt out at any time. The alternative stopped being theoretical on July 2, 2026, when the FBI and Google seized the domains of NetNut over the Popa botnet: roughly 2 million hijacked smart-TV devices whose bandwidth was resold as "residential IPs" to paying customers who mostly never asked where the IPs came from. This article explains how botnet-sourced pools actually work, why the risk lands on buyers and not just providers, and the questions that separate an ethical pool from a laundered one.

What Are Ethically Sourced Residential Proxies?

A residential proxy IP is only as legitimate as the way the device behind it joined the pool. Ethically sourced residential proxies pass three tests:

  • Informed consent. The device owner explicitly agreed — in language a normal person can understand — to share idle bandwidth with third parties. Not a clause buried on page 40 of a license agreement; a disclosed, deliberate opt-in.
  • Compensation. The owner receives something real in exchange: payment, credits, or a clearly framed free service. Bandwidth has value, and a pool that pays nothing for it is answering an important question badly.
  • Revocability. The owner can see that sharing is active and can stop it at any time, at which point the device leaves the pool.

Fail any of the three, and the "residential proxy" is functionally someone's internet connection being used without their meaningful agreement — whatever the paperwork says.

How Botnet-Sourced Proxy Pools Work

Popa is the current example, but the supply chain it used is a pattern, and it is worth understanding because it is invisible from the buyer's side.

Devices are compromised at scale — through malicious apps, trojanized firmware, or software bundles that install silently. Smart TVs made an ideal target for Popa: they are always on or in standby, they sit behind genuine household IP addresses that anti-bot systems inherently trust, they run no security software, and virtually nobody monitors their TV's network traffic. Reporting puts Popa's footprint at roughly 2 million such devices.

The infected devices then phone home and become exit nodes. Their bandwidth is aggregated, wholesaled, and resold — often through several layers of intermediaries. Each layer of resale launders the origin a little more, until the IPs surface in a polished dashboard with a country flag and an uptime metric. By the time a customer selects "United States — residential" from a dropdown, nothing on the screen distinguishes a consenting household from a hijacked television.

That is the structural problem: sourcing is invisible at the point of sale. The dashboard looks identical either way. The only way to know is to ask — and to treat the quality of the answer as part of the product.

The Risk Lands on Buyers Too

It is tempting to file the Popa story under "the provider's problem." NetNut's customers learned otherwise, in four distinct ways.

Legal exposure

Traffic you route through a hijacked device transits a computer being used without its owner's authorization. Buyers are rarely the target of enforcement, and none have been charged in the NetNut case — but "our vendor did the crime, we just bought the output" is a conversation you want to have with counsel before it happens, not after. If you operate in a regulated industry, it may also be a reportable vendor incident.

Compliance and vendor risk

If your company maintains SOC 2, ISO 27001, or any serious procurement process, a proxy provider is a vendor like any other. A seized vendor is a failed vendor-risk assessment on your books. "We compared prices and pool sizes" is not due diligence, and auditors are about to start saying so.

Business continuity

Domain seizures execute without notice. Every scraper, monitor, and pipeline pointed at NetNut failed at once on July 2, with no migration window and no support channel. A provider whose supply chain can be seized is a single point of failure you cannot see on a status page.

Data exposure

Whatever a seized provider held — your registration details, payment records, usage logs, target domains — is now evidence in someone else's case. You inherit that exposure retroactively, for as long as you were a customer.

Seven Questions to Ask Any Proxy Provider

You do not need subpoena power to vet a proxy pool. You need seven questions and the discipline to walk away from bad answers:

  1. Where exactly do your residential IPs come from — which apps, SDK partners, or recruitment channels?
  2. What does the device owner see at the moment they opt in? Can you show me the actual consent screen?
  3. What do participants receive in exchange for their bandwidth?
  4. How does a participant opt out, and how quickly does their IP leave the pool?
  5. What legal entity am I contracting with, and in which jurisdiction?
  6. Do you audit your supply partners and resellers, or can anyone wholesale bandwidth into your pool?
  7. What is your acceptable-use policy, and what do you log?

A provider running a consent-based pool can answer all seven with specifics, because the answers are just a description of how its business works. A provider that answers with "proprietary network," urgency, or a discount is answering question one — just not the way it intended.

Consent-Based vs Botnet-Sourced: The Difference at a Glance

Consent-based poolBotnet-sourced pool
How devices joinDisclosed opt-in via an app or SDKMalware, trojanized firmware, silent bundling
What the owner knowsSharing is visible and explainedNothing
CompensationPayment, credits, or a clearly framed free serviceNone — the bandwidth is stolen
Opt-outAny time; device leaves the poolOnly by discovering and removing the infection
Buyer's continuity riskNormal commercial riskSeizure without notice
Cost floorReal, because peers are paidNear zero — which is why impossible prices are a signal

That last row deserves a sentence. Consent costs money: recruiting participants, paying them, running opt-out infrastructure. Stolen bandwidth costs almost nothing. When a price looks like it could not possibly pay a real human for their connection, take the hint and ask harder questions — cheap is not proof of wrongdoing, but it is never evidence of consent.

How Consent-Based Sourcing Works in Practice

The mechanics are unglamorous, which is rather the point. Participants join through an app or an SDK partnership that discloses the arrangement up front, in plain language: your idle bandwidth will be shared; here is what you get for it. Their devices then serve as exit nodes only while sharing is active, and the participant can see and end the arrangement. The pool's supply is a ledger of agreements rather than a haul of infections.

This is the model ProxyHat's residential pool is built on, and it shapes the economics you see on the pricing page: traffic starts at $10 for 1 GB and scales down to $3.60/GB at 500 GB — a price structure that can afford to pay its peers. Purchased traffic never expires, which has a quiet ethical dimension of its own: a provider whose revenue does not depend on your allowance burning down each month has no incentive to push volume you do not need.

We will not pretend the industry sorts neatly into saints and botnets — sourcing exists on a spectrum, and honest providers can still answer some of the seven questions better than others. But after Popa, the direction of travel is clear: consent is becoming the product, and the dashboards are finally going to have to show their supply chains.

Key takeaways:

  • Ethically sourced residential proxies pass three tests: informed consent, real compensation, and revocability.
  • Botnet pools like Popa (~2 million hijacked smart TVs) are invisible from the buyer's dashboard — sourcing only shows up when you ask.
  • Buyers carry real risk from unethical pools: legal exposure, failed vendor-risk reviews, zero-notice outages, and data caught up in investigations.
  • Seven direct questions vet any provider; specifics are a good sign, "proprietary network" is not, and impossibly cheap bandwidth is a signal in itself.

Frequently Asked Questions

Are residential proxies legal?

Yes, buying and using residential proxies is legal in most jurisdictions. The legal and compliance risk comes from sourcing: routing traffic through devices whose owners never consented — as with botnet-fed pools like Popa — can expose buyers to investigations, failed vendor-risk reviews, and sudden service seizures.

What was the Popa botnet?

A network of roughly 2 million compromised smart-TV devices whose bandwidth was resold as residential proxy IPs. It came to public attention on July 2, 2026, when the FBI and Google seized the domains of NetNut, a major proxy provider alleged to have sold access to Popa-sourced IPs.

How do I know if a proxy provider is ethically sourced?

Ask for specifics: which apps or SDK partners supply bandwidth, what device owners see when they opt in, what they are paid, and how they opt out. Ethical providers can answer with documentation; vague answers about a "proprietary network" are a warning sign.

Can I get in trouble for using botnet-sourced proxies?

Buyers are rarely prosecuted, but the exposure is real: your traffic transits hijacked devices, your account data can end up inside an investigation, and your compliance posture inherits the vendor's misconduct. When a provider is seized, customers also lose service overnight — as NetNut's did.

Ready to get started?

Access 50M+ residential IPs across 148+ countries with AI-powered filtering.

View PricingResidential Proxies
← Back to Blog